548 matches found
CVE-2026-56814
Plug.Parsers.MULTIPART, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the :length limit only for part...
EUVD-2026-42873
Plug.Parsers.MULTIPART, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the :length limit only for part...
CVE-2026-56814
Plug.Parsers.MULTIPART, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the :length limit only for part...
crypto/x509: Incorrect enforcement of email constraints in crypto/x509
A certificate validation flaw has been discovered in the golang crypto/x509 module. When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly...
crypto/x509: Incorrect enforcement of email constraints in crypto/x509
A certificate validation flaw has been discovered in the golang crypto/x509 module. When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly...
CVE-2026-22331
Unauthenticated Local File Inclusion in AutoParts = 1.5.8 versions...
MGASA-2026-0216 Updated python-tornado packages fix security vulnerabilities
Tornado has a DoS due to too many multipart parts. CVE-2026-31958 In Tornado, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.setcookie were not checked for crafted characters. CVE-2026-35536...
EUVD-2026-36693
A vulnerability has been found in Yealink SIP-T46U 108.86.0.118. This affects the function modupgrade.SparePartsUpload of the file /api/upgrade/accupgradebychunk of the component Firmware Chunk Upload handler. Such manipulation of the argument uid leads to stack-based buffer overflow. The attack...
MINI-CR67-2PPM-VRF2
Bulletin has no description...
MINI-P7FC-796J-4H2C
Bulletin has no description...
UBUNTU-CVE-2026-44546
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...
SUSE CVE-2026-45157
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see...
CVE-2026-45157
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see...
CVE-2026-45157
CVE-2026-45157 affects Nextcloud Server: versions 32.0.0 up to but not including 32.0.9, and 33.0.0 up to but not including 33.0.3. A user with access to another user’s file share can use the share token to access the share’s chunking upload process and view temporary part files during ongoing up...
[SECURITY] Fedora 44 Update: libsoup3-3.6.6-8.fc44
Libsoup is an HTTP library implementation in C. It was originally part of a SOAP Simple Object Access Protocol implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. libsoup uses the Glib main loop and is designed to work well with GTK applications...
PT-2026-45473
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see...
cyanide
Cyanide By @zeroxjf — an iOS...
CVE-2026-44844
emlparser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to 3.0.1, EmlParser.getrawbodytext recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who ca...
ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories
This week starts small. A token leaks. A bad package slips in. A login trick works. An old tool shows up again. At first, it feels like the usual mess. Then you see the pattern: attackers are not always breaking in. They are using the parts we already trust. That is what makes it worrying. The...
Astra Linux – Vulnerability in Jetty9
Jetty is a Java-based web server and servlet engine. In affected versions, servlets that support multipart requests e.g., annotated with @MultipartConfig and call HttpServletRequest.getParameter or HttpServletRequest.getParts may cause an OutOfMemoryError when the client sends a multipart request...