Lucene search
+L

291 matches found

OSV
OSV
added 2026/04/06 3:40 p.m.6 views

CVE-2026-34756 vLLM Affected by Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server

vLLM is an inference and serving engine for large language models LLMs. From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionReques...

6.5CVSS6AI score0.00346EPSS
Exploits0References10
OSV
OSV
added 2026/04/06 2:49 p.m.7 views

BIT-PARSE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A singl...

8.2CVSS5.7AI score0.00463EPSS
Exploits0References6
VulnCheck KEV
VulnCheck KEV
added 2026/04/06 12:0 a.m.17 views

VulnCheck KEV: CVE-2023-49606

A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make ...

9.8CVSS6AI score0.63076EPSS
In wildExploits2References22
VulnCheck KEV
VulnCheck KEV
added 2026/04/01 12:0 a.m.12 views

VulnCheck KEV: CVE-2022-3254

The WordPress Classifieds Plugin WordPress plugin before 4.3 does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users and when a specific premium module is active, leading to a SQL injection...

9.8CVSS5.9AI score0.05103EPSS
In wildExploits2References2
NVD
NVD
added 2026/03/31 4:16 p.m.8 views

CVE-2026-34573

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads...

8.2CVSS0.00463EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/03/31 3:6 p.m.25 views

CVE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads...

8.2CVSS0.00463EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/31 3:6 p.m.3 views

CVE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads...

8.2CVSS5.7AI score0.00463EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/28 2:26 a.m.3 views

CVE-2025-12886 Oxygen <= 6.0.8 - Unauthenticated Server-Side Request Forgery via route_path

The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laboratorcalcroute AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web applicati...

7.2CVSS5.9AI score0.0019EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:11 p.m.5 views

CVE-2026-29772

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achiev...

7.5CVSS5.8AI score0.0037EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:1 p.m.6 views

CVE-2026-33498

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server...

8.7CVSS5.7AI score0.00483EPSS
Exploits0References1
OSV
OSV
added 2026/03/24 7:29 p.m.14 views

GHSA-3RMJ-9M5H-8FPV Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands

Summary Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves 15x memory amplification wire bytes to...

5.9CVSS5.9AI score0.0037EPSS
Exploits1References5
NVD
NVD
added 2026/03/24 7:16 p.m.6 views

CVE-2026-33498

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server...

8.7CVSS0.00452EPSS
Exploits0References5
NVD
NVD
added 2026/03/24 7:16 p.m.5 views

CVE-2026-29772

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achiev...

7.5CVSS0.0037EPSS
Exploits1References1
CVE
CVE
added 2026/03/24 6:38 p.m.10 views

CVE-2026-29772

Astro Server Islands vulnerability CVE-2026-29772 affects Astro SSR apps using the Node standalone adapter prior to version 10.0.0. The POST handler buffers the entire request body and parses it as JSON without any size limit, causing JSON.parse() to allocate many V8 objects and produce memory am...

7.5CVSS5.8AI score0.0037EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/03/24 6:38 p.m.4 views

CVE-2026-29772 Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achiev...

5.9CVSS5.8AI score0.0037EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/21 3:27 a.m.30 views

CVE-2026-4143 Neos Connector for Fakturama <= 0.0.14 - Cross-Site Request Forgery to Settings Update

The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncffaddpluginpage function which handles settings updates. This makes it possible for unauthenticated...

4.3CVSS0.00128EPSS
Exploits0References5
OSV
OSV
added 2026/03/20 8:56 p.m.4 views

GHSA-9FJP-Q3C4-6W3J Parse Server has a query condition depth bypass via pre-validation transform pipeline

Impact An attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. Patches The...

8.7CVSS5.9AI score0.00452EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.9 views

PT-2026-26782

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.55 Parse Server versions prior to 9.6.0-alpha.44 Description An unauthenticated attacker can send a crafted HTTP request with a deeply nested query containing logical operators, causing the Parse Server proce...

8.7CVSS5.8AI score0.00452EPSS
Exploits0References9
Snyk
Snyk
added 2026/03/19 12:42 p.m.1 views

Missing Authentication for Critical Function

Overview nltk is a Natural Language Toolkit NLTK is a Python package for natural language processing. Affected versions of this package are vulnerable to Missing Authentication for Critical Function in WordNet Browser HTTP server in default configuration. An attacker can cause the service to...

8.2CVSS5.8AI score0.00875EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/03/07 7:22 a.m.33 views

CVE-2026-1073 Purchase Button For Affiliate Link <= 1.0.2 - Cross-Site Request Forgery to Settings Update

The Purchase Button For Affiliate Link plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing nonce validation on the settings page form handler in inc/purchase-btn-options-page.php. This makes it possible for...

4.3CVSS0.00126EPSS
Exploits0References3
Rows per page
Query Builder