CVE-2026-54892

Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 and Plug.Conn.Query.decodeeach/2 parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many...

EUVD-2026-38429

Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validatepasswordcompliance endpoint that is callable using only the public Supabase key without authentication. The endpoint is CORS-permissive with wildcard origin allowance and lacks rate...

CVE-2026-56225

Capgo before 12.128.2 has an authorization bypass in public API key management handlers (get/put/delete/post). Keys created with mode=all but limited_to_apps are not checked against limited_to_apps, only limited_to_orgs, allowing an app-scoped key to enumerate, update, and delete sibling API keys...

Limit Login Attempts - Stored Cross-Site Scripting

Limit Login Attempts WordPress plugin 4.0.72 contains a stored cross-site scripting caused by unsanitized and unescaped settings, letting malicious administrators inject Javascript code, exploit requires administrator privileges. id: CVE-2022-1029 info: name: Limit Login Attempts - Stored...

UBUNTU-CVE-2026-42127

The public dashboard query endpoint does not limit request body size b...

CVE-2026-56324

Capgo before 12.128.2 contains a rate limit bypass vulnerability in the channelself endpoint that allows attackers to circumvent rate limiting by rotating the user-controlled deviceid parameter. Attackers can send multiple requests per second by changing deviceid values to flood the channeldevice...

CVE-2026-48512

MessagePack for C is a MessagePack serializer for C. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's JSON conversion helpers contain multiple recursion paths that do not consistently enforce a depth limit. These paths are in the JSON conversion component rather than normal typed MessagePack...

CVE-2026-56324

Capgo contains a rate limit bypass in the channel_self endpoint prior to version 12.128.2. The vulnerability lets an attacker rotate the user-controlled device_id parameter to bypass rate limiting, enabling multiple requests per second and flooding the channel_devices table, potentially causing d...

EUVD-2026-38374

Capgo before 12.128.2 contains a rate limit bypass vulnerability in the channelself endpoint that allows attackers to circumvent rate limiting by rotating the user-controlled deviceid parameter. Attackers can send multiple requests per second by changing deviceid values to flood the channeldevice...

CVE-2026-54288

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, the Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge the body is...

CVE-2026-54288 Hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, the Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge the body is...

CVE-2026-54288

The CVE-2026-54288 issue affects the Hono Web framework prior to version 4.12.25, where the Body Limit Middleware trusts the request Content-Length header. On AWS Lambda environments (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge), the body is fully buffered and the adapter builds the requ...

CVE-2026-54277 AIOHTTP: C HTTP Parser Bypasses max_line_size for Fragmented Lines

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the maxlinesize check in parts of an HTTP request in the C parser. If using the optimised C parser the default in pre-built wheels, then an attacker may be able to send...

Limit Login Attempts WordPress - Stored Cross-site Scripting

Limit Login Attempts WordPress plugin 4.0.50 contains a stored cross-site scripting caused by not escaping IP addresses controlled via headers like X-Forwarded-For before outputting them in reports, letting unauthenticated attackers execute scripts in admin context. id: CVE-2021-24657 info: name:...

Ultimate Sitemap Parser (USP): Gzip Decompression Bomb Bypasses Sitemap Size Limit

Gzip Decompression Bomb Bypasses Sitemap Size Limit Summary ultimate-sitemap-parser enforces a 100 MiB size limit on sitemap responses, but applies it only to the compressed bytes received over the network. When a .gz sitemap is fetched, usp/helpers.py:239 calls gziplib.decompressdata with no...

GHSA-6WX8-W4F5-WWCR Concurrent Ruby: ReadWriteLock allows wrong-thread write release and stray read-release counter corruption

Summary Concurrent::ReadWriteLockreleasewritelock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, Linux, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: pfifotailenqueue: Drop a new packet when sch-limit == 0. Expected behavior: If the scheduler’s limit is reached, pfifotailenqueue will drop a packet from the scheduler’s queue and decrease the scheduler’s qlen by one. Then,...

Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: ipmi: Revised the handling of user message limits. The limit on the number of user messages had several issues; improper counting occurred in some cases, and there were issues with operations after memory allocation. The process...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: Use a static NDP16 location within the URB. The original code allowed the start of NDP16 to be anywhere within the URB, based on the wNdpIndex value in NTH16. Only the start position of NDP16 was checked, which ma...

Astra Linux – Vulnerability in Linux, Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: spi: bcm2835: Fixed out-of-bounds access when there are more than 4 slaves. The commit 571e31fa60b3 “spi: bcm2835: Fixed cache the CS register value for -preparemessage” limited the number of slaves to 3 at compile-time. This...