70 matches found
CLSA-2026-1772620440 skopeo: Fix of 3 CVEs
rebuild with newer golang version 1.25.7-1.el96.tuxcare.els1 to fix the following CVEs - CVE-2025-68121: fix TLS session resumption bypass by preventing shared auto-rotated ticket keys in Config and validating full certificate chain expiry - CVE-2025-61726: limit parsed URL query parameters to...
Astra Linux – Vulnerability in Ruby-Rack
Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforced its paramslimit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters...
CLSA-2026-1772456640 podman: Fix of 4 CVEs
rebuild with newer golang version 1.22.9-1.el92.tuxcare.els6 to fix the following CVE's - CVE-2025-68121: fix TLS session resumption bypass by preventing shared auto-rotated ticket keys in Config and validating full certificate chain expiry - CVE-2025-61726: limit parsed URL query parameters to...
CVE-2026-25882
Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route...
PT-2026-21801
Name of the Vulnerable Software and Affected Versions Fiber versions prior to 2.52.12 Fiber versions prior to 3.0.1 Description Fiber is an Express inspired web framework written in Go. A denial of service issue exists in Fiber that allows remote attackers to crash the application by sending...
Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: pcs (UTSA-2026-005328)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005328 advisory. Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its paramslimit only for parameters separated by &, while still...
Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: pcs (UTSA-2026-005323)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005323 advisory. Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, Rack::QueryParser parses query strings and application/x-www-form-urlencod...
AZL-75734 CVE-2025-61726 affecting package golang for versions less than 1.25.6-1
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containi...
AZL-75642 CVE-2025-61726 affecting package msft-golang for versions less than 1.24.12-1
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containi...
CVE-2025-61726
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containi...
CVE-2025-61726 Memory exhaustion in query parameter parsing in net/url
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containi...
EUVD-2025-206445
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containi...
GHSA-2497-GP99-2M74 Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered
Summary Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a condition that floods the panel with activity records Details After wings sends activity logs to the panel it deletes the processed activity entries from t...
Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered
Summary Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a condition that floods the panel with activity records Details After wings sends activity logs to the panel it deletes the processed activity entries from t...
GHSA-6RW7-VPXM-498P qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
Summary The arrayLimit option in qs did not enforce limits for bracket notation a=1&a=2, only for indexed notation a0=1. This is a consistency bug; arrayLimit should apply uniformly across all array notations. Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario...
AZL-73316 CVE-2025-15284 affecting package js-jquery 3.5.0-4
Improper Input Validation vulnerability in qs parse modules allows HTTP DoS.This issue affects qs: 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation a=1&a=2, only for indexed notation a0=1. This is a consistency bug; arrayLimit should apply uniformly across a...
AZL-73359 CVE-2025-15284 affecting package nodejs-nodemon 2.0.3-4
Improper Input Validation vulnerability in qs parse modules allows HTTP DoS.This issue affects qs: 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation a=1&a=2, only for indexed notation a0=1. This is a consistency bug; arrayLimit should apply uniformly across a...
AZL-73353 CVE-2025-15284 affecting package js-jquery 3.5.0-4
Improper Input Validation vulnerability in qs parse modules allows HTTP DoS.This issue affects qs: 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation a=1&a=2, only for indexed notation a0=1. This is a consistency bug; arrayLimit should apply uniformly across a...
UBUNTU-CVE-2025-15284
Improper Input Validation vulnerability in qs parse modules allows HTTP DoS.This issue affects qs: 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation a=1&a=2, only for indexed notation a0=1. This is a consistency bug; arrayLimit should apply uniformly across a...
CVE-2025-15284
Improper Input Validation vulnerability in qs parse modules allows HTTP DoS.This issue affects qs: 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation a=1=2, only for indexed notation a0=1. This is a consistency bug; arrayLimit should apply uniformly across all...