CVE-2026-44247

CVE-2026-44247 : Volcano’s webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the ...

tomcat6: Fix of CVE-2026-41284

CVE-2026-41284: tomcat6: WebDAV LOCK/PROPFIND unbounded request body DoS...

@evomap/evolver has an unbounded request body in proxy /asset/submit that causes persistent disk-exhaustion DoS

Summary The EvoMap proxy daemon's HTTP body parser accepts requests of any size, and the POST /asset/submit route persists the full request body — verbatim and uncapped — as a JSONL line in /messages.jsonl. An unauthenticated local attacker other local user, container neighbor, or malicious npm...

GHSA-7XP7-M392-H92C @evomap/evolver has an unbounded request body in proxy /asset/submit that causes persistent disk-exhaustion DoS

Summary The EvoMap proxy daemon's HTTP body parser accepts requests of any size, and the POST /asset/submit route persists the full request body — verbatim and uncapped — as a JSONL line in /messages.jsonl. An unauthenticated local attacker other local user, container neighbor, or malicious npm...

CVE-2026-21388 Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}} Webhook Endpoint

Mattermost Plugins versions =2.3.1 fail to limit the request body size on the /lifecycle webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610...

CVE-2026-21388

CVE-2026-21388 affects Mattermost Plugins versions

PT-2026-31784

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server server.py reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by default no token...

DEBIAN-CVE-2026-33034

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATAUPLOADMAXMEMORYSIZE limit when reading HttpRequest.body, allowing remote attackers to load an unbounded request body into...

PYSEC-2026-49

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATAUPLOADMAXMEMORYSIZE limit when reading HttpRequest.body, allowing remote attackers to load an unbounded request body into...

Allocation of Resources Without Limits or Throttling

Overview @astrojs/node is a Deploy your site to a Node.js server Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the /server-islands/name route handler, which buffers and parses the entire request body as JSON without enforcing a size...

CVE-2026-29772 Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achiev...

CVE-2026-30955

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is...

CVE-2025-59472

A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related...