Lucene search
K

650 matches found

NVD
NVD
added 2026/05/13 7:17 p.m.36 views

CVE-2026-8466

Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing. cowboyreq:readpart/3 in src/cowboyreq.erl accumulates incoming request bytes into a Buffer binary with no upper-bound chec...

8.2CVSS0.00382EPSS
Exploits0References3
OSV
OSV
added 2026/05/13 7:17 p.m.6 views

UBUNTU-CVE-2026-8466

Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing. cowboyreq:readpart/3 in src/cowboyreq.erl accumulates incoming request bytes into a Buffer binary with no upper-bound chec...

8.2CVSS5.8AI score0.00382EPSS
Exploits0References5
NVD
NVD
added 2026/05/13 4:16 p.m.13 views

CVE-2026-42934

NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttpcharsetmodule module. When charset, sourcecharset, and charsetmap and proxypass with disabled buffering "off" directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' contr...

6.3CVSS0.00717EPSS
Exploits0References1
OSV
OSV
added 2026/05/13 4:16 p.m.3 views

ALPINE-CVE-2026-42934

NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttpcharsetmodule module. When charset, sourcecharset, and charsetmap and proxypass with disabled buffering "off" directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' contr...

6.3CVSS6.1AI score0.00717EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2026/05/13 2:12 p.m.9 views

CVE-2026-42934

NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttpcharsetmodule module. When charset, sourcecharset, and charsetmap and proxypass with disabled buffering "off" directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' contr...

6.3CVSS5.9AI score0.00717EPSS
Exploits0
CVE
CVE
added 2026/05/13 2:12 p.m.55 views

CVE-2026-42934

The CVE-2026-42934 entry concerns NGINX Plus and NGINX Open Source with a vulnerability in the ngx_http_charset_module. When charset, source_charset, and charset_map are configured together with proxy_pass having buffering disabled, unauthenticated attackers can trigger a heap buffer over-read in...

6.3CVSS5.9AI score0.00717EPSS
Exploits0References1Affected Software7
Positive Technologies
Positive Technologies
added 2026/05/13 12:0 a.m.14 views

PT-2026-40679

Name of the Vulnerable Software and Affected Versions NGINX Plus affected versions not specified NGINX Open Source affected versions not specified Description A heap buffer over-read exists in the ngx http charset module module. This occurs when the charset, source charset, charset map, and proxy...

6.3CVSS6.1AI score0.00717EPSS
Exploits0References63
CVE
CVE
added 2026/05/12 8:37 p.m.24 views

CVE-2026-44240

CVE-2026-44240 affects the Node.js FTP client basic-ftp . Before version 5.3.1, the client is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious FTP server can send an unterminated multiline response during the initial banner phase, causi...

7.5CVSS5.9AI score0.00465EPSS
Exploits0References1
OSV
OSV
added 2026/05/11 5:31 p.m.3 views

BIT-LIBPYTHON-2025-13836 Excessive read buffering DoS in http.client

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS...

7.5CVSS6.7AI score0.01525EPSS
Exploits0References10
OSV
OSV
added 2026/05/08 11:49 a.m.20 views

BIT-PYTHON-2025-13836 Excessive read buffering DoS in http.client

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS...

7.5CVSS6.7AI score0.01525EPSS
Exploits0References10
OSV
OSV
added 2026/05/08 11:49 a.m.6 views

BIT-PYTHON-MIN-2025-13836 Excessive read buffering DoS in http.client

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS...

7.5CVSS6.7AI score0.01525EPSS
Exploits0References10
OSV
OSV
added 2026/05/07 3:52 a.m.7 views

GHSA-Q6V9-R226-V65F Bandit HTTP/2 Frame Size Limit Bypass via Late Buffer Check Enables Memory Exhaustion

Summary Bandit's HTTP/2 parser checks frame size after it has already buffered the full body, instead of when it sees the 9-byte header. A peer can announce a 16 MiB frame on a connection that agreed to 16 KiB frames and the server will silently buffer up to 1024× the agreed budget per connection...

6.9CVSS5.8AI score0.0051EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/07 12:0 a.m.18 views

PT-2026-38399

Name of the Vulnerable Software and Affected Versions Netty affected versions not specified Description Resource exhaustion occurs because the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. In the MqttDecoder class, the decodeVariableHeader...

9.8CVSS5.8AI score0.00515EPSS
Exploits1References410
Cvelist
Cvelist
added 2026/05/06 8:58 p.m.33 views

CVE-2026-41483 Unbounded HTTP response body read in OpenTelemetry.Resources.Azure

OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without any size limit. An attacker w...

5.9CVSS0.00323EPSS
Exploits0References2
Patchstack
Patchstack
added 2026/05/06 7:37 p.m.10 views

NPM: basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering

NPM: basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering vulnerability discovered by ? in WordPress Npm basic-ftp versions = 5.3.0...

7.5CVSS5.8AI score0.00465EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 7:37 p.m.8 views

basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering

Summary basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending...

7.5CVSS6AI score0.00465EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/06 7:37 p.m.5 views

GHSA-RPMF-866Q-6P89 basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering

Summary basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending...

7.5CVSS6AI score0.00465EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/01 8:34 p.m.3 views

CVE-2026-42788

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated memory exhaustion via oversized HTTP/2 frames. 'Elixir.Bandit.HTTP2.Frame':deserialize/2 in lib/bandit/http2/frame.ex checks the SETTINGSMAXFRAMESIZE limit only after pattern-matching...

6.9CVSS5.9AI score0.0051EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/05/01 8:34 p.m.40 views

CVE-2026-42788 HTTP/2 frame size limit checked after body is buffered in bandit

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated memory exhaustion via oversized HTTP/2 frames. 'Elixir.Bandit.HTTP2.Frame':deserialize/2 in lib/bandit/http2/frame.ex checks the SETTINGSMAXFRAMESIZE limit only after pattern-matching...

6.9CVSS0.0051EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/04/29 6:30 p.m.20 views

OpenTelemetry.Resources.Azure has an unbounded HTTP response body read

Summary OpenTelemetry.Resources.Azure reads unbounded HTTP response bodies from the Azure VM remote instance metadata service endpoint into memory. This would allow an attacker-controlled endpoint or one acting as a Man-in-the-Middle MitM to cause excessive memory allocation and possible process...

5.9CVSS5.5AI score0.00323EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder