GHSA-MP82-FMJ6-F22V pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)

Summary The setsessioncookiesecure beforerequest handler in src/pyload/webui/app/init.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSIONCOOKIESECURE on every request...

CVE-2025-67433

A heap buffer overflow in the processRequest function of Open TFTP Server MultiThreaded v1.7 allows attackers to cause a Denial of Service DoS via a crafted DATA packet...

EUVD-2025-6995

Malicious code in bioql PyPI...

GHSA-35P3-6J45-PRWM Aim Uncontrolled Resource Consumption vulnerability

A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service DoS attack. The issue arises when a large number of tracked metrics are retrieved simultaneously from the Aim web API, causing the web server to become unresponsive. The root cause is the lack of a limit on the number o...

GHSA-V5PJ-JRPV-H6G2 Aim vulnerable to Synchronous Access of Remote Resource without Timeout

A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service through the misuse of the sshfs-client. The tracking server, which is single-threaded, can be made unresponsive by requesting it to connect to an unresponsive socket via sshfs. The lack of an additional timeout setting ...

CVE-2024-12778

A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service DoS attack. The issue arises when a large number of tracked metrics are retrieved simultaneously from the Aim web API, causing the web server to become unresponsive. The root cause is the lack of a limit on the number o...

CVE-2024-12777 Denial of Service in aimhubio/aim

A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service through the misuse of the sshfs-client. The tracking server, which is single-threaded, can be made unresponsive by requesting it to connect to an unresponsive socket via sshfs. The lack of an additional timeout setting ...

CVE-2024-12778 Denial of Service in aimhubio/aim

A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service DoS attack. The issue arises when a large number of tracked metrics are retrieved simultaneously from the Aim web API, causing the web server to become unresponsive. The root cause is the lack of a limit on the number o...

K16914: OpenSSL vulnerability CVE-2015-1791

Security Advisory Description Race condition in the ssl3getnewsessionticket function in ssl/s3clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service double fre...

SUSE CVE-2012-0021

The logcookie function in modlogconfig.c in the modlogconfig module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %C format string, which allows remote attackers to cause a denial of service daemon crash via a cookie that lacks both a nam...

MySQL: Multiple vulnerabilities

Background MySQL is a popular multi-threaded, multi-user SQL server. Description Multiple vulnerabilities have been discovered in MySQL. Please review the CVE identifiers referenced below for details. Impact An attacker could possibly execute arbitrary code with the privileges of the process,...

npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser

websocket-extensions npm module prior to 0.1.4 allows Denial of Service DoS via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other...

CVE-2020-7663

A flaw was found in the websocket-extensions ruby module in versions prior to 0.1.5. The parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and another character. When abused by an...

GHSA-G78M-2CHM-R7QV Regular Expression Denial of Service in websocket-extensions (NPM package)

Impact The ReDoS flaw allows an attacker to exhaust the server's capacity to process incoming requests by sending a WebSocket handshake request containing a header of the following form: Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ... That is, a header containing an unclosed string...

CVE-2020-7662

websocket-extensions npm module prior to 0.1.4 allows Denial of Service DoS via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other...

Design/Logic Flaw

websocket-extensions ruby module prior to 0.1.5 allows Denial of Service DoS via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other...

CVE-2020-7663

websocket-extensions ruby module prior to 0.1.5 allows Denial of Service DoS via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other...

CVE-2020-7663

websocket-extensions ruby module prior to 0.1.5 allows Denial of Service DoS via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other...

CVE-2019-0217

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in modauthdigest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions...

DEBIAN-CVE-2019-0217

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in modauthdigest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions...