Lucene search
K

8 matches found

Github Security Blog
Github Security Blog
added 2026/07/06 9:6 p.m.9 views

Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service

Summary POST /api/v2/files converts zip uploads to tar in memory via CreateTarFromZip, which enforced a per-entry size limit but no aggregate limit on total decompressed output, writing to an unbounded in-memory buffer. Note: Exploitation requires authenticated file-upload access and the impact i...

6.5CVSS6AI score0.00602EPSS
Exploits0References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/25 5:32 p.m.6 views

CVE-2026-54278

A flaw was found in aiohttp, an asynchronous HTTP client/server framework. An attacker could send a specially crafted compressed request body that, during cleanup, would be decompressed into memory in one large chunk. This could potentially lead to a Denial of Service DoS condition, where the...

8.7CVSS5.9AI score0.00279EPSS
Exploits0References5
Tenable Nessus
Tenable Nessus
added 2026/06/22 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2026-54278

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to ...

8.7CVSS5.9AI score0.00279EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/15 8:9 p.m.18 views

aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup

Summary During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. Impact An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS a zip bomb edge case. Workaround...

8.7CVSS5.2AI score0.00279EPSS
Exploits0References2Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/05/16 12:0 a.m.11 views

SUSE SLES15 Security Update : python39 (SUSE-SU-2026:1818-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1818-1 advisory. Security issues fixed: - CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF bsc1261969. - CVE-2026-3446: base6...

9.1CVSS6.8AI score0.00579EPSS
Exploits1References20
CNNVD
CNNVD
added 2026/02/24 12:0 a.m.15 views

Nats-Server 安全漏洞

Nats-Server is a high-performance server developed by Nats Open Source, used for native message delivery systems on Nats.io, cloud, and edge environments. There were security vulnerabilities in versions of NATS-Server prior to 2.11.2 and 2.12.3. These vulnerabilities stemmed from WebSockets’...

7.5CVSS5.8AI score0.00478EPSS
Exploits0References4
Huntr
Huntr
added 2025/11/11 9:51 a.m.10 views

Unlimited-memory decompression leads to DoS bypassing `--http-max-input-size`

This report is not public...

5.4AI score
Exploits0
OSV
OSV
added 2025/09/07 4:15 p.m.2 views

DEBIAN-CVE-2025-39731

In the Linux kernel, the following vulnerability has been resolved: f2fs: vmunmapram may be called from an invalid context When testing F2FS with xfstests using UFS backed virtual disks the kernel complains sometimes that f2fsreleasedecompmem calls vmunmapram from an invalid context. Example trac...

5.5CVSS5.3AI score0.00137EPSS
Exploits0References1
Rows per page
Query Builder