43 matches found
Astra Linux – Vulnerability in libmicrohttpd
GNU libmicrohttpd before version 0.9.76 allowed remote Denial of Service attacks due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHDcreatepostprocessor method. This allowed attackers to remotely send a malicious HTTP POST packet that included one or more '\0' byte...
Updated ruby-rack packages fix security vulnerabilities
CVE-2026-26961 Greedy multipart boundary parsing can cause parser differentials and WAF bypass. Forwarded header semicolon injection enables Host and Scheme spoofing. CVE-2026-34230 Quadratic complexity in Rack::Utils.selectbestencoding via wildcard Accept-Encoding header. CVE-2026-34763 Root...
CVE-2026-28525
SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoosemultipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing...
CVE-2026-28525 SWUpdate Integer Underflow in Multipart Upload Parser
SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoosemultipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing...
CVE-2026-28525
SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoosemultipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing...
SUSE CVE-2026-26961
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one...
Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.
Summary Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermedia...
CVE-2026-26961
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one...
DEBIAN-CVE-2026-26961
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one...
UBUNTU-CVE-2026-26961
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one...
CVE-2026-26961 Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one...
CVE-2026-33069
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsipmultipartparse. After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This...
CVE-2026-33069
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsipmultipartparse. After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This...
PT-2026-26586
PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip multipart parse. After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This...
openSUSE 16 Security Update : python-uv (openSUSE-SU-2026:20026-1)
The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20026-1 advisory. - CVE-2025-62518: astral-tokio-tar: Fixed boundary parsing issue allowing attackers to smuggle additional archive entries bsc1252399 -...
SUSE-SU-2026:20077-1 Security update for python-uv
This update for python-uv fixes the following issues: - CVE-2025-62518: astral-tokio-tar: Fixed boundary parsing issue allowing attackers to smuggle additional archive entries bsc1252399 - CVE-2025-58160: tracing-subscriber: Fixed log pollution bsc1249011...
OPENSUSE-SU-2026:20026-1 Security update for python-uv
This update for python-uv fixes the following issues: - CVE-2025-62518: astral-tokio-tar: Fixed boundary parsing issue allowing attackers to smuggle additional archive entries bsc1252399 - CVE-2025-58160: tracing-subscriber: Fixed log pollution bsc1249011...
Siemens SIMATIC S7-1500 Improper Input Validation (CVE-2023-27371)
GNU libmicrohttpd before 0.9.76 allows remote DoS Denial of Service due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHDcreatepostprocessor method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a...
Linux Distros Unpatched Vulnerability : CVE-2025-62518
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability...
CVE-2025-62518
astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives...