CVE-2026-10725
Protocol::HTTP2 for Perl, in versions before 1.13, is vulnerable to an HTTP/2 bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into a large amount of server memory (the "HTTP/2 bomb"). The headers_decode method materialises a full key+value copy per indexe...
CVE-2026-3114
Mattermost CVE-2026-3114 affects versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, and 10.11.x
Security update for python-aiohttp
This update for python-aiohttp fixes the following issues: CVE-2025-69228: Fixed denial of service through large payloads (bsc#1256022). CVE-2025-69226: Fixed brute-force leak of internal static file path components (bsc#1256020). CVE-2025-69224: Fixed unicode processing of header values that could cause...
Important: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.6 Product Security and Bug Fix Update
An update is now available for Red Hat Ansible Automation Platform 2.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from t...
MiracleLinux 8 : python3.11-3.11.9-1.el8_10 (AXSA:2024-8471:15)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-8471:15 advisory. python: Path traversal on tempfile.TemporaryDirectory (CVE-2023-6597). python: The zipfile module is vulnerable to zip-bombs leading to denial of servi...
GHSA-FFJ4-JQ7M-9G6V GuardDog Zip Bomb Vulnerability in safe_extract() Allows DoS
Summary: GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data...
netty-codec: netty-codec-compression: Netty's BrotliDecoder is vulnerable to DoS via zip bomb style attack
A flaw was found in Netty. With specially crafted input, BrotliDecoder and some other decompressing decoders will allocate a large number of reachable byte buffers, which can lead to denial of service...
Cinnamon kotaemon 0.11.0 ZIP Bomb
Cinnamon kotaemon version 0.11.0 zip bomb proof of concept denial of service exploit. Title: Cinnamon kotaemon v 0.11.0 ZIP Bomb Vulnerability in...
EUVD-2018-17299
Malware in sbrugna...
EUVD-2022-37385
Malicious code in bioql PyPI...
CVE-2025-53633 Chall-Manager's scenario decoding process does not check for zip bombs
Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the size of the decoded content is not checked, potentially leading to zip-bomb decompression. Exploitation requires neither authentication nor authorization, ...
Security Bulletin: IBM Storage Ceph is vulnerable to zip-bombs leading to denial of service in the RHEL UBI (CVE-2024-0450)
Summary: RHEL UBI is used by IBM Storage Ceph as the base operating system. CVE-2024-0450: This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. Vulnerability Details: CVEID: CVE-2024-0450 DESCRIPTION: An issue was found in the CPython zipfile module affecting...
CVE-2025-32949
This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a zip bomb. If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading...
GPT Academic security vulnerability
GPT Academic is an interface that provides pragmatic interactions for LLM large language models such as GPT/GLM. GPT Academic suffers from a security vulnerability that originates from a specially crafted zip bomb upload, which an attacker can exploit to cause a memory exhaustion crash...
[SECURITY] [DLA 4054-1] tryton-client security update
Debian LTS Advisory DLA-4054-1 [email protected] https://www.debian.org/lts/security/ Daniel Leidert February 16, 2025 https://wiki.debian.org/LTS Package : tryton-client Version : 5.0.33-1+deb11u1 CVE ID : not yet available Debian Bug : none Cédric Krier has found that trytond, the...
Debian dla-4054 : tryton-client - security update
The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4054 advisory. Debian LTS Advisory DLA-4054-1 [email protected] https://www.debian.org/lts/security/...
Security update for unbound
This update for unbound fixes the following issues: Update to 1.20.0: Features: The config for discard-timeout, wait-limit, wait-limit-cookie, wait-limit-netblock and wait-limit-cookie-netblock was added, for the fix to the DNSBomb issue. Merge GH1027: Introduce 'cache-min-negative-ttl' option...
[SECURITY] [DLA 4022-1] tryton-server security update
Debian LTS Advisory DLA-4022-1 [email protected] https://www.debian.org/lts/security/ Daniel Leidert January 19, 2025 https://wiki.debian.org/LTS Package : tryton-server Version : 5.0.33-2+deb11u3 CVE ID : not yet available Debian Bug : none Cédric Krier has found that trytond, the Tryt...
Debian dla-4022 : tryton-server - security update
The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4022 advisory. Debian LTS Advisory DLA-4022-1 [email protected] https://www.debian.org/lts/security/...
Amazon Linux 2 : python38 (ALASPYTHON3.8-2024-016)
The version of python38 installed on the remote host is prior to 3.8.20-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2PYTHON3.8-2024-016 advisory. Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python...