Lucene search
K

7 matches found

NVD
NVD
added last week11 views

CVE-2026-59892

OpenTelemetry JavaScript is the OpenTelemetry JavaScript client. Prior to 2.9.0, @opentelemetry/propagator-jaeger decodes incoming uber-trace-id and uberctx- HTTP header values with decodeURIComponent without handling decode errors, allowing an unauthenticated remote attacker to send a malformed...

7.5CVSS0.00436EPSS
Exploits0References3
CVE
CVE
added last week10 views

CVE-2026-59892

Summary: OpenTelemetry JavaScript’s JaegerPropagator (via @opentelemetry/propagator-jaeger) decodes uber-trace-id and uberctx-* headers with decodeURIComponent() without handling decode errors prior to 2.9.0, enabling an unauthenticated attacker to send a malformed percent-encoded value that resu...

7.5CVSS6AI score0.00436EPSS
Exploits0References3
CVE
CVE
added 2026/06/22 4:52 p.m.47 views

CVE-2026-54285

Opentelemetry-js (OpenTelemetry JavaScript client) is affected by CVE-2026-54285 through the W3CBaggagePropagator.extract() path in @opentelemetry/core prior to 2.8.0, where inbound baggage headers were not capped and could trigger memory allocation proportional to header size. The issue is fixed...

5.3CVSS5.9AI score0.00238EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/27 2:49 p.m.49 views

CVE-2026-44902 opentelemetry-js: Prometheus exporter process crash via malformed HTTP request

opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint default 0.0.0.0:9464 has no error handling around URL parsing, so a request with an invalid...

7.5CVSS0.00455EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/27 2:49 p.m.12 views

CVE-2026-44902

opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint default 0.0.0.0:9464 has no error handling around URL parsing, so a request with an invalid...

7.5CVSS5.8AI score0.00455EPSS
Exploits0References2Affected Software4
OSV
OSV
added 2026/05/27 2:49 p.m.3 views

CVE-2026-44902 opentelemetry-js: Prometheus exporter process crash via malformed HTTP request

opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint default 0.0.0.0:9464 has no error handling around URL parsing, so a request with an invalid...

7.5CVSS5.9AI score0.00455EPSS
Exploits0References3
Circl
Circl
added 2026/05/06 3:40 p.m.8 views

CVE-2026-44902

creationtimestamp| type| source ---|---|--- 2026-05-06 15:40:57+00:00| published-proof-of-concept| https://github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3 2026-05-27 17:02:41+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mmtye5ufzl2t...

7.5CVSS5.7AI score0.00455EPSS
Exploits0References2
Rows per page
Query Builder