Lucene search
K

43 matches found

AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.5 views

Astra Linux – Vulnerability in libmicrohttpd

GNU libmicrohttpd before version 0.9.76 allowed remote Denial of Service attacks due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHDcreatepostprocessor method. This allowed attackers to remotely send a malicious HTTP POST packet that included one or more '\0' byte...

5.9CVSS6.3AI score0.01243EPSS
Exploits1References1
Mageia
Mageia
added 2026/06/18 9:28 p.m.10 views

Updated ruby-rack packages fix security vulnerabilities

CVE-2026-26961 Greedy multipart boundary parsing can cause parser differentials and WAF bypass. Forwarded header semicolon injection enables Host and Scheme spoofing. CVE-2026-34230 Quadratic complexity in Rack::Utils.selectbestencoding via wildcard Accept-Encoding header. CVE-2026-34763 Root...

7.5CVSS5AI score0.00475EPSS
Exploits2References13
NVD
NVD
added 2026/04/23 9:16 p.m.10 views

CVE-2026-28525

SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoosemultipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing...

8.2CVSS0.00316EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/23 8:59 p.m.37 views

CVE-2026-28525 SWUpdate Integer Underflow in Multipart Upload Parser

SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoosemultipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing...

8.2CVSS0.00316EPSS
Exploits0References2
Debian CVE
Debian CVE
added 2026/04/23 8:59 p.m.4 views

CVE-2026-28525

SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoosemultipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing...

8.2CVSS5.9AI score0.00316EPSS
Exploits0
SUSE CVE
SUSE CVE
added 2026/04/03 11:26 p.m.3 views

SUSE CVE-2026-26961

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one...

3.7CVSS5.8AI score0.00253EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/04/02 8:30 p.m.11 views

Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.

Summary Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermedia...

5.3CVSS5.9AI score0.00253EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/04/02 5:16 p.m.5 views

CVE-2026-26961

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one...

5.3CVSS0.00253EPSS
Exploits0References1
OSV
OSV
added 2026/04/02 5:16 p.m.1 views

DEBIAN-CVE-2026-26961

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one...

5.3CVSS5.3AI score0.00253EPSS
Exploits0References1
OSV
OSV
added 2026/04/02 5:16 p.m.4 views

UBUNTU-CVE-2026-26961

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one...

5.3CVSS5.8AI score0.00253EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/04/02 4:42 p.m.17 views

CVE-2026-26961 Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one...

3.7CVSS0.00253EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/03/20 8:21 a.m.3 views

CVE-2026-33069

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsipmultipartparse. After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This...

7.5CVSS5.6AI score0.0026EPSS
Exploits0
Debian CVE
Debian CVE
added 2026/03/20 8:21 a.m.4 views

CVE-2026-33069

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsipmultipartparse. After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This...

7.5CVSS5.5AI score0.0026EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.3 views

PT-2026-26586

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip multipart parse. After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This...

6.9CVSS6AI score0.0026EPSS
Exploits0References7
Tenable Nessus
Tenable Nessus
added 2026/01/16 12:0 a.m.6 views

openSUSE 16 Security Update : python-uv (openSUSE-SU-2026:20026-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20026-1 advisory. - CVE-2025-62518: astral-tokio-tar: Fixed boundary parsing issue allowing attackers to smuggle additional archive entries bsc1252399 -...

8.1CVSS8.6AI score0.00688EPSS
Exploits1References6
OSV
OSV
added 2026/01/13 12:49 p.m.5 views

SUSE-SU-2026:20077-1 Security update for python-uv

This update for python-uv fixes the following issues: - CVE-2025-62518: astral-tokio-tar: Fixed boundary parsing issue allowing attackers to smuggle additional archive entries bsc1252399 - CVE-2025-58160: tracing-subscriber: Fixed log pollution bsc1249011...

8.1CVSS6.1AI score0.00688EPSS
Exploits1References5
OSV
OSV
added 2026/01/13 12:48 p.m.7 views

OPENSUSE-SU-2026:20026-1 Security update for python-uv

This update for python-uv fixes the following issues: - CVE-2025-62518: astral-tokio-tar: Fixed boundary parsing issue allowing attackers to smuggle additional archive entries bsc1252399 - CVE-2025-58160: tracing-subscriber: Fixed log pollution bsc1249011...

8.1CVSS6.1AI score0.00688EPSS
Exploits1References4
Tenable Nessus
Tenable Nessus
added 2025/11/13 12:0 a.m.6 views

Siemens SIMATIC S7-1500 Improper Input Validation (CVE-2023-27371)

GNU libmicrohttpd before 0.9.76 allows remote DoS Denial of Service due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHDcreatepostprocessor method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a...

5.9CVSS6.7AI score0.01243EPSS
Exploits1References4
Tenable Nessus
Tenable Nessus
added 2025/10/27 12:0 a.m.4 views

Linux Distros Unpatched Vulnerability : CVE-2025-62518

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability...

8.1CVSS6.1AI score0.00688EPSS
Exploits1References3
NVD
NVD
added 2025/10/21 5:15 p.m.10 views

CVE-2025-62518

astral-tokio-tar is a tar archive reading/writing library for async Rust. Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives...

8.1CVSS0.00688EPSS
Exploits1References5
Rows per page
Query Builder