Lucene search
K

80 matches found

Tenable Nessus
Tenable Nessus
added 2026/06/27 12:0 a.m.9 views

EulerOS 2.0 SP15 : python-pillow (EulerOS-SA-2026-2461)

According to the versions of the python-pillow packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP- compressed data read when decoding a...

8.7CVSS7.2AI score0.00671EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/06/22 8:56 p.m.5 views

urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP...

8.9CVSS6.7AI score0.02667EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.13 views

PT-2026-51014

Name of the Vulnerable Software and Affected Versions urllib3 version 2.6.3 Brotli version 1.2.0 Description A decompression bomb bypass exists in the streaming API preload content=False when Brotli support is used. This occurs because three independent code paths in response.py bypass the max...

7.5CVSS7.4AI score0.00304EPSS
Exploits0References15
RedhatCVE
RedhatCVE
added 2026/06/09 8:59 p.m.11 views

CVE-2026-49755

Improper Handling of Highly Compressed Data Data Amplification vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies. Req's default response pipeline includes Req.Steps.decodebody/1 and...

8.2CVSS5.5AI score0.00438EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/08 3:20 p.m.6 views

CVE-2026-49755

Improper Handling of Highly Compressed Data Data Amplification vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies. Req's default response pipeline includes Req.Steps.decodebody/1 and...

8.2CVSS5.5AI score0.00438EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2026/06/08 3:20 p.m.12 views

EUVD-2026-35098

Improper Handling of Highly Compressed Data Data Amplification vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies. Req's default response pipeline includes Req.Steps.decodebody/1 and...

8.2CVSS5.5AI score0.00438EPSS
Exploits0References4
CVE
CVE
added 2026/06/08 3:20 p.m.40 views

CVE-2026-49755

Technical details beyond what’s in the Initial Description are not provided in the connected documents. Monitor for updates for specifics on affected versions, root cause, and remediation.

8.2CVSS5.5AI score0.00438EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/06/08 12:0 a.m.16 views

req 安全漏洞

“req” is a simple Go HTTP client developed by a Roc individual using Black Magic. Versions of “req” from 0.1.0 to 0.6.1 contained security vulnerabilities. These vulnerabilities stemmed from improper handling of highly compressed data, which could allow an attacker-controlled HTTP server to exhau...

8.2CVSS5.4AI score0.00438EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/06/06 12:0 a.m.16 views

EulerOS Virtualization 2.13.1 : python-urllib3 (EulerOS-SA-2026-2147)

According to the versions of the python-urllib3 package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP...

8.9CVSS6.9AI score0.02667EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/06/06 12:0 a.m.10 views

EulerOS Virtualization 2.13.0 : python-urllib3 (EulerOS-SA-2026-2186)

According to the versions of the python-urllib3 package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP...

8.9CVSS5.8AI score0.02667EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/03 9:13 p.m.14 views

Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend

Impact The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling: - XML External Entity XXE attacks to read local files or cause denial of service - Decompression bombs zip bombs to exhaust memory and disk space - Unbounded archive extraction...

7.1CVSS5.8AI score0.00113EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/06/03 9:13 p.m.14 views

GHSA-R3XG-RG9J-67FV Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend

Impact The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling: - XML External Entity XXE attacks to read local files or cause denial of service - Decompression bombs zip bombs to exhaust memory and disk space - Unbounded archive extraction...

5.5CVSS5.8AI score0.00113EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/03 12:0 a.m.19 views

PT-2026-46120

Name of the Vulnerable Software and Affected Versions Docling versions 2.45.0 through 2.90.0 Description The METS-GBS backend's XML parsing and input document format detection lack security controls. This allows for XML External Entity XXE attacks, which occur when an XML parser improperly handle...

7.1CVSS5.8AI score0.00113EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/03 12:0 a.m.21 views

PT-2026-46105

Impact The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling: - XML External Entity XXE attacks to read local files or cause denial of service - Decompression bombs zip bombs to exhaust memory and disk space - Unbounded archive extraction...

5.5CVSS5.8AI score
Exploits0References4
CNNVD
CNNVD
added 2026/06/02 12:0 a.m.9 views

Tesla 安全漏洞

Tesla is an HTTP client software open-sourced by Elixir Tesla. Versions of Tesla from 0.6.0 to 1.18.3 contained security vulnerabilities. These vulnerabilities stemmed from the lack of restrictions on the size of decompressed data when processing highly compressed data, which could lead to...

8.2CVSS5.4AI score0.00329EPSS
Exploits0References5
OSV
OSV
added 2026/04/22 9:45 p.m.7 views

OPENSUSE-SU-2026:20617-1 Security update for python-Pillow

This update for python-Pillow fixes the following issue: - CVE-2026-40192: Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks bsc1262184...

8.7CVSS5.3AI score0.00671EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.5 views

PT-2026-33882

Name of the Vulnerable Software and Affected Versions OpenBao versions prior to 2.5.3 Description The OCI plugin downloader contains an issue in the ExtractPluginFromImage function where plugin binaries are extracted from container images by streaming decompressed tar data via io.Copy without a...

6.5CVSS5.2AI score0.00218EPSS
Exploits1References19
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/16 5:49 p.m.3 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in urllib3-1.26.20-py2.py3-none-any.whl

Summary IBM Watson Discovery Cartridge affected by vulnerability in urllib3-1.26.20-py2.py3-none-any.whl Vulnerability Details CVEID:CVE-2026-21441 DESCRIPTION: urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by...

8.9CVSS5.8AI score0.02667EPSS
Exploits0Affected Software1
RedHat Linux
RedHat Linux
added 2026/03/26 8:28 p.m.55 views

Scrapy: python-scrapy: brotli: Python brotli decompression bomb DoS

Scrapy are vulnerable to a denial of service DoS attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occur...

7.5CVSS7.1AI score0.00509EPSS
Exploits0References5
Tenable Nessus
Tenable Nessus
added 2026/03/17 12:0 a.m.7 views

EulerOS Virtualization 2.12.0 : brotli (EulerOS-SA-2026-1476)

According to the versions of the brotli package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : Scrapy versions up to 2.13.2 are vulnerable to a denial of service DoS attack due to a flaw in its brotli decompression...

7.5CVSS7.1AI score0.00509EPSS
Exploits0References2
Rows per page
Query Builder