PT-2026-49572

Name of the Vulnerable Software and Affected Versions Python-Multipart versions prior to 0.0.31 Description The parse form function fails to validate the Content-Length header before using it to limit the chunked read of the request body. Because the header value is parsed as an integer without a...

CVE-2026-42348

OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed. This coul...

CVE-2026-42348 OpAMP client reads unbounded HTTP response bodies

OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed. This coul...

CVE-2026-41284 Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade ...

CVE-2026-41284 Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade ...

CVE-2026-41484

OpenTelemetry.Exporter.OneCollector is a .NET exporter that sends telemetry to a OneCollector back-end over HTTP. In versions 1.15.0 and earlier, when a request to the configured back-end or collector results in an unsuccessful HTTP 4xx or 5xx response, the HttpJsonPostTransport class reads the...

CVE-2026-41173

OpenTelemetry.Sampler.AWS is affected by an unbounded HTTP response body read in the AWS X-Ray remote sampler prior to 0.1.0-alpha.8. The AWSXRaySamplerClient.DoRequestAsync call reads the entire HTTP response into memory (ReadAsStringAsync) without size limits, enabling an attacker controlling o...

CVE-2026-40924 Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAllresp.Body with no response body size limit. Any tenant...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via an unbounded read of the HTTP response body during notarization. An attacker can exhaust system memory and cause a crash by supplying a maliciously large HTTP response body if the...

EUVD-2026-11327

Quill has DoS via unbounded read of HTTP response body during notarization...

GO-2026-4593 Traefik has unbounded io.ReadAll on auth server response body that causes OOM DOS in github.com/traefik/traefik

Traefik has unbounded io.ReadAll on auth server response body that causes OOM DOS in github.com/traefik/traefik...

CVE-2026-26998

CVE-2026-26998 (Traefik) : Affects Traefik versions prior to 2.11.38 and 3.6.9 where ForwardAuth middleware reads the authentication server response body without a size limit. An unbounded/large response can cause unbounded memory growth, leading to an out-of-memory condition and denial of servic...

MiracleLinux 9 : pcs-0.11.9-2.el9_6.2.ML.1 (AXSA:2025-11083:07)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2025-11083:07 advisory. rubygem-rack: Rack QueryParser has an unsafe default allowing paramslimit bypass via semicolon- separated parameters CVE-2025-59830 rack: Rack's...

RHEL 9 : pcs (RHSA-2025:19512)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:19512 advisory. The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Security Fixes: rubygem-rack: Rack...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the http.client.HTTPResponse.read function when used without arguments. An attacker can exhaust system memory and potentially cause application or system instability by sending a...

Moderate: openssl security update

OpenSSL is a toolkit that implements the Secure Sockets Layer SSL and Transport Layer Security TLS protocols, as well as a full-strength general-purpose cryptography library. Security Fixes: openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap CVE-2025-9230 For more details about the securi...

rubygem-rack: Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion

A memory-exhaustion vulnerability exists in Rack when parsing application/x-www-form-urlencoded request bodies. Rack::RequestPOST reads the entire request body into memory without enforcing a maximum length or cap. Attackers can exploit this by sending large form submissions, potentially causing...

SUSE CVE-2025-30187

In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources...

CVE-2025-30187

DNSdist is vulnerable when configured to use the nghttp2 library to process DoH queries. The issue is an unbounded I/O read loop in the DoH path that can cause CPU resource exhaustion (DoS). Affected code appears post-1.9.0-alpha1; various advisories recommend upgrading DNSdist to fixed releases....

CVE-2025-30187 Denial of service via crafted DoH exchange in PowerDNS DNSdist

In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources...