CTEK Chargeportal 安全漏洞

CTEK Chargeportal is an electric vehicle charging management platform developed by the Swedish company CTEK. CTEK Chargeportal has a security vulnerability, which stems from the lack of a limit on the number of authentication requests in the WebSocket application programming interface. This...

GO-2026-4695 Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload in github.com/forceu/gokapi

Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerabili...

CVE-2026-30961

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the chunked upload completion. An attacker can exhaust server storage and circumvent administrative resource policies by uploading files exceeding the configured per-request size...

PT-2026-25358

Name of the Vulnerable Software and Affected Versions Gokapi versions prior to 2.2.4 Description Gokapi is a self-hosted file sharing server. The chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public...

CVE-2024-1953

Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request...

CVE-2022-39294

conduit-hyper integrates a conduit application with the hyper server. Prior to version 0.4.2, conduit-hyper did not check any limit on a request's length before calling hyper::body::tobytes. An attacker could send a malicious request with an abnormally large Content-Length, which could lead to a...

SUSE CVE-2024-46292

A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service DoS via a crafted input inserted into the name parameter. NOTE: this is disputed by the Supplier because it cannot be reproduced. Also, the product's documentation indicates that it is not guaranteed to be usab...

SUSE-SU-2023:4939-1 Security update for rabbitmq-server

This update for rabbitmq-server fixes the following issues: - CVE-2023-46118: Introduce HTTP request body limit for definition uploads bsc1216582...

Debian: Security Advisory (DLA-3687-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVE-2023-3222

Vulnerability in the password recovery mechanism of Password Recovery plugin for Roundcube, in its 1.2 version, which could allow a remote attacker to change an existing user´s password by adding a 6-digit numeric token. An attacker could create an automatic script to test all possible values...

Default credentials

Vulnerability in the password recovery mechanism of Password Recovery plugin for Roundcube, in its 1.2 version, which could allow a remote attacker to change an existing user´s password by adding a 6-digit numeric token. An attacker could create an automatic script to test all possible values...

CVE-2023-32320 Nextcloud Server's brute force protection allows someone to send more requests than intended

Nextcloud Server is a data storage system for Nextcloud, a self-hosted productivity platform. When multiple requests are sent in parallel, all of them were executed even if the amount of faulty requests succeeded the limit by the time the response was sent to the client. This allowed someone to...

CVE-2023-32320 Nextcloud Server's brute force protection allows someone to send more requests than intended

Nextcloud Server is a data storage system for Nextcloud, a self-hosted productivity platform. When multiple requests are sent in parallel, all of them were executed even if the amount of faulty requests succeeded the limit by the time the response was sent to the client. This allowed someone to...

CVE-2023-23616 Discourse membership requests lack character limit

Discourse is an open-source discussion platform. Prior to version 3.0.1 on the stable branch and 3.1.0.beta2 on the beta and tests-passed branches, when submitting a membership request, there is no character limit for the reason provided with the request. This could potentially allow a user to...

Denial Of Service (DoS)

rdiffweb is vulnerable to denial of service. The vulnerability is due to the function checkratelimit in ratelimit.py missing a maximum number of requests per hour on sensitive endpoints allowing an attacker to cause an application crash via malicious input...

PT-2022-21101 · Axum-Core +1 · Axum-Core +1

Name of the Vulnerable Software and Affected Versions: axum versions ::from request function not setting a limit for the size of the request body by default. This allows a malicious peer to send a very large or infinite body, potentially causing the server to run out of memory and crash. The...

No rate limit via proxy url parameter

Description Hi Drawio Team , Your proxy server has no limit of requests which an attacker can use it as PORT SCANNER. https://app.diagrams.net/proxy?url=IP:PORT&base64=1 Proof of Concept Image from my OWASP ZAP : https://ibb.co/h87hz3N...

CLSA-2022-1648136371 Fix of CVE: CVE-2022-22721, CVE-2022-23943, CVE-2022-22719, CVE-2022-22720

CVE-2022-22719: modlua: error out if luareadbody or luawritebody fail - CVE-2022-22720: simpler connection close logic if discarding the request body fails - CVE-2022-22721: make sure and check that LimitXMLRequestBody fits in system memory - CVE-2022-23943: modsed: use sizet to allow for larger...

Stripo Inc: No rate limit in email subscription

I managed to bypass the following report 1029723 please follow the steps below: Description: No rate limit in Email Subscription, you just have to add a fixed throttle in Burp Suite to avoid the 429 response. Note: I will use tempmail in the screenshots PoC Steps: 1. Go to https://stripo.email/ a...