CVE-2026-42185

People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user including users with no current domain access to the...

PT-2026-37106

Name of the Vulnerable Software and Affected Versions Gotenberg versions prior to 8.31.0 Description Gotenberg fails to properly validate metadata tags passed to ExifTool, a tool used for reading and writing image, audio, and video metadata. While the software blocks specific tags like FileName a...

GHSA-6Q22-G298-GRJH Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver

Summary The GraphQL specification permits a single query to repeat the same field multiple times using aliases, with each alias resolved independently by default. Directus did not deduplicate resolver invocations within a single request, meaning each alias triggered a full, independent execution ...

PT-2026-30331

Name of the Vulnerable Software and Affected Versions Directus versions prior to 11.17.0 Description Directus GraphQL endpoints '/graphql' and '/graphql/system' did not prevent repeated execution of expensive relational queries through GraphQL aliasing. An authenticated user could exploit this to...

CVE-2026-33939

Summary: CVE-2026-33939 affects Handlebars 4.0.0–4.7.8, where a template using decorator syntax referencing an unregistered decorator (e.g. {{*n}}) causes the runtime to call an undefined value as a function, leading to an unhandled TypeError and a potential single-request DoS. The issue is fixed...

The CISO’s Dilemma: How To Scale AI Securely

Your board wants AI. Your developers are building with it. Your budget committee is asking for an ROI timeline. But as CISO, you're the one who has to answer when the inevitable question comes up: "How do we know this is secure?" If you're like most security leaders, you're caught between two...

CVE-2026-26235

JUNG Smart Visu Server 1.1.1050 contains a denial of service vulnerability that allows unauthenticated attackers to remotely shutdown or reboot the server. Attackers can send a single POST request to trigger the server reboot without requiring any authentication...

CVE-2026-26235

The CVE-2026-26235 entry concerns JUNG Smart Visu Server 1.1.1050. The vulnerability is a denial-of-service that allows unauthenticated attackers to remotely shut down or reboot the server by sending a single POST request, with no authentication required. This affects availability (high impact pe...

Ajv JSON schema validator 安全漏洞

Ajv JSON schema validator is an open-source JSON format verifier developed by Ajv. Versions of Ajv JSON schema validator prior to 8.17.1 contained a security vulnerability. This vulnerability arises from the possibility of a denial-of-service attack due to the use of the $data option, which may...

CVE-2025-14822

Mattermost versions 10.11.x = 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens...

CVE-2025-14822

Mattermost versions 10.11.x = 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens...

CVE-2025-14822

Mattermost versions 10.11.x = 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens...

Mattermost security vulnerabilities

Mattermost is an open-source collaboration platform developed by the American company Mattermost. Versions of Mattermost 10.11.8 and earlier, including 10.11.x, have a security vulnerability. This vulnerability stems from the lack of input validation before processing topic tags, which may allow...

Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components

CVE-2025-55182 also referred to as React2Shell and includes CVE-2025-66478, which was merged into it is a critical pre-authentication remote code execution RCE vulnerability affecting React Server Components, Next.js, and related frameworks. With a CVSS score of 10.0, this vulnerability could all...

AZL-66932 CVE-2025-39726 affecting package kernel for versions less than 6.6.104.2-1

In the Linux kernel, the following vulnerability has been resolved: s390/ism: fix concurrency management in ismcmd The s390x ISM device data sheet clearly states that only one request-response sequence is allowable per ISM function at any point in time. Unfortunately as of today the s390/ism driv...

vllm API endpoints vulnerable to Denial of Service Attacks

Summary A Denial of Service DoS vulnerability can be triggered by sending a single HTTP GET request with an extremely large header to an HTTP endpoint. This results in server memory exhaustion, potentially leading to a crash or unresponsiveness. The attack does not require authentication, making ...

CS Money: Application DOS via specially crafted payload on 3d.cs.money

Summary: Hello Team, While testing it was observed that on 3d.cs.money a DOS is possible via specially crafted request using only single request from single machine on search bar. Though I am aware of the Out of Scope policy "Any activity that could lead to the disruption of our service DoS", thi...

An unauthenticated attacker can generate a sizeable CPU load on a Confluence server with a single request.

h3. Issue Summary Confluence has an API endpoint, which combines multiple js resources in a single response:...

Keybase: Remote Server Restart Lead to Denial of Server by only one Request.

URL === https://keybase.io//api/1.0/merkle/block.json?hash=68b5d3599be9acbe97bcc45603a322f85f8a99b9cbc696592fe1088c3a099a45d929f0bc2fae2230f0b31b5e4b4122365f50b34fcf91a94a357df90a83e3b013 Poc: ==== https://keybase.io//api/1.0/merkle/block.json?hash=1 see video...

openstack-keystone: denial of service via V3 API authentication chaining

A flaw was found in the keystone V3 API. An attacker could send a single request with the same authentication method multiple times, possibly leading to a denial of service due to generating excessive load with minimal requests. Only keystone setups with the V3 API enabled were affected by this...