108 matches found
ruby: net-imap: Net::IMAP: Denial of Service via crafted IMAP responses
A flaw was found in Net::IMAP, a Ruby library implementing the Internet Message Access Protocol IMAP client functionality. A hostile server can exploit a quadratic time complexity issue in the Net::IMAP::ResponseReader when processing large responses containing numerous string literals. This can...
CVE-2026-53433
A flaw was found in fzf, a command-line fuzzy finder. This vulnerability allows a remote attacker to cause a Denial of Service DoS by sending a crafted POST request with many small segments to the --listen mode. The inefficient HTTP body processing, which uses repeated string concatenation, leads...
CVE-2026-13311 shell-quote parse() is quadratic in token count, enabling denial of service
shell-quote prior to 1.8.5 finalizes parsed tokens in parse using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse runs in On^2 time relative to the number of input tokens. An attacker who can supply an...
CVE-2026-49851
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear approximately On² behavior in parselinktext. When parsing Markdown containing many consecutive characters, parselinktext repeatedly scans the input usin...
CVE-2026-49851 Mistune: Potential DoS via quadratic-time parsing in parse_link_text
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear approximately On² behavior in parselinktext. When parsing Markdown containing many consecutive characters, parselinktext repeatedly scans the input usin...
CVE-2026-49851
Mistune (Python Markdown parser) prior to 3.3.0 is vulnerable to CPU exhaustion DoS due to quadratic-time behavior in parse_link_text when parsing many consecutive '[' characters. The code repeatedly scans input with a regex inside a loop, yielding O(n^2) runtime on affected inputs and enabling a...
CVE-2026-54892 Plug: quadratic-time decoding of nested query/body parameters enables denial of service
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 and Plug.Conn.Query.decodeeach/2 parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many...
CVE-2026-53539 Python-Multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead...
libexpat: denial of service via crafted XML input
A flaw was found in libexpat. When processing a specially crafted XML input containing a specific pattern of attributes, the parsing time increases quadratically due to checks for attribute name collisions. This consumes excessive CPU resources and eventually results in a denial of service...
python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service
Summary When parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead did it fall back to scanning for ;. For a body that uses ; as the...
BIT-LIBPYTHON-2026-3276 Potential DoS via quadratic complexity in unicodedata.normalize()
unicodedata.normalize can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms...
CVE-2026-3276 Potential DoS via quadratic complexity in unicodedata.normalize()
unicodedata.normalize can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms...
DEBIAN-CVE-2026-42245
Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are...
CVE-2026-42245
Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are...
CVE-2026-42245
Net::IMAP (Ruby) is affected by a performance vulnerability in Net::IMAP::ResponseReader, where reading large responses with many string literals causes quadratic time complexity. This can be exploited by a hostile server to exhaust the client’s CPU, leading to a denial of service. The issue has ...
EUVD-2026-28923
Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are...
CVE-2026-42245 net-imap: Quadratic complexity when reading response literals
Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are...
PT-2026-36986
Name of the Vulnerable Software and Affected Versions Net::IMAP affected versions not specified Description Net::IMAP::ResponseReader exhibits quadratic time complexity when processing large responses containing numerous string literals. A hostile server can send specially crafted responses that...
Fedora 44 : python-tomli (2026-42d4c822e4)
The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-42d4c822e4 advisory. Update to 2.4.1. Limit number of parts of a TOML key to address quadratic time complexity Tenable has extracted the preceding description block directly from...
Exploit for CVE-2026-6042
CVE-2026-6042: Algorithmic Complexity DoS in musl libc iconv...