Ubuntu 14.04 LTS / 16.04 LTS : Linux kernel vulnerabilities (USN-8143-1)

The remote Ubuntu 14.04 LTS / 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8143-1 advisory. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update...

CVE-2026-5312

A weakness has been identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected by this vulnerability is the...

GHSA-8VQR-QJWX-82MW Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads

Summary Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENTLENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size...

Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads

Summary Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENTLENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size...

CVE-2026-34735

The CVE concerns Hytale Modding Wiki (version 1.2.0 and prior). The issue resides in the quickUpload() endpoint: MIME-type validation via PHP finfo is performed, but the stored filename is constructed from the client-supplied extension (getClientOriginalExtension()). These independent checks allo...

CVE-2026-34829

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENTLENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfe...

DEBIAN-CVE-2026-34829

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENTLENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfe...

CVE-2026-33951

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT...

UBUNTU-CVE-2026-34829

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENTLENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfe...

PGBouncer: Connection Pooling for Managed PostgreSQL Databases

Learn how enabling PGBouncer reduces connection overhead, frees up server resources for query execution and disk caching, and improves performance at scale...

CVE-2026-34829 Rack: Denial of Service via Unbounded Multipart File Upload Without Content-Length

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENTLENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfe...

CVE-2026-34829

Rack is vulnerable to a Denial of Service caused by unbounded multipart file uploads when a request uses multipart/form-data without a Content-Length header. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO if CONTENT_LENGTH exists; w...

CVE-2026-33951 signalk-server: Unauthenticated Source Priorities Manipulation

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT...

CVE-2026-33951

Signal K Server (boat hub) exposes an unauthenticated HTTP endpoint PUT /signalk/v1/api/sourcePriorities that directly assigns user input to the server configuration, enabling attackers to modify navigation data source priorities. The issue is triggered by missing authentication/authorization and...

CVE-2026-33951

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT...

fast-filesystem-mcp is vulnerable to command injection through handleGetDiskUsage function

A security flaw has been discovered in efforthye fast-filesystem-mcp up to 3.5.1. The affected element is the function handleGetDiskUsage of the file src/index.ts. Performing a manipulation results in command injection. The attack is possible to be carried out remotely. The exploit has been...

CVE-2026-5327 efforthye fast-filesystem-mcp index.ts handleGetDiskUsage command injection

A security flaw has been discovered in efforthye fast-filesystem-mcp up to 3.5.1. The affected element is the function handleGetDiskUsage of the file src/index.ts. Performing a manipulation results in command injection. The attack is possible to be carried out remotely. The exploit has been...

CVE-2026-5327

The CVE-2026-5327 vulnerability affects the project efforthye fast-filesystem-mcp up to version 3.5.1 , specifically the function handleGetDiskUsage in src/index.ts. The issue arises from a manipulation that enables remote command injection , with exploitation publicly released and a Proof-of-Con...

CVE-2026-32145 Multipart form body parser bypasses body size limits in wisp

Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing. The multipartbody function bypasses configured maxbodysize and maxfilessize limits. When a multipart boundary is not present in a chunk, the parser tak...

PT-2026-29870

The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. In version 1.2.0 and prior, the quickUpload endpoint validates uploaded files by checking their MIME type via PHP's finfo, which inspects file contents but constructs the stored filename using the...