386 matches found
BIT-PROMETHEUS-2026-42154 Prometheus: remote read endpoint allows denial of service via crafted snappy payload
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint /api/v1/read does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a sma...
netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression
A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli br, Zstandard zstd, or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an...
github.com/prometheus/prometheus: Prometheus: Denial of Service via uncontrolled memory allocation in remote read endpoint
A flaw was found in Prometheus. An unauthenticated attacker can exploit the remote read endpoint /api/v1/read by sending a specially crafted, small snappy-compressed payload. This payload causes a disproportionately large memory allocation, leading to memory exhaustion and a Denial of Service DoS...
netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression
A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli br, Zstandard zstd, or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an...
github.com/prometheus/prometheus: Prometheus: Denial of Service via uncontrolled memory allocation in remote read endpoint
A flaw was found in Prometheus. An unauthenticated attacker can exploit the remote read endpoint /api/v1/read by sending a specially crafted, small snappy-compressed payload. This payload causes a disproportionately large memory allocation, leading to memory exhaustion and a Denial of Service DoS...
GO-2026-5264 Prometheus: Remote read endpoint allows denial of service via crafted snappy payload in github.com/prometheus/prometheus
Prometheus: Remote read endpoint allows denial of service via crafted snappy payload in github.com/prometheus/prometheus...
github.com/prometheus/prometheus: Prometheus: Denial of Service via uncontrolled memory allocation in remote read endpoint
A flaw was found in Prometheus. An unauthenticated attacker can exploit the remote read endpoint /api/v1/read by sending a specially crafted, small snappy-compressed payload. This payload causes a disproportionately large memory allocation, leading to memory exhaustion and a Denial of Service DoS...
ROOT-APP-MAVEN-CVE-2024-36124 CVE-2024-36124 in io.root.org.iq80.snappy:snappy - Patched by Root
Root has patched CVE-2024-36124 in the io.root.org.iq80.snappy:snappy package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2023-34453 CVE-2023-34453 in io.root.org.xerial.snappy:snappy-java - Patched by Root
Root has patched CVE-2023-34453 in the io.root.org.xerial.snappy:snappy-java package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2023-34455 CVE-2023-34455 in io.root.org.xerial.snappy:snappy-java - Patched by Root
Root has patched CVE-2023-34455 in the io.root.org.xerial.snappy:snappy-java package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2023-34454 CVE-2023-34454 in io.root.org.xerial.snappy:snappy-java - Patched by Root
Root has patched CVE-2023-34454 in the io.root.org.xerial.snappy:snappy-java package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2023-43642 CVE-2023-43642 in io.root.org.xerial.snappy:snappy-java - Patched by Root
Root has patched CVE-2023-43642 in the io.root.org.xerial.snappy:snappy-java package for Root:Maven. Multiple fixed versions available...
github.com/prometheus/prometheus: Prometheus: Denial of Service via uncontrolled memory allocation in remote read endpoint
A flaw was found in Prometheus. An unauthenticated attacker can exploit the remote read endpoint /api/v1/read by sending a specially crafted, small snappy-compressed payload. This payload causes a disproportionately large memory allocation, leading to memory exhaustion and a Denial of Service DoS...
CVE-2026-46683
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.0, there is a SSRF and local file read vulnerability via the xsl-style-sheet option. This issue has been patched in version 1.7.0...
CVE-2026-46683 Snappy: SSRF and local file read via the xsl-style-sheet option
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.0, there is a SSRF and local file read vulnerability via the xsl-style-sheet option. This issue has been patched in version 1.7.0...
CVE-2026-46683 Snappy: SSRF and local file read via the xsl-style-sheet option
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.0, there is a SSRF and local file read vulnerability via the xsl-style-sheet option. This issue has been patched in version 1.7.0...
CVE-2026-46683 Snappy: SSRF and local file read via the xsl-style-sheet option
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.0, there is a SSRF and local file read vulnerability via the xsl-style-sheet option. This issue has been patched in version 1.7.0...
CVE-2026-46643 Snappy: Binary path is never shell-escaped due to an inverted is_executable check
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.1, on POSIX, escapeshellarg‘/usr/bin/wkhtmltopdf’ returns the literal string ‘/usr/bin/wkhtmltopdf’ with the single-quote characters included. isexecutable then looks for a file...
CVE-2026-46643
CVE-2026-46643 affects KnLplabs Snappy (knplabs/knp-snappy) on POSIX, where escapeshellarg('/usr/bin/wkhtmltopdf') may still leave $command unescaped due to a faulty is_executable check. This allows command execution when the binary path is influenced by user input or environment data, as the saf...
EUVD-2026-36111
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.1, on POSIX, escapeshellarg‘/usr/bin/wkhtmltopdf’ returns the literal string ‘/usr/bin/wkhtmltopdf’ with the single-quote characters included. isexecutable then looks for a file...