13 matches found

FreeBSD
added 2026/05/28 12:00 a.m., 6 views

mail/mailpit -- memory-exhaustion DoS via unbounded JSON body

Mailpit author reports: Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on /api/v1/messages, /api/v1/tags, and /api/v1/message/id/release...

AI score: 5.8
Exploits: 0, References: 1
Github Security Blog
added 2026/05/23 12:11 a.m., 13 views

Parse Server: Pre-authentication denial of service via client version header regex backtracking

Impact: An unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before...

AI score: 5.9
Exploits: 0, References: 4, Affected Software: 1
Positive Technologies
added 2026/05/23 12:00 a.m., 7 views

PT-2026-42860

Name of the Vulnerable Software and Affected Versions: Parse Server (affected versions not specified). Description: An unauthenticated attacker with knowledge of a public Parse Application ID can cause a denial of service by submitting a single HTTP request to any '/parse/' endpoint. The attack involv...

CVSS: 8.7, AI score: 5.8
Exploits: 0, References: 8
GitLab Advisory Database
added 2026/03/30 12:00 a.m., 7 views

FHIR Validator: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing

The /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, scheme, or domain validation. An unauthenticated attacker with network access to the validator can probe internal network services...

CVSS: 5.8, AI score: 5.9, EPSS: 0.00063
Exploits: 1, References: 4
ATTACKERKB
added 2026/02/09 7:42 p.m., 3 views

CVE-2026-25495

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteriaorderBy parameter JSON body. The application fails to sanitize this input before...

CVSS: 8.7, AI score: 6.2, EPSS: 0.00015
Exploits: 1, References: 4, Affected Software: 1
OSV
added 2025/10/02 9:23 p.m., 1 view

GHSA-P8HW-RFJG-689H: Canonical LXD CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI

Description: OIDC authentication uses cookies with the SameSite=Strict attribute, preventing cookies from being sent with requests from other sites. Therefore, CSRF does not occur as long as web services in a Same Site relationship (same eTLD+1) with the origin running LXD-UI are trusted. However,...

CVSS: 8.3, AI score: 7.2, EPSS: 0.00024
Exploits: 1, References: 4
CVE
added 2025/09/14 12:00 a.m., 13 views

CVE-2025-59364

The CVE concerns the express-xss-sanitizer package for Node.js, where the sanitize function in lib/sanitize.js can recurse without depth limit when handling JSON request bodies, potentially enabling denial of service through stack exhaustion. Affected versions include up to 2.0.0; advisories indi...

CVSS: 5.3, AI score: 6, EPSS: 0.00009
Exploits: 0, References: 3
Snyk
added 2025/07/29 7:24 p.m., 1 view

Server-side Request Forgery (SSRF)

Overview: bentoml is a BentoML: Build Production-Grade AI Applications. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the MultipartSerde.ensurefile and JSONSerde.parserequest processes. An attacker can cause the server to make arbitrary HTTP requests to...

CVSS: 10, AI score: 7.1, EPSS: 0.01308
Exploits: 1, References: 2
OSSF Malicious Packages
added 2024/09/04 8:53 a.m., 2 views

Malicious code in json_body_phaser (npm)

Per source details (do not edit below this line). Source: ghsa-malware 39f3d2ea88a504286f4974f0428b53a32fded6f82a80c4c5a6ba7820849befbb. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 6.9
Exploits: 0, References: 1
Prion
added 2023/12/16 1:15 a.m., 24 views

Improper access control

An improper access control vulnerability exists in all versions of Uffizio's GPS Tracker, leading to sensitive information disclosure of all the connected devices. By visiting the vulnerable host at port 9000, we see it responds with a JSON body that has all the details about the devices which have...

CVSS: 5, AI score: 6.7, EPSS: 0.00199
Exploits: 0, References: 2
Cvelist
added 2023/12/16 12:00 a.m., 11 views

CVE-2020-17483

An improper access control vulnerability exists in all versions of Uffizio's GPS Tracker, leading to sensitive information disclosure of all the connected devices. By visiting the vulnerable host at port 9000, we see it responds with a JSON body that has all the details about the devices which have...

AI score: 7.4, EPSS: 0.00199
Exploits: 0, References: 2
0day.today
added 2023/05/05 12:00 a.m., 184 views

Jedox 2022.4.2 - Remote Code Execution via Directory Traversal Vulnerability

Exploit Title: Jedox 2022.4.2 - Remote Code Execution via Directory Traversal. Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL. Vendor Homepage: https://jedox.com. Version: Jedox 2022.4 (22.4.2) and older. CVE: CVE-2022-47875. Introduction...

CVSS: 8.8, AI score: 7.1, EPSS: 0.10563
Exploits: 4
0day.today
added 2019/10/30 12:00 a.m., 58 views

Ajenti 2.1.31 - Remote Code Execution Exploit

Exploit for jsp platform in category web applications. Exploit Title: Ajenti 2.1.31 - Remote Code Execution (Metasploit). Exploit Author: Onur ER. Vendor Homepage: http://ajenti.org/. Software Link: https://github.com/ajenti/ajenti. Version: 2.1.31. Tested on: Ubuntu 19.10. This module requires Metasploit:...

AI score: 7.4
Exploits: 0