CVE-2026-54314
CVE-2026-54314 affects n8n, an open-source workflow automation platform. The vulnerability lies in the Compression node's Decompress operation, which prior to version 2.24.0 did not enforce output-size limits and could expand attacker-controlled archives in memory, allowing an unauthenticated attacker to...
n8n: Denial of Service via ZIP decompression in webhook workflow
Impact The Compression node's Decompress operation expanded attacker-controlled archives into memory without enforcing limits on decompressed output size. An unauthenticated attacker could send a small compressed archive to a public webhook workflow using this node, causing the n8n process to...
NPM: n8n: Denial of Service via ZIP decompression in webhook workflow
NPM: n8n: Denial of Service via ZIP decompression in webhook workflow vulnerability discovered by ? in WordPress Npm n8n versions 2.24.0...
CVE-2026-49755
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies. Req's default response pipeline includes Req.Steps.decode_body/1 and...
CVE-2026-42886 Audiobookshelf: Memory amplification DoS via oversized compressed details entry in backup upload
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/backups/upload endpoint decompresses the details entry from an uploaded .audiobookshelf ZIP file entirely into memory using zip.entryData, with no limit on the decompressed size. The upload middleware als...
JWCrypto: JWE ZIP decompression bomb
Summary The fix for GHSA-j857-7rvv-vj97 in v1.5.6 is weak in that it does not allow the receiver to fully control the amount of plaintext it is willing to deal with and provides only a weak upper bound. The patch limits input token size to 250KB but does not validate the decompressed output size. An...
CVE-2026-39373 JWCrypto: JWE ZIP decompression bomb
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate th...
CVE-2026-39373
CVE-2026-39373 affects JWCrypto (Python) prior to 1.5.7. An unauthenticated attacker can trigger memory exhaustion by sending crafted JWE tokens using ZIP compression; a token under 250 KB can decompress to ~100 MB. The fix is version 1.5.7. This follows CVE-2024-28102: while the 250 KB input lim...
CVE-2026-32630 file-type affected by ZIP Decompression Bomb DoS via [Content_Types].xml entry
file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer, fileTypeFromBlob, or fileTypeFromFile. The ZIP inflate output limit is enforced for...
CVE-2026-32630
CVE-2026-32630 (file-type) affects the file-type library. A crafted ZIP can cause excessive memory growth during type detection in versions 20.0.0–21.3.1 for APIs fileTypeFromBuffer(), fileTypeFromBlob(), and fileTypeFromFile(). The ZIP inflate limit was enforced for stream-based detection but no...
GHSA-96PC-27RX-PR36 ImageMagick has Possible Heap Information Disclosure in PSD ZIP Decompression
Description A heap information disclosure vulnerability exists in ImageMagick's PSD Adobe Photoshop format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the...
CVE-2026-24481 ImageMagick has Possible Heap Information Disclosure in PSD ZIP Decompression
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap information disclosure vulnerability exists in ImageMagick's PSD Adobe Photoshop format handler. When processing a maliciously crafted PSD file containin...
CVE-2026-24481
CVE-2026-24481 affects ImageMagick's PSD (Adobe Photoshop) format handler in versions prior to 7.1.2-15 and 6.9.13-40. Processing a PSD with ZIP-compressed layer data that decompresses to less than the expected size leaks uninitialized heap memory into the output image. Patch exists in 7.1.2...
EUVD-2017-1597
Malware in sbrugna...
EUVD-2020-24405
Malware in sbrugna...
EUVD-2020-18712
Malware in sbrugna...
Chall-Manager security vulnerability
Chall-Manager is an open source project from CTFer.io. A security vulnerability exists in Chall-Manager versions prior to 0.1.4, which stems from a failure to check the size of the contents when decompressing a zip file, which could lead to a zip bomb decompression...