Lucene search
K

121687 matches found

EUVD
EUVD
added 2026/03/27 6:17 p.m.5 views

EUVD-2026-16744

Fleet's unbounded request body read allows remote Denial of Service...

8.7CVSS5.9AI score0.00434EPSS
Exploits0References1
Snyk
Snyk
added 2026/03/27 6:17 p.m.2 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of request body size limits in unauthenticated HTTP endpoints. An attacker can exhaust server memory and cause process restarts by sending large or repeated HTTP...

8.7CVSS5.9AI score0.00434EPSS
Exploits0References2
OSV
OSV
added 2026/03/27 6:17 p.m.2 views

GHSA-99HJ-44VG-HFCP Fleet's unbounded request body read allows remote Denial of Service

Summary Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service DoS...

8.7CVSS5.9AI score0.00434EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/27 6:17 p.m.2 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of request body size limits in unauthenticated HTTP endpoints. An attacker can exhaust server memory and cause process restarts by sending large or repeated HTTP...

8.7CVSS5.9AI score0.00434EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/27 6:0 p.m.20 views

pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration

Summary PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery SSRF attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive...

9.3CVSS6.1AI score0.00397EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/03/27 6:0 p.m.2 views

GHSA-M74M-F7CR-432X pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration

Summary PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery SSRF attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive...

9.3CVSS6.1AI score0.00397EPSS
Exploits1References4
EUVD
EUVD
added 2026/03/27 6:0 p.m.4 views

EUVD-2026-16886

pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration...

9.3CVSS5.8AI score0.00397EPSS
Exploits1References2
OSV
OSV
added 2026/03/27 5:45 p.m.2 views

BIT-NATS-2026-33246 NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a Nats-Request-Info: message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NAT...

6.4CVSS5.9AI score0.00143EPSS
Exploits0References3
OSV
OSV
added 2026/03/27 5:45 p.m.8 views

BIT-NATS-2026-33223 NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was...

6.4CVSS5.9AI score0.00211EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/27 5:43 p.m.21 views

Moby has AuthZ plugin bypass when provided oversized request bodies

Summary A security vulnerability has been detected that allows attackers to bypass authorization plugins AuthZ under specific circumstances. The base likelihood of this being exploited is low. This is an incomplete fix for CVE-2024-41110. Impact If you don't use AuthZ plugins, you are not affecte...

8.8CVSS6.8AI score0.08123EPSS
Exploits1References7Affected Software3
Snyk
Snyk
added 2026/03/27 5:43 p.m.4 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the request handling flow inside the Docker daemon. An attacker can bypass authorization checks by sending specially-crafted requests that cause the authorization plugin to receive the request without its body...

8.8CVSS5.9AI score0.08123EPSS
Exploits1References2
NVD
NVD
added 2026/03/27 5:16 p.m.5 views

CVE-2026-4964

A security vulnerability has been detected in letta-ai letta 0.16.4. This vulnerability affects the function convertmessagecreatetomessage of the file letta/helpers/messagehelper.py of the component File URL Handler. Such manipulation of the argument ImageContent leads to server-side request...

6.5CVSS0.00327EPSS
Exploits1References4
NVD
NVD
added 2026/03/27 5:16 p.m.5 views

CVE-2026-4960

A vulnerability was determined in Tenda AC6 15.03.05.16. Affected is the function fromWizardHandle of the file /goform/WizardHandle of the component POST Request Handler. Executing a manipulation of the argument WANT/WANS can lead to stack-based buffer overflow. The attack can be executed remotel...

9CVSS0.00773EPSS
Exploits1References5
NVD
NVD
added 2026/03/27 5:16 p.m.28 views

CVE-2026-28369

A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform...

9.1CVSS0.00677EPSS
Exploits0References4
OSV
OSV
added 2026/03/27 5:16 p.m.3 views

DEBIAN-CVE-2026-28369

A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform...

9.1CVSS5.5AI score0.00677EPSS
Exploits0References1
OSV
OSV
added 2026/03/27 5:16 p.m.3 views

DEBIAN-CVE-2026-28368

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks,...

9.1CVSS5.4AI score0.00704EPSS
Exploits0References1
OSV
OSV
added 2026/03/27 5:16 p.m.7 views

DEBIAN-CVE-2026-28367

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending \r\r\r as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer,...

9.1CVSS5.5AI score0.00706EPSS
Exploits0References1
NVD
NVD
added 2026/03/27 5:16 p.m.4 views

CVE-2026-28367

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending \r\r\r as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer,...

9.1CVSS0.00706EPSS
Exploits0References4
NVD
NVD
added 2026/03/27 5:16 p.m.4 views

CVE-2026-28368

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks,...

9.1CVSS0.00704EPSS
Exploits0References4
OSV
OSV
added 2026/03/27 5:16 p.m.5 views

UBUNTU-CVE-2026-28367

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending \r\r\r as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer,...

9.1CVSS5.7AI score0.00706EPSS
Exploits0References4
Rows per page
Query Builder