Lucene search
K

145 matches found

Github Security Blog
Github Security Blog
added 2026/05/29 5:52 p.m.13 views

ExifReader is vulnerable to denial of service via unbounded decompression of image metadata

Impact Versions of ExifReader from 4.20.0 through 4.38.1 do not bound the size of decompressed metadata blocks. When a caller invokes the asynchronous API e.g. ExifReader.loadfile or ExifReader.loadbuffer, async: true on an attacker-supplied image, a small compressed chunk in the file can expand ...

6.9CVSS5.8AI score0.00464EPSS
Exploits0References6Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.23 views

PT-2026-44130

Name of the Vulnerable Software and Affected Versions CrowdSec LAPI affected versions not specified Description The LAPI router utilizes the gin-contrib/gzip middleware with DefaultDecompressHandle globally in pkg/apiserver/controllers/controller.go. This middleware decompresses incoming request...

8.2CVSS5.3AI score0.00115EPSS
Exploits0References5
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux – Vulnerability in curl

curl 7.84.0 supports “chained” HTTP compression algorithms, which means that a server response can be compressed multiple times, possibly using different algorithms. The number of allowable “links” in this decompression chain is unlimited, allowing a malicious server to insert virtually an...

6.5CVSS6.8AI score0.3197EPSS
Exploits1References2
OSV
OSV
added 2026/05/13 7:17 p.m.5 views

UBUNTU-CVE-2026-43970

Improper Handling of Highly Compressed Data Data Amplification vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cowspdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY...

8.2CVSS5.8AI score0.00511EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/05/13 6:43 p.m.9 views

CVE-2026-43970

Improper Handling of Highly Compressed Data Data Amplification vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cowspdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY...

8.2CVSS5.8AI score0.00511EPSS
Exploits0References4Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/04 12:38 p.m.6 views

Security Bulletin: Denial of Service in urllib3 via Unbounded Decompression of Redirect Responses

Summary urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on t...

8.9CVSS6.8AI score0.02667EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/04 12:37 p.m.11 views

Security Bulletin:urllib3 Unbounded Decompression Chain Enables Denial of Service

Summary urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massiv...

8.9CVSS6.9AI score0.00633EPSS
Exploits0Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/04/16 12:0 a.m.5 views

AlmaLinux 8 : fence-agents (ALSA-2026:1240)

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:1240 advisory. urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion CVE-2025-66418 urllib3: urllib3 Streaming API improperly handles highly...

8.9CVSS5.9AI score0.02667EPSS
Exploits0References5
OSV
OSV
added 2026/04/09 12:31 a.m.2 views

GHSA-C3F2-QG8V-25Q2 Duplicate Advisory: Unfurl's unbounded zlib decompression allows decompression bomb DoS

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-h5qv-qjv4-pc5m. This link is maintained to preserve external references. Original Description Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parsecompressed.py that allows remote...

8.7CVSS5.8AI score0.00508EPSS
Exploits1References6
CVE
CVE
added 2026/04/08 9:35 p.m.16 views

CVE-2026-40036

Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that lets remote attackers trigger denial of service by submitting highly compressed payloads via URL parameters to the /json/visjs endpoint, expanding to gigabytes and exhausting server memory. CV...

8.7CVSS6AI score0.00508EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/04/08 9:35 p.m.21 views

CVE-2026-40036 Unfurl < 2026.04 - Denial of Service via Unbounded zlib Decompression

Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parsecompressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server...

8.7CVSS0.00508EPSS
Exploits1References3
AlpineLinux
AlpineLinux
added 2026/04/08 9:35 p.m.7 views

CVE-2026-40036

Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parsecompressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server...

8.7CVSS5.8AI score0.00508EPSS
Exploits1References3
Snyk
Snyk
added 2026/04/08 12:16 a.m.9 views

Improper Handling of Highly Compressed Data (Data Amplification)

Overview Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification through the JWE decompression that has no upper limit for plaintext size. An attacker can exhaust system memory by sending specially crafted compressed tokens that decompres...

7.5CVSS6.6AI score0.0098EPSS
Exploits2References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:11 p.m.6 views

CVE-2026-23943

Improper Handling of Highly Compressed Data Compression Bomb vulnerability in Erlang OTP ssh sshtransport modules allows Denial of Service via Resource Depletion. The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication...

6.9CVSS5.8AI score0.00644EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/03/16 12:0 a.m.4 views

EulerOS 2.0 SP11 : python-urllib3 (EulerOS-SA-2026-1591)

According to the versions of the python-urllib3 package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the...

8.9CVSS6.5AI score0.00633EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/03/15 12:0 a.m.4 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-urllib3 (UTSA-2026-006157)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006157 advisory. urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded...

8.9CVSS6.7AI score0.00633EPSS
Exploits0References4
UbuntuCve
UbuntuCve
added 2026/03/13 7:54 p.m.4 views

CVE-2026-23943

Improper Handling of Highly Compressed Data Compression Bomb vulnerability in Erlang OTP ssh sshtransport modules allows Denial of Service via Resource Depletion. The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication...

6.9CVSS5.9AI score0.00644EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2026/03/05 11:15 a.m.9 views

Important: Red Hat Security Advisory: Red Hat OpenShift GitOps v1.17.5 security update

Important: Red Hat OpenShift GitOps v1.17.5 security update An update is now available for Red Hat OpenShift GitOps. Bug Fixes and Enhancements: GITOPS-8438 CVE-2025-12816 openshift-gitops-1/console-plugin-rhel8: node-forge: Interpretation conflict vulnerability allows bypassing cryptographic...

8.9CVSS6.9AI score0.02667EPSS
Exploits1References8
Ubuntu
Ubuntu
added 2026/02/25 8:43 p.m.8 views

USN-8065-1: Authlib vulnerabilities

Millie Solem discovered that Authlib did not properly restrict algorithm selection during JWT verification, allowing HMAC verification with asymmetric public keys when no algorithm was specified. A remote attacker could possibly use this issue to bypass signature verification and forge tokens,...

8.8CVSS5.7AI score0.00596EPSS
Exploits5
Tenable Nessus
Tenable Nessus
added 2026/02/17 12:0 a.m.5 views

RHEL 8 / 9 : Satellite 6.16.6.1 Async Update (Important) (RHSA-2026:2765)

The remote Redhat Enterprise Linux 8 / 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:2765 advisory. Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessit...

8.9CVSS5.8AI score0.02667EPSS
Exploits0References9
Rows per page
Query Builder