Lucene search
+L

9 matches found

Snyk
Snyk
added 2026/06/30 11:25 a.m.4 views

Inefficient Algorithmic Complexity

Overview org.webjars.npm:brace-expansion is a WebJar for brace-expansion. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the expand function. An attacker can cause excessive CPU consumption and block the event loop by supplying a specially crafted strin...

8.7CVSS6.3AI score0.00361EPSS
Exploits0References2
NVD
NVD
added 2026/06/30 9:16 a.m.11 views

CVE-2026-45822

decode-uri-component through 0.4.1 is vulnerable to denial of service. The decode function splits input on '%' producing N tokens and calls decodeComponents, exhibiting super-linear parsing time: 200 '%ab' tokens takes approximately 0.7s, 700 tokens approximately 6s, and 1400 tokens approximately...

8.7CVSS0.00304EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/30 8:30 a.m.39 views

CVE-2026-13149

brace-expansion through 5.0.6 is vulnerable to denial of service. The expand function exhibits exponential-time complexity in the number of consecutive non-expanding '' brace groups. An attacker who passes a crafted string to expand, directly or transitively, can cause significant CPU consumption...

8.7CVSS0.00361EPSS
Exploits0References2
CVE
CVE
added 2026/06/30 8:30 a.m.83 views

CVE-2026-13149

The CVE-2026-13149 entry concerns the library brace-expansion up to version 5.0.6. The vulnerability is in the expand() function, which exhibits exponential-time complexity proportional to the number of consecutive non-expanding '{}' brace groups. This allows an attacker to craft input that cause...

8.7CVSS5.7AI score0.00361EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/30 8:5 a.m.7 views

EUVD-2026-40267

decode-uri-component through 0.4.1 is vulnerable to denial of service. The decode function splits input on '%' producing N tokens and calls decodeComponents, exhibiting super-linear parsing time: 200 '%ab' tokens takes approximately 0.7s, 700 tokens approximately 6s, and 1400 tokens approximately...

8.7CVSS5.8AI score0.00304EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/27 6:8 p.m.15 views

LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex

Summary The built-in striphtml filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many |||/g, '' The regex contains four lazy patterns: 1. 2. 3. 4. For an input like 'script'.repeatN, the engine encounters N starting positions. At each one it mus...

7.5CVSS5.8AI score0.00385EPSS
Exploits0References5Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/01/04 12:0 a.m.5 views

TencentOS Server 4: python-tornado (TSSA-2025:0977)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0977 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...

7.5CVSS7AI score0.00403EPSS
Exploits0References4
Snyk
Snyk
added 2024/11/22 3:50 a.m.5 views

Regular Expression Denial of Service (ReDoS)

Overview tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS due to inefficient cookie parsing that results in quadratic performance. An attacker...

7.5CVSS6.8AI score0.01051EPSS
Exploits0References2
OSV
OSV
added 2018/05/31 8:29 p.m.12 views

CVE-2014-10064

The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example...

7.5CVSS7.4AI score
Exploits0References1
Rows per page
Query Builder