Lucene search
K

412 matches found

OSV
OSV
added 2026/04/16 11:38 p.m.3 views

BIT-DJANGO-2026-33034 Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATAUPLOADMAXMEMORYSIZE limit when reading HttpRequest.body, allowing remote attackers to load an unbounded request body into...

7.5CVSS5.8AI score0.00769EPSS
Exploits0References4
Veracode
Veracode
added 2026/04/16 8:45 a.m.7 views

Memory Limit Bypass

LiquidJS is vulnerable to Memory Limit Bypass. The vulnerability is due to the replace filter incorrectly accounting for memory usage when the memoryLimit option is enabled, where an attacker who controls template content can bypass the memoryLimit DoS protection with approximately 2,500x...

5.3CVSS5.8AI score0.00495EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/09 5:30 p.m.4 views

USN-8154-2 python-django vulnerabilities

USN-8154-1 fixed vulnerabilities in Django. This update provides the corresponding updates for CVE-2026-33033 and CVE-2026-4292 in Ubuntu 14.04 LTS and Ubuntu 16.04 LTS, and CVE-2026-4277 in Ubuntu 16.04 LTS. Original advisory details: Seokchan Yoon discovered that Django incorrectly handled...

9.8CVSS5.8AI score0.00689EPSS
Exploits1References4
NVD
NVD
added 2026/04/08 7:25 p.m.5 views

CVE-2026-34166

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limite...

5.3CVSS0.00495EPSS
Exploits1References3
CVE
CVE
added 2026/04/08 5:52 p.m.16 views

CVE-2026-34166

LiquidJS (template engine) has a memoryLimit bypass in the replace filter: when memoryLimit is enabled, replacing a pattern can produce output size that grows quadratically with occurrences, bypassing the configured memory cap and risking out-of-memory DoS. Affected: prior to 10.25.3. Fix: upgrad...

5.3CVSS5.9AI score0.00495EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/08 5:52 p.m.5 views

CVE-2026-34166 LiquidJS has a Memory Limit Bypass via Quadratic Amplification in `replace` Filter

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limite...

3.7CVSS5.8AI score0.00495EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/08 5:52 p.m.18 views

CVE-2026-34166 LiquidJS has a Memory Limit Bypass via Quadratic Amplification in `replace` Filter

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limite...

3.7CVSS0.00495EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/04/08 4:53 p.m.3 views

CVE-2026-20884

A flaw was found in LibRaw. An integer overflow vulnerability in the deflatedngloadraw functionality allows a remote attacker to provide a specially crafted malicious file. This can lead to a heap buffer overflow, potentially resulting in arbitrary code execution. Mitigation This vulnerability ca...

9.8CVSS6.4AI score0.00454EPSS
Exploits1References5
Snyk
Snyk
added 2026/04/08 3:0 p.m.2 views

Allocation of Resources Without Limits or Throttling

Overview liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the replace filter when the memoryLimit option is enabled. An attacker can...

6CVSS5.8AI score0.00495EPSS
Exploits1References2
EUVD
EUVD
added 2026/04/08 3:0 p.m.4 views

EUVD-2026-20554

LiquidJS Has Memory Limit Bypass via Quadratic Amplification in replace Filter...

3.7CVSS5.9AI score0.00495EPSS
Exploits1References3
OSV
OSV
added 2026/04/08 3:0 p.m.2 views

GHSA-MMG9-6M6J-JQQX LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter

Summary The replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter, but the actual output from str.splitpattern.joinreplacement can be quadratically larger whe...

3.7CVSS5.9AI score0.00495EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/04/08 3:0 p.m.6 views

LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter

Summary The replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter, but the actual output from str.splitpattern.joinreplacement can be quadratically larger whe...

5.3CVSS6AI score0.00495EPSS
Exploits1References5Affected Software1
EUVD
EUVD
added 2026/04/07 3:30 p.m.5 views

EUVD-2026-19648

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATAUPLOADMAXMEMORYSIZE limit when reading HttpRequest.body, allowing remote attackers to load an unbounded request body into...

7.5CVSS5.9AI score0.00769EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/04/07 3:30 p.m.8 views

Django: SGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATAUPLOADMAXMEMORYSIZE limit when reading HttpRequest.body, allowing remote attackers to load an unbounded request body into...

7.5CVSS5.9AI score0.00769EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/04/07 3:17 p.m.11 views

PYSEC-2026-49

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATAUPLOADMAXMEMORYSIZE limit when reading HttpRequest.body, allowing remote attackers to load an unbounded request body into...

7.5CVSS5.8AI score0.00769EPSS
Exploits0References4
OSV
OSV
added 2026/04/07 3:17 p.m.3 views

DEBIAN-CVE-2026-33034

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATAUPLOADMAXMEMORYSIZE limit when reading HttpRequest.body, allowing remote attackers to load an unbounded request body into...

7.5CVSS5.4AI score0.00769EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/04/07 2:22 p.m.8 views

CVE-2026-33034

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATAUPLOADMAXMEMORYSIZE limit when reading HttpRequest.body, allowing remote attackers to load an unbounded request body into...

7.5CVSS5.8AI score0.00769EPSS
Exploits0
OSV
OSV
added 2026/04/07 2:0 p.m.2 views

UBUNTU-CVE-2026-33034

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATAUPLOADMAXMEMORYSIZE limit when reading HttpRequest.body, allowing remote attackers to load an unbounded request body into...

7.5CVSS5.8AI score0.00769EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.5 views

PT-2026-30851

Name of the Vulnerable Software and Affected Versions Django versions 4.2 through 4.2.29, 5.2 through 5.2.12, and 6.0 through 6.0.3 Description ASGI requests lacking or underreporting the Content-Length header may bypass the DATA UPLOAD MAX MEMORY SIZE limit when processing HttpRequest.body,...

9.8CVSS5.8AI score0.00769EPSS
Exploits1References33
Tenable Nessus
Tenable Nessus
added 2026/04/07 12:0 a.m.3 views

Linux Distros Unpatched Vulnerability : CVE-2026-33034

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could...

7.5CVSS5.8AI score0.00769EPSS
Exploits0References3
Rows per page
Query Builder