
20 matches found

Debian CVE | added 2026/05/13 8:20 p.m. | 3 views

CVE-2026-42304

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending...

CVSS 7.5 | AI score 5.8 | EPSS 0.00024 | Exploits: 1
OSV | added 2026/04/22 9:48 p.m. | 1 views

SUSE-SU-2026:21382-1 Security update for python-Pillow

This update for python-Pillow fixes the following issue:
- CVE-2026-40192: Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks (bsc#1262184)...

CVSS 8.7 | AI score 5.3 | EPSS 0.00018 | Exploits: 0 | References: 3
CVE | added 2026/04/09 2:44 p.m. | 6 views

CVE-2026-5438

CVE-2026-5438 describes a gzip decompression bomb vulnerability in Orthanc when processing HTTP requests with Content-Encoding: gzip. The server does not enforce decompressed size limits and may allocate memory based on attacker-controlled compression metadata, potentially leading to memory exhau...

CVSS 7.5 | AI score 5.9 | EPSS 0.0006 | Exploits: 0 | References: 3 | Affected software: 1
RedhatCVE | added 2026/02/05 7:23 p.m. | 2 views

CVE-2026-25140

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in...

CVSS 7.5 | AI score 5.4 | EPSS 0.00019 | Exploits: 0 | References: 1
EUVD | added 2026/01/28 3:20 p.m. | 2 views

EUVD-2025-206333

Next.js has Unbounded Memory Consumption via PPR Resume Endpoint...

CVSS 5.9 | AI score 5.9 | EPSS 0.0015 | Exploits: 0 | References: 3
OSV | added 2026/01/26 10:15 p.m. | 1 views

CVE-2025-59472

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related...

CVSS 7.5 | AI score 5.8 | Exploits: 0 | References: 1
RedHat Linux | added 2026/01/26 6:09 p.m. | 3 views

Important: Red Hat Security Advisory: fence-agents security update

An update for fence-agents is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability...

CVSS 8.9 | AI score 6.7 | EPSS 0.00032 | Exploits: 0 | References: 4
Tenable Nessus | added 2026/01/21 12:00 a.m. | 2 views

RockyLinux 10 : brotli (RLSA-2026:0845)

The remote RockyLinux 10 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:0845 advisory.
- Scrapy: python-scrapy: brotli: Python brotli decompression bomb DoS (CVE-2025-6176)
Tenable has extracted the preceding description block directly from the...

CVSS 7.5 | AI score 7.4 | EPSS 0.00036 | Exploits: 0 | References: 3
Snyk | added 2025/12/17 4:42 p.m. | 7 views

Allocation of Resources Without Limits or Throttling

Overview: org.bitbucket.bc:jose4j is a robust and easy to use open source implementation of JSON Web Token (JWT) and the JOSE specification suite (JWS, JWE, and JWK). It is written in Java and relies solely on the JCA APIs for cryptography. Please see https://bitbucket.org/bc/jose4j/wiki/Home for more...

CVSS 8.7 | AI score 6.7 | EPSS 0.00021 | Exploits: 1 | References: 2
Snyk | added 2025/12/05 4:42 p.m. | 1 views

Allocation of Resources Without Limits or Throttling

Overview: urllib3 is an HTTP library with thread-safe connection pooling, file post, and more. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling during the decompression of compressed response data. An attacker can cause excessive CPU and memor...

CVSS 8.9 | AI score 6.9 | EPSS 0.00021 | Exploits: 0 | References: 2
Positive Technologies | added 2025/11/10 12:00 a.m. | 3 views

PT-2025-46207

Name of the Vulnerable Software and Affected Versions: Bugsink versions prior to 2.0.5. Description: Bugsink is a self-hosted error tracking tool susceptible to a Denial of Service. Specifically, specially crafted brotli compressed data streams, known as “bombs”, highly compressed brotli streams...

CVSS 7.5 | AI score 6.5 | EPSS 0.00208 | Exploits: 0 | References: 14
Tenable Nessus | added 2025/10/07 12:00 a.m. | 1 views

Unity Linux 20.1070e Security Update: skopeo (UTSA-2025-068548)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-068548 advisory. Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed...

CVSS 4.3 | AI score 7 | EPSS 0.04986 | Exploits: 0 | References: 4
EUVD | added 2025/10/03 8:07 p.m. | 1 views

EUVD-2024-1996

Malicious code in bioql PyPI...

CVSS 8.6 | AI score 6.8 | EPSS 0.00195 | Exploits: 0 | References: 7
EUVD | added 2025/10/03 8:07 p.m. | 2 views

EUVD-2021-8998

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 8.2 | EPSS 0.00459 | Exploits: 1 | References: 1
OSV | added 2025/04/02 7:15 a.m. | 0 views

UBUNTU-CVE-2024-45700

Zabbix server is vulnerable to a DoS vulnerability due to uncontrolled resource exhaustion. An attacker can send specially crafted requests to the server, which will cause the server to allocate an excessive amount of memory and perform CPU-intensive decompression operations, ultimately leading t...

CVSS 6.5 | AI score 5.8 | EPSS 0.0015 | Exploits: 0 | References: 3
OSV | added 2024/04/19 11:07 a.m. | 1 views

OESA-2024-1473 cri-o security update

Open Container Initiative-based implementation of Kubernetes Container Runtime Interface. Security Fixes: Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amount...

CVSS 4.3 | AI score 5.1 | EPSS 0.04986 | Exploits: 0 | References: 2
OSV | added 2024/03/09 1:15 a.m. | 3 views

AZL-35901 CVE-2024-28180 affecting package packer for versions less than 1.9.5-6

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if t...

CVSS 4.3 | AI score 6.4 | EPSS 0.04986 | Exploits: 0 | References: 1
OSV | added 2024/03/09 1:15 a.m. | 3 views

AZL-43831 CVE-2024-28180 affecting package buildah 1.18.0-29

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if t...

CVSS 4.3 | AI score 6.4 | EPSS 0.04986 | Exploits: 0 | References: 1
OSV | added 2024/03/09 1:15 a.m. | 2 views

AZL-35860 CVE-2024-28180 affecting package skopeo for versions less than 1.14.2-9

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if t...

CVSS 4.3 | AI score 6.4 | EPSS 0.04986 | Exploits: 0 | References: 1
CNVD | added 2020/08/02 12:00 a.m. | 2 views

File Upload Vulnerability in MetInfo 7.1.0 Backend of Changsha Mito Information Technology Co.

MetInfo is a free, open source CMS for building enterprise websites. A file upload vulnerability exists in the backend of Changsha Mito Information Technology Co., Ltd MetInfo 7.1.0; attackers can exploit the vulnerability to upload malicious compressed packages and then decompress...

AI score 7 | Exploits: 0