33 matches found
EUVD-2026-38446
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 and Plug.Conn.Query.decodeeach/2 parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many...
CVE-2026-45185
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS closenotify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to...
USN-8270-1: Exim vulnerability
It was discovered that Exim incorrectly handled BDAT body parsing. A remote attacker could use this issue to cause Exim to crash, resulting in a denial of service, or possibly execute arbitrary code...
CVE-2026-45185
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS closenotify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to...
CVE-2026-35665
OpenClaw CVE-2026-35665 details a Denial of Service via pre-auth body parsing in the Feishu webhook handler. The Feishu extension still uses permissive pre-auth limits (1 MB body, 30 s timeout) before signature verification, unlike other webhook handlers that were patched to 64 KB / 5 s. Attacker...
GHSA-P464-M8X6-VHV8 OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion
Summary MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: v2026.3.28 still parses Teams JSON after only a Bearer-prefix gate and before real JWT validation, and the...
PT-2026-29846
Name of the Vulnerable Software and Affected Versions TP-Link Tapo C520WS version 2.6 Description A heap-based buffer overflow exists in the HTTP POST body parsing logic due to insufficient boundary validation and missing validation of remaining buffer capacity after dynamic allocation when...
GHSA-W6M8-CQVJ-PG5V OpenClaw has incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant)
Fixed in OpenClaw 2026.3.24, the current shipping release. Advisory Details Title: Incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS Slow-Body / Slowloris Variant Description: Summary The patch for CVE-2026-32011 tightened pre-auth body parsing limits from 1MB/30s to...
GHSA-3H52-CX59-C456 OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
Summary Feishu webhook reads and parses unauthenticated request bodies before signature validation Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details Feishu...
Allocation of Resources Without Limits or Throttling
Overview @astrojs/node is a Deploy your site to a Node.js server Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the /server-islands/name route handler, which buffers and parses the entire request body as JSON without enforcing a size...
CVE-2026-32011 OpenClaw < 2026.3.2 - Slow-Request Denial of Service via Pre-Auth Webhook Body Parsing
OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request...
CVE-2023-25578
Starlite is an Asynchronous Server Gateway Interface ASGI framework. Prior to version 1.5.2, the request body parsing in starlite allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and ...
EUVD-2025-33748
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, Rack::RequestPOST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.readnil without enforcing a length or cap. Large request bodies can therefo...
CVE-2025-61919 Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, Rack::RequestPOST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.readnil without enforcing a length or cap. Large request bodies can therefo...
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
Summary Rack::RequestPOST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.readnil without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of...
EUVD-2022-1032
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2021-46336
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - There is an Assertion 'opts & PARSERCLASSLITERALCTORPRESENT' failed at /parser/js/js-parser- expr.cparserparseclassbody in JerryScript 3.0.0. CVE-2021-46336 Not...
CVE-2024-22080
An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Unauthenticated memory corruption can occur during XML body parsing...
CVE-2020-27196
An issue was discovered in PlayJava in Play Framework 2.6.0 through 2.8.2. The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint that may or may not expect JSON payloads causes a StackOverflowError and Denial of...
CVE-2024-45590 body-parser vulnerable to denial of service when url encoding is enabled
body-parser is Node.js body parsing middleware. body-parser 1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in...