CVE-2026-44488

Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolve...

Elastic Kibana 安全漏洞

Elastic Kibana is a data visualization dashboard software provided by the Elastic company. There is a security vulnerability in Elastic Kibana, which stems from uncontrolled resource consumption and may lead to denial-of-service attacks. Users with viewer-level access and authenticated status can...

CVE-2026-5308

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a denial of service via crafted oversized HTTP requests.. Mattermost Advisory ID: MMSA-2026-00646...

CVE-2026-5308

CVE-2026-5308 affects Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, and 10.11.x

EUVD-2026-31425

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a denial of service via crafted oversized HTTP requests.. Mattermost Advisory ID: MMSA-2026-00646...

CVE-2026-2325 Improper Input Validation in MS Teams Meetings API Handler

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to...

CVE-2026-2325

CVE-2026-2325 affects Mattermost versions 11.5.x up to 11.5.1, 10.11.x up to 10.11.13, and 11.4.x up to 11.4.3. The issue is an improper input validation where the start meeting API endpoint (/api/v1/meetings) does not limit the request body size, enabling an authenticated attacker to cause resou...

CVE-2026-44456

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit does not reliably enforce maxSize for requests without a usable Content-Length e.g. Transfer-Encoding: chunked. Oversized requests can reach handlers and return 200 instead of 413. Th...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the requestToMsgGet process. An attacker can exhaust CPU and memory resources by sending oversized DNS-over-HTTPS GET requests with large dns query parameters, causing the...

Allocation of Resources Without Limits or Throttling

Overview @next-ai-drawio/mcp-server is a MCP server for Next AI Draw.io - AI-powered diagram generation with real-time browser preview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the handleStateApi, handleRestoreApi, and...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007238)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007238 advisory. In the Linux kernel, the following vulnerability has been resolved: netfilter: nftlimit: reject configurations that cause integer overflow Reject bogus configs where...

PT-2026-33217

Summary The public Stripe webhook endpoint fully reads the request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST bodies and cause substantial memory growth, leading to denial of service. Details When Stripe webhooks are enabled,...

Fleet Denial of Service Vulnerability (CNVD-2026-16892)

Fleet is Fleet Device Management open source a device management platform that supports a wide range of operating systems and devices to help IT and security teams with device management, vulnerability reporting, MDM and more. A denial of service vulnerability exists in Fleet versions prior to...

CVE-2026-33459 Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent...

GHSA-X744-4WPC-V9H2 Moby has AuthZ plugin bypass when provided oversized request bodies

Summary A security vulnerability has been detected that allows attackers to bypass authorization plugins AuthZ under specific circumstances. The base likelihood of this being exploited is low. This is an incomplete fix for CVE-2024-41110. Impact If you don't use AuthZ plugins, you are not affecte...

Allocation of Resources Without Limits or Throttling

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the webhook process. An attacker can cause excessive resource consumption by sending unauthenticated, oversized request bodies...

Denial of Service (DoS)

Overview Affected versions of this package are vulnerable to Denial of Service DoS due to insufficient validation of incoming request size in the webhook endpoint. An attacker can disrupt service availability by sending oversized requests to the endpoint. Details Denial of Service DoS describes a...

CVE-2026-32011

CVE-2026-32011 for OpenClaw describes a denial-of-service in webhook handlers used by BlueBubbles and Google Chat. The root cause is that request bodies are parsed before authentication and signature validation, allowing unauthenticated, remote attackers to exhaust parser resources by sending slo...

EUVD-2026-13273

OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request...

GHSA-RMRF-G9R3-73PM flagd Vulnerable to Allocation of Resources Without Limits or Throttling

Details flagd exposes OFREP /ofrep/v1/evaluate/... and gRPC evaluation.v1, evaluation.v2 endpoints for feature flag evaluation. These endpoints are designed to be publicly accessible by client applications. The evaluation context included in request payloads is read into memory without any size...