Lucene search
+L

539 matches found

RedhatCVE
RedhatCVE
added yesterday9 views

CVE-2026-33382

A flaw in Grafana's API endpoints allows remote attackers to send excessively large request bodies without authentication. This exhausts server memory, resulting in a complete denial of service DoS. Mitigation Deploy a reverse proxy or API gateway e.g., Nginx in front of Grafana configured to...

7.5CVSS6.1AI score0.0038EPSS
Exploits0References4
CVE
CVE
added 3 days ago9 views

CVE-2024-7708

CVE-2024-7708 describes a buffer leak occurring when reading the body of HTTP requests; this can happen for requests with a body, especially under slow network conditions (notably 100-Continue). The published metrics show a CVSS v3.1 base score of 7.5 (HIGH) with Network attack vector, no privile...

7.5CVSS6.1AI score0.00252EPSS
Exploits0References1Affected Software1
AlpineLinux
AlpineLinux
added last week6 views

CVE-2026-33382

Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. An attacker can send very large payloads that force excessive memory allocation, potentially exhausting memory and causing a denial of service...

7.5CVSS6.1AI score0.0038EPSS
Exploits0
OSV
OSV
added last week4 views

CVE-2026-33382 Denial of service via unbounded request body size

Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. An attacker can send very large payloads that force excessive memory allocation, potentially exhausting memory and causing a denial of service...

7.5CVSS6.1AI score0.0038EPSS
Exploits0References3
CVE
CVE
added last week10 views

CVE-2026-33382

CVE-2026-33382 affects Grafana API endpoints that may process unbounded request bodies, including unauthenticated ones. The underlying issue is lack of input size limits, allowing very large payloads to trigger excessive memory allocation and potential denial of service. The CVSS v3.1 base score ...

7.5CVSS6.1AI score0.0038EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/07/07 8:14 p.m.7 views

CVE-2026-55434 Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.33.0 and prior to versions 2.33.8 and 2.34.2, AI Bridge provider handlers read request bodies with io.ReadAll without a maximum size so an authenticated user with AI Bridge access could se...

6.5CVSS6AI score0.00552EPSS
Exploits0References6
OSV
OSV
added 2026/07/07 4:41 p.m.7 views

GO-2026-5921 Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder

Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints in github.com/coder/coder...

6.5CVSS5.9AI score0.00552EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/07/07 1:1 p.m.6 views

New API is vulnerable to CSRF through user email binding

Summary The email and WeChat account binding endpoints used GET requests for state-changing account operations. In deployments where session cookies could be sent on cross-site navigations, an attacker could trigger a logged-in user's browser to bind an attacker-controlled email address or OAuth...

5.3CVSS5.9AI score0.00187EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.8 views

PT-2026-56214

Name of the Vulnerable Software and Affected Versions New API versions prior to 0.12.0-alpha.1 Description The email and WeChat account binding endpoints use GET requests for state-changing account operations. In deployments where session cookies are sent on cross-site navigations, an attacker ca...

5.3CVSS5.8AI score0.00187EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/07/06 9:10 p.m.8 views

Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints

Summary AI Bridge provider handlers read request bodies with io.ReadAll without a maximum size so an authenticated user with AI Bridge access could send an arbitrarily large body and exhaust memory. Note: Exploitation requires authenticated access to the AI Bridge endpoints and the impact is...

6.5CVSS6AI score0.00552EPSS
Exploits0References6Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.11 views

PT-2026-56078

Name of the Vulnerable Software and Affected Versions Coder versions 2.33.0 through 2.33.7 Coder versions 2.34.0 through 2.34.1 Description AI Bridge provider handlers read request bodies using io.ReadAll without enforcing a maximum size. An authenticated user with AI Bridge access can send an...

6.5CVSS6AI score0.00552EPSS
Exploits0References11
ATTACKERKB
ATTACKERKB
added 2026/06/30 3:57 p.m.7 views

CVE-2026-58372

SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the...

8.1CVSS5.9AI score0.00766EPSS
Exploits0References7
OSV
OSV
added 2026/06/30 3:57 p.m.4 views

CVE-2026-58372 SeaweedFS < 4.34 - Cross-Bucket Object Deletion via DeleteObjects Request-Body Keys

SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the...

7.2CVSS6AI score0.00766EPSS
Exploits1References9
Vulnrichment
Vulnrichment
added 2026/06/30 3:57 p.m.8 views

CVE-2026-58372 SeaweedFS < 4.34 - Cross-Bucket Object Deletion via DeleteObjects Request-Body Keys

SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the...

8.1CVSS5.9AI score0.00766EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.12 views

PT-2026-53930

Name of the Vulnerable Software and Affected Versions SeaweedFS versions prior to 4.34 Description A path traversal issue exists in the S3 gateway DeleteMultipleObjectsHandler. Authenticated S3 principals with write access to one bucket can delete arbitrary objects in buckets belonging to other...

8.1CVSS6AI score0.00766EPSS
Exploits0References10
RedhatCVE
RedhatCVE
added 2026/06/29 9:0 a.m.8 views

CVE-2026-55603

A flaw was found in http-proxy-middleware. A remote attacker could exploit a vulnerability in the fixRequestBody function, which is used to re-emit a request body. By injecting carriage return and line feed characters \r\n into a request body key or value, an attacker can bypass security policies...

7.5CVSS5.8AI score0.00243EPSS
Exploits1References4
OSV
OSV
added 2026/06/25 10:34 p.m.4 views

GO-2026-5641 CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests in github.com/crowdsecurity/crowdsec

CrowdSec AppSec silently drops request body for chunked / HTTP-2 requests in github.com/crowdsecurity/crowdsec...

7.2CVSS5.8AI score0.00038EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/25 5:32 p.m.7 views

CVE-2026-54278

A flaw was found in aiohttp, an asynchronous HTTP client/server framework. An attacker could send a specially crafted compressed request body that, during cleanup, would be decompressed into memory in one large chunk. This could potentially lead to a Denial of Service DoS condition, where the...

8.7CVSS5.9AI score0.00279EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/25 5:28 p.m.9 views

EUVD-2026-37006

i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names...

9.1CVSS5.8AI score0.00419EPSS
Exploits0References3
NVD
NVD
added 2026/06/23 9:16 p.m.9 views

CVE-2026-11820

A flaw was found in the community.general Ansible collection's nexmo module. The module constructs HTTP requests to the Vonage/Nexmo SMS API by encoding API credentials apikey and apisecret into URL query parameters and sending them via GET requests. This causes credentials to be exposed in web...

6.5CVSS0.00287EPSS
Exploits0References2
Rows per page
Query Builder