Wowza Streaming Engine Manager 4.7.4.01 - Directory Traversal

Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specifically crafted HTTP request to the REST API. id: CVE-2018-19365 info: name: Wowza Streaming Engine Manager 4.7.4.01 - Directory Traversal author: 0xAkoko severity: critical...

EUVD-2026-38630

When using the "tarfile" module with a file opened in "streaming mode" mode="r|" the tarfile module did not properly handle EOF, meaning an archive could be parsed in an infinite loop...

CVE-2026-11972

When using the "tarfile" module with a file opened in "streaming mode" mode="r|" the tarfile module did not properly handle EOF, making archive parsing take exponentially longer...

CVE-2026-11972

When using the "tarfile" module with a file opened in "streaming mode" mode="r|" the tarfile module did not properly handle EOF, making archive parsing take exponentially longer...

PSF-2026-31

When using the "tarfile" module with a file opened in "streaming mode" mode="r|" the tarfile module did not properly handle EOF, meaning an archive could be parsed in an infinite loop...

CVE-2026-11972

CVE-2026-11972: The Python tarfile module may loop indefinitely when parsing archives opened in streaming mode (mode="r|") due to improper EOF handling. Affects the tarfile parsing path and could cause high impact availability issues; the description confirms the root cause but the connected docu...

CVE-2026-11972 tarfile opened in streaming mode mishandles EOF

When using the "tarfile" module with a file opened in "streaming mode" mode="r|" the tarfile module did not properly handle EOF, making archive parsing take exponentially longer...

Important: Red Hat Security Advisory: OpenShift Container Platform 4.22.2 security and extras update

Red Hat OpenShift Container Platform release 4.22.2 is now available with updates to packages and images that fix several bugs. This release includes a security update for Red Hat OpenShift Container Platform 4.22. Red Hat Product Security has rated this update as having a security impact of...

Security Advisory 0143

Security Advisory 0143 PDF Date: June 23, 2026 Revision | Date | Changes ---|---|--- 1.0 | Jun 23, 2026 | Initial release Description All of the CVEs covered in this advisory apply to affected platforms running Arista EOS with the Streaming Telemetry Agent aka TerminAttr enabled. This issue...

CVE-2026-54236 vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router

vLLM is an inference and serving engine for large language models LLMs. Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitizemessage helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo...

urllib3: urllib3 Streaming API improperly handles highly compressed data

A decompression handling flaw has been discovered in urllib3. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header e.g., gzip, deflate, br, or zstd. The library must read compressed data from the network and decompress it...

urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP...

UBUNTU-CVE-2026-53538

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only...

UBUNTU-CVE-2026-53537

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=...,...

UBUNTU-CVE-2026-53539

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead...

UBUNTU-CVE-2026-53540

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parseform did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded...

Linux Distros Unpatched Vulnerability : CVE-2026-49337

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes...

Linux Distros Unpatched Vulnerability : CVE-2026-9375

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API preloadcontent=False when using Brotli support. The issue arises due to...

CVE-2026-49337

CVE-2026-49337 affects libde265 prior to 1.0.20. A crafted sequence of H.265 NAL units lets decoder_context::read_slice_NAL() attach slice headers to a finished picture object with no active image unit, causing attacker-controlled unbounded heap growth. The headers are retained until the picture ...

DEBIAN-CVE-2026-9375

urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API preloadcontent=False when using Brotli support. The issue arises due to three independent code paths in response.py that bypass the maxlength protection introduced in version 2.6.0 to mitigate CVE-2025-66471...