13 matches found
GHSA-82W8-QH3P-5JFQ Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS
Summary request.form accepts maxfields and maxpartsize to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an...
Amazon Linux 2 : docker, --advisory ALAS2NITRO-ENCLAVES-2026-108 (ALASNITRO-ENCLAVES-2026-108)
The version of docker installed on the remote host is prior to 25.0.16-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2026-108 advisory. The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with ...
CVE-2026-39829
A flaw was found in golang.org/x/crypto/ssh. The RSA and DSA public key parsers in the affected component did not enforce size limits on key parameters. This vulnerability allows an unauthenticated client to provide a crafted public key with an excessively large modulus or DSA parameter during...
golang: net/url: Memory exhaustion in query parameter parsing in net/url
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...
Duplicate Advisory: Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-8mp2-v27r-99xp. This link is maintained to preserve external references. Original Description Summary Denial-of-Service DoS vulnerability in the Mistune Markdown parser. The issue occurs when processing speciall...
CVE-2026-32145
Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing. The multipartbody function bypasses configured maxbodysize and maxfilessize limits. When a multipart boundary is not present in a chunk, the parser tak...
golang: net/url: Memory exhaustion in query parameter parsing in net/url
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...
Security update for go1.25-openssl
This update for go1.25-openssl fixes the following issues: Update to version 1.25.6 released 2026-01-15 jscSLE-18320, bsc1244485: Security fixes: CVE-2025-4674 cmd/go: disable support for multiple vcs in one module bsc1246118. CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of "", "." a...
OESA-2025-2783 golang security update
. Security Fixes: The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://::1/". IPv4 addresses...
Important: runc
Issue Overview: Placeholder CVE. Details forthcoming CVE-2025-31133 net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to b...
jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck loop indefinitely until...
jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck loop indefinitely until...
CVE-2021-37714
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck loop indefinitely until...