Lucene search

9 matches found

OSV
added 2026/06/15 8:19 p.m., 6 views

GHSA-MGF9-4VPG-HJ56 tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)

Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate. There has always been a limit for the total compressed size. This allows a malicious server to consume effectively unlimited amounts of...

CVSS 7.5 | AI score 5.4 | EPSS 0.00052
Exploits: 0 | References: 2
Github Security Blog
added 2026/06/12 6:30 p.m., 10 views

Tornado has out-of-bounds memory access via C extension

Summary: Tornado's optional native extension tornado.speedups implements websocket_mask without validating that the mask argument is exactly four bytes long. The C function reads four bytes from mask unconditionally, even when Python passes a shorter byte string. This can read beyond the provided...

AI score 5.3 | EPSS 0.00027
Exploits: 0 | References: 3 | Affected Software: 1
Tenable Nessus
added 2025/10/18 12:00 a.m., 4 views

Fedora 42 : fetchmail (2025-ab3c40c1f4)

The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-ab3c40c1f4 advisory. Update to fetchmail-6.5.6. CVE-2025-61962. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus h...

CVSS 5.9 | AI score 5.5 | EPSS 0.00376
Exploits: 0 | References: 2
RedhatCVE
added 2025/10/10 7:17 p.m., 7 views

CVE-2025-11371

In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue impacts Gladinet CentreStack and...

CVSS 6.2 | AI score 6.7 | EPSS 0.92094
Exploits: 4 | References: 1
Patchstack
added 2025/01/07 1:45 p.m., 3 views

WordPress Help Scout Plugin <= 6.5.6 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Abdi Pranata (Patchstack Alliance) in WordPress Plugin Help Scout versions <= 6.5.6...

CVSS 4.3 | AI score 7 | EPSS 0.00375
Exploits: 0 | Affected Software: 1
CNNVD
added 2024/08/02 12:00 a.m., 4 views

Elliptic security vulnerability

Elliptic is a fast elliptic-curve cryptography library in JavaScript by the individual developer Fedor Indutny. A security vulnerability exists in Elliptic version 6.5.6, which stems from allowing the use of BER-encoded signatures, and therefore ECDSA signature malleability...

CVSS 9.1 | AI score 7.3 | EPSS 0.00617
Exploits: 0 | References: 3
OSV
added 2024/03/31 7:15 p.m., 3 views

CVE-2024-30526

Cross-Site Request Forgery (CSRF) vulnerability in Easy Social Feed. This issue affects Easy Social Feed: from n/a through 6.5.6...

CVSS 4.3 | AI score 7.3 | EPSS 0.002
Exploits: 0 | References: 1
Patchstack
added 2024/03/29 8:37 a.m., 4 views

WordPress Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin <= 6.5.6 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery (CSRF) vulnerability discovered by Brandon Roldan (Patchstack Alliance) in WordPress Plugin Easy Social Feed versions <= 6.5.6...

CVSS 4.3 | AI score 8.4 | EPSS 0.002
Exploits: 0 | Affected Software: 1
CNNVD
added 2022/06/09 12:00 a.m., 3 views

Guzzle information disclosure vulnerability

Guzzle is a PHP HTTP client from the individual developers of guzzlehttp that makes it easy to send HTTP requests and easily integrates with web services. An information disclosure vulnerability exists in Guzzle versions 6.5.6 and earlier, 7.0.0 through 7.4.3, which stems from a cookie request...

CVSS 7.5 | AI score 7.2 | EPSS 0.0182
Exploits: 0 | References: 10