Lucene search
K

13 matches found

Github Security Blog
Github Security Blog
added 2026/06/12 3:8 p.m.13 views

NIOExtras: NIOHTTPRequestDecompressor ratio limit bypass via inflated Content-Length

Impact When NIOHTTPRequestDecompressor is configured with .ratioN, the decompression limit is enforced using the Content-Length header value from the incoming request rather than the actual number of compressed bytes received. Since Content-Length is attacker-controlled, a malicious client can...

7.5CVSS7.4AI score0.01008EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/05/09 12:31 p.m.11 views

OESA-2026-2218 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. MultiPartParser allows remote attackers to degrade performance by submitting multipart uploads wi...

9.8CVSS5.8AI score0.00769EPSS
Exploits1References9
Tenable Nessus
Tenable Nessus
added 2026/05/08 12:0 a.m.28 views

Python Library Django 5.2.x < 5.2.14 / 6.0.x < 6.0.5 Multiple Vulnerabilities

The detected version of the Django Python package is 5.2.x prior to 5.2.14 or 6.0.x prior to 6.0.5. It is, therefore, affected by multiple vulnerabilities, including: - ASGI requests with a missing or understated Content-Length header can bypass the FILEUPLOADMAXMEMORYSIZE limit, potentially...

6.5CVSS5.8AI score0.00544EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/05/08 12:0 a.m.13 views

Node.js Module axios < 1.15.1 Multiple Vulnerabilities

The version of the axios Node.js module installed on the remote host is prior to 1.15.1. It is, therefore, affected by multiple vulnerabilities: - Prototype pollution gadgets in axios allow response tampering, data exfiltration, and request hijacking. CVE-2026-42033 - Axios' HTTP adapter-streamed...

10CVSS6.6AI score0.01186EPSS
Exploits8References14
OSV
OSV
added 2026/05/05 6:33 p.m.9 views

GHSA-W26R-RMM8-9C29 Django has an Improper Handling of Length Parameter Inconsistency

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILEUPLOADMAXMEMORYSIZE limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to ...

6.3CVSS5.8AI score0.00423EPSS
Exploits0References6
OSV
OSV
added 2026/04/07 5:31 p.m.7 views

USN-8154-1 python-django vulnerabilities

Seokchan Yoon discovered that Django incorrectly handled copying memory when parsing multipart uploads with excessive whitespace. A remote attacker could possibly use this issue to cause Django to use excessive resources, leading to a denial of service. CVE-2026-33033 It was discovered that Djang...

9.8CVSS5.8AI score0.00769EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 2026/03/07 7:59 a.m.6 views

CVE-2026-28497

TinyWeb is a web server HTTP, HTTPS written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine Val allows an unauthenticated remote attacker to bypass Content-Length restrictions and perform HTTP Request Smuggling. This can le...

9.3CVSS5.8AI score0.00467EPSS
Exploits1References1
NVD
NVD
added 2026/03/06 4:16 a.m.14 views

CVE-2026-28497

TinyWeb is a web server HTTP, HTTPS written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine Val allows an unauthenticated remote attacker to bypass Content-Length restrictions and perform HTTP Request Smuggling. This can le...

9.3CVSS0.00467EPSS
Exploits1References2
EUVD
EUVD
added 2026/03/06 2:51 a.m.4 views

EUVD-2026-9969

TinyWeb is a web server HTTP, HTTPS written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine Val allows an unauthenticated remote attacker to bypass Content-Length restrictions and perform HTTP Request Smuggling. This can le...

9.3CVSS6AI score0.00467EPSS
Exploits1References2
CVE
CVE
added 2026/03/06 2:51 a.m.28 views

CVE-2026-28497

TinyWeb (Delphi, Win32) before version 2.03 contains an integer overflow in the string-to-integer conversion routine (_Val) that enables an unauthenticated remote attacker to bypass Content-Length checks and perform HTTP Request Smuggling. This affects servers using persistent connections (Keep-A...

9.3CVSS6AI score0.00467EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/06 12:0 a.m.8 views

PT-2026-23629

TinyWeb is a web server HTTP, HTTPS written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine Val allows an unauthenticated remote attacker to bypass Content-Length restrictions and perform HTTP Request Smuggling. This can le...

9.3CVSS6AI score0.00467EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/02/25 12:0 a.m.8 views

rustfs 安全漏洞

RustFS is a high-performance object storage system developed by RustFS. Versions of RustFS from 1.0.0-alpha.56 to 1.0.0-alpha.82 contain security vulnerabilities. These vulnerabilities stem from unvalidated pre-signed POST uploads, which may allow bypassing content length limits, start conditions...

9.1CVSS5.8AI score0.00265EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2025/08/18 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2019-16786

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall...

7.5CVSS6.7AI score0.02545EPSS
Exploits0References2
Rows per page
Query Builder