1740 matches found
CVE-2026-49855
Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, Tornado gzip decompression routines processed limited-size chunks but did not enforce an overall limit on accumulated decompressed chunks, allowing a malicious server accessed by SimpleAsyncHTTPClient or an...
CVE-2026-49855
Tornado (Python) prior to 6.5.6 allows a malicious server accessed via SimpleAsyncHTTPClient or an HTTPServer with decompress_request=True to accumulate decompressed data without an overall size limit, potentially causing memory exhaustion. Affected is gzip decompression routines that previously ...
CVE-2026-15747 Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle
Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle. csrftoken generates and caches one token per session and returns the same value on every call, and csrffield places that value in a hidden csrftoken input...
CVE-2026-15747
CVE-2026-15747 affects Mojolicious on Perl: versions 4.59 up to (but excluding) 9.48 expose a stable CSRF token representation to a BREACH compression oracle. _csrf_token caches a single per-session token and _csrf_field outputs it in a hidden input; when a response includes attacker-controlled i...
CVE-2026-59873
A flaw was found in node-tar, a tar archive manipulation library for Node.js. This vulnerability allows a remote attacker to craft a small gzip bomb, which, when processed, can lead to the exhaustion of disk space and CPU resources. This occurs because node-tar does not enforce strict limits on t...
Linux Distros Unpatched Vulnerability : CVE-2026-59873
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry count...
Linux Distros Unpatched Vulnerability : CVE-2026-59939
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with...
CVE-2026-44160 Fluentd: Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's inhttp and inforward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as bodysizelimit and...
CVE-2026-44160
Fluentd CVE-2026-44160 affects in_http and in_forward plugins prior to 1.19.3, where gzip-compressed payloads were restricted only by body_size_limit and chunk_size_limit. Crafted compressed data can decompress in memory to an excessive size, causing DoS via memory exhaustion. The issue is fixed ...
CVE-2026-44160 Fluentd: Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's inhttp and inforward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as bodysizelimit and...
CVE-2026-59939
httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small...
CVE-2026-59803
rpcx through 1.9.3, fixed in commit 047aec1, contains a denial-of-service vulnerability in protocol.Message.Decode protocol/message.go. When a message has the compression flag set, the payload is gzip-decompressed via util.Unzip with no limit on the decompressed output size. The only built-in siz...
CVE-2026-59803 rpcx - Denial of Service via Gzip Decompression Bomb in Wire Protocol
rpcx through 1.9.3, fixed in commit 047aec1, contains a denial-of-service vulnerability in protocol.Message.Decode protocol/message.go. When a message has the compression flag set, the payload is gzip-decompressed via util.Unzip with no limit on the decompressed output size. The only built-in siz...
EUVD-2026-42372
rpcx through 1.9.3, fixed in commit 047aec1, contains a denial-of-service vulnerability in protocol.Message.Decode protocol/message.go. When a message has the compression flag set, the payload is gzip-decompressed via util.Unzip with no limit on the decompressed output size. The only built-in siz...
CVE-2026-59803 rpcx - Denial of Service via Gzip Decompression Bomb in Wire Protocol
rpcx through 1.9.3, fixed in commit 047aec1, contains a denial-of-service vulnerability in protocol.Message.Decode protocol/message.go. When a message has the compression flag set, the payload is gzip-decompressed via util.Unzip with no limit on the decompressed output size. The only built-in siz...
CVE-2026-59939 httplib2: Decompression Bomb Denial of Service via Unbounded gzip/deflate Response Handling
httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small...
CVE-2026-59939
httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small...
CVE-2026-59939
The CVE-2026-59939 affects the Python httplib2 library prior to 0.32.0. The root cause is unbounded decompression of HTTP response bodies encoded with gzip or deflate in _decompressContent, allowing a malicious server to send a small compressed payload that expands to very large in-memory size, l...
CVE-2026-59873
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such as src/extract.ts, allowing a small crafted gzip bomb to exhaust disk spac...
CVE-2026-59873
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such as src/extract.ts, allowing a small crafted gzip bomb to exhaust disk spac...