
30 matches found

OSV
added 2026/06/15 5:28 p.m. · 5 views

GHSA-FHV5-28VV-H8M8 PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)

Note: The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors), which is beyond the attacker's control. Impact is reduced auth...

3.7 CVSS · 5.3 AI score · 0.00205 EPSS
Exploits 0 · References 4
Snyk
added 2026/06/09 5:05 p.m. · 4 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. An attacker can exhaust system resources by sending specially crafted requests over the network, resulting in service unavailability for legitimate users. Remediation: Upgrade...

8.7 CVSS · 5.3 AI score · 0.0075 EPSS
Exploits 0 · References 2
OSV
added 2026/05/28 4:16 p.m. · 8 views

UBUNTU-CVE-2026-48524

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

3.7 CVSS · 5.8 AI score · 0.00205 EPSS
Exploits 0 · References 3
Cvelist
added 2026/05/28 3:07 p.m. · 29 views

CVE-2026-48524 PyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

3.7 CVSS · 0.00205 EPSS
Exploits 0 · References 1
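The mechanism in the CVE-2026-48524 entries above, as an added example that is not PyJWT's own code: a naive JWKS-backed resolver that refreshes on every unknown kid, next to a bounded one that permits at most one refresh per cooldown window. The in-memory JWKS "endpoint", the token format, the resolver and clock names and the 300-second window are all assumptions made for this example; the kid is read from the unverified header, exactly as the advisory describes.

```python
import base64
import json
import time
from typing import Callable, Dict, Optional

# Constructed stand-in for the remote JWKS document (not a real key set).
Jwks = Dict[str, dict]
REMOTE_JWKS: Jwks = {"key-2024": {"kty": "oct", "kid": "key-2024", "k": "c2VjcmV0"}}


def unverified_kid(token: str) -> Optional[str]:
    """Return kid from the JWT header *without* verifying the signature.
    This is attacker-controlled input: a client can mint a token with any kid."""
    header = token.split(".")[0]
    header += "=" * (-len(header) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(header)).get("kid")
    except (ValueError, AttributeError):
        return None


def make_token(kid: str) -> str:
    """Constructed unsigned token carrying the given kid; payload and signature are dummies."""
    header = json.dumps({"alg": "HS256", "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.sig"


class CountingFetcher:
    """Stand-in for the JWKS endpoint; counts how many requests reach it."""
    def __init__(self, jwks: Jwks):
        self.jwks = jwks
        self.calls = 0

    def __call__(self) -> Jwks:
        self.calls += 1
        return dict(self.jwks)


class NaiveResolver:
    """Vulnerable pattern: every unknown kid forces a fresh JWKS fetch."""
    def __init__(self, fetch: Callable[[], Jwks]):
        self.fetch = fetch
        self.keys: Jwks = {}

    def get_signing_key(self, token: str) -> Optional[dict]:
        kid = unverified_kid(token)
        if kid not in self.keys:
            self.keys = self.fetch()  # one upstream request per attacker-chosen kid
        return self.keys.get(kid)


class BoundedResolver:
    """Hardened pattern: an unknown kid triggers at most one refresh per cooldown
    window; further unknown kids in that window are rejected with no upstream
    request. No per-kid state is kept, so the attacker cannot grow memory either."""
    def __init__(self, fetch: Callable[[], Jwks], cooldown: float = 300.0, clock=time.monotonic):
        self.fetch = fetch
        self.cooldown = cooldown
        self.clock = clock
        self.keys: Jwks = {}
        self.last_refresh = float("-inf")

    def get_signing_key(self, token: str) -> Optional[dict]:
        kid = unverified_kid(token)
        if kid in self.keys:
            return self.keys[kid]
        now = self.clock()
        if now - self.last_refresh < self.cooldown:
            return None  # refresh budget for this window already spent
        self.keys = self.fetch()
        self.last_refresh = now
        return self.keys.get(kid)


class ManualClock:
    """Deterministic clock so the cooldown can be exercised offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate(make_resolver, n_tokens: int = 1000) -> int:
    """Feed n tokens with distinct attacker-chosen kids; return the upstream request count."""
    fetcher = CountingFetcher(REMOTE_JWKS)
    resolver = make_resolver(fetcher)
    for i in range(n_tokens):
        resolver.get_signing_key(make_token(f"attacker-{i}"))
    return fetcher.calls


def demo() -> dict:
    clock = ManualClock()
    results = {
        "naive_requests": simulate(NaiveResolver),
        "bounded_requests": simulate(lambda f: BoundedResolver(f, clock=clock)),
    }
    # Legitimate key rotation still works: once the window elapses, one more refresh is allowed.
    fetcher = CountingFetcher(REMOTE_JWKS)
    bounded = BoundedResolver(fetcher, clock=clock)
    bounded.get_signing_key(make_token("unknown-1"))  # refresh 1
    clock.advance(301.0)
    bounded.get_signing_key(make_token("unknown-2"))  # refresh 2, budget renewed
    bounded.get_signing_key(make_token("unknown-3"))  # no request
    results["bounded_after_cooldown"] = fetcher.calls
    results["known_kid_resolved"] = bounded.get_signing_key(make_token("key-2024")) is not None
    return results
```

The trade-off in the bounded version is deliberate: a token signed with a genuinely new key that arrives inside the cooldown window is rejected until the window expires, so the window should be set to the issuer's rotation cadence rather than to zero. Running demo() shows 1000 upstream requests for the naive resolver against one for the bounded one over the same 1000 attacker tokens.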
Snyk
added 2026/03/27 6:17 p.m. · 1 view

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of request body size limits in unauthenticated HTTP endpoints. An attacker can exhaust server memory and cause process restarts by sending large or repeated HTTP...

8.7 CVSS · 5.9 AI score · 0.00434 EPSS
Exploits 0 · References 2
RedhatCVE
added 2026/03/26 2:59 p.m. · 2 views

CVE-2026-31866

flagd is a feature flag daemon with a Unix philosophy. Prior to 0.14.2, flagd exposes OFREP /ofrep/v1/evaluate/... and gRPC evaluation.v1, evaluation.v2 endpoints for feature flag evaluation. These endpoints are designed to be publicly accessible by client applications. The evaluation context...

7.5 CVSS · 7 AI score · 0.0042 EPSS
Exploits 0 · References 1
CNNVD
added 2026/03/24 12:00 a.m. · 5 views

Astro security vulnerability

Astro is a content-driven website framework developed by Astro OpenSource. Versions of Astro prior to 10.0.0 contain security vulnerabilities stemming from the Server Islands POST processor, which buffered and parsed the entire request body as JSON without any size limit, potentially...

7.5 CVSS · 5.8 AI score · 0.0037 EPSS
Exploits 1 · References 1
Vulnrichment
added 2026/03/13 7:07 p.m. · 4 views

CVE-2026-30955 Gokapi vulnerable to DoS in E2E Metadata Parser

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, an API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is...

6.5 CVSS · 5.8 AI score · 0.00248 EPSS
Exploits 0 · References 2
OSV
added 2026/03/13 7:07 p.m. · 2 views

CVE-2026-30955 Gokapi vulnerable to DoS in E2E Metadata Parser

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, an API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is...

6.5 CVSS · 5.8 AI score · 0.00248 EPSS
Exploits 0 · References 4
CVE
added 2026/03/13 7:07 p.m. · 12 views

CVE-2026-30955

Gokapi (self-hosted file sharing server) is affected by CVE-2026-30955 due to an API endpoint that accepts unbounded request bodies, allowing an authenticated user to cause an out-of-memory (OOM) kill and complete service disruption for all users. The issue is fixed in version 2.2.4. Impact: ava...

6.5 CVSS · 5.8 AI score · 0.00248 EPSS
Exploits 0 · References 2 · Affected Software 1
OSV
added 2026/03/13 6:56 p.m. · 2 views

GHSA-QWC6-VC2V-2GGJ Gokapi vulnerable to DoS in E2E Metadata Parser

Summary: An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. Impact: Any authenticated user can crash the Gokapi server by sending concurrent large payloads...

6.5 CVSS · 5.8 AI score · 0.00248 EPSS
Exploits 0 · References 5
Snyk
added 2026/03/13 6:56 p.m. · 4 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the E2E Metadata Parser API endpoint, which processes unbounded request bodies without size restrictions. An authenticated user can cause the server to run out of memory and disru...

7.1 CVSS · 5.8 AI score · 0.00248 EPSS
Exploits 0 · References 2
Cvelist
added 2026/03/11 5:49 p.m. · 23 views

CVE-2026-31866 Allocation of Resources Without Limits or Throttling in flagd

flagd is a feature flag daemon with a Unix philosophy. Prior to 0.14.2, flagd exposes OFREP /ofrep/v1/evaluate/... and gRPC evaluation.v1, evaluation.v2 endpoints for feature flag evaluation. These endpoints are designed to be publicly accessible by client applications. The evaluation context...

7.5 CVSS · 0.0042 EPSS
Exploits 0 · References 2
Vulnrichment
added 2026/03/11 5:49 p.m. · 0 views

CVE-2026-31866 Allocation of Resources Without Limits or Throttling in flagd

flagd is a feature flag daemon with a Unix philosophy. Prior to 0.14.2, flagd exposes OFREP /ofrep/v1/evaluate/... and gRPC evaluation.v1, evaluation.v2 endpoints for feature flag evaluation. These endpoints are designed to be publicly accessible by client applications. The evaluation context...

7.5 CVSS · 5.7 AI score · 0.0042 EPSS
Exploits 0 · References 2
CVE
added 2026/03/11 5:49 p.m. · 9 views

CVE-2026-31866

CVE-2026-31866 affects the flagd feature flag daemon (prior to v0.14.2). The vulnerability is that the evaluation endpoints (OFREP /ofrep/v1/evaluate/… and gRPC evaluation.v1/v2) accept request bodies with no size limit, reading the evaluation context into memory and enabling an attacker to send ...

7.5 CVSS · 5.7 AI score · 0.0042 EPSS
Exploits 0 · References 2 · Affected Software 1
OSV
added 2026/03/11 5:49 p.m. · 4 views

CVE-2026-31866 Allocation of Resources Without Limits or Throttling in flagd

flagd is a feature flag daemon with a Unix philosophy. Prior to 0.14.2, flagd exposes OFREP /ofrep/v1/evaluate/... and gRPC evaluation.v1, evaluation.v2 endpoints for feature flag evaluation. These endpoints are designed to be publicly accessible by client applications. The evaluation context...

7.5 CVSS · 5.7 AI score · 0.0042 EPSS
Exploits 0 · References 4
Github Security Blog
added 2026/03/11 12:33 a.m. · 7 views

flagd Vulnerable to Allocation of Resources Without Limits or Throttling

Details: flagd exposes OFREP /ofrep/v1/evaluate/... and gRPC evaluation.v1, evaluation.v2 endpoints for feature flag evaluation. These endpoints are designed to be publicly accessible by client applications. The evaluation context included in request payloads is read into memory without any size...

7.5 CVSS · 5.7 AI score · 0.0042 EPSS
Exploits 0 · References 4 · Affected Software 1
Positive Technologies
added 2026/03/11 12:00 a.m. · 2 views

PT-2026-24688

Name of the Vulnerable Software and Affected Versions: flagd versions prior to 0.14.2. Description: flagd, a feature flag daemon, exposes OFREP '/ofrep/v1/evaluate/...' and gRPC evaluation.v1, evaluation.v2 endpoints for feature flag evaluation. These endpoints are designed for public access by clie...

9.9 CVSS · 7.1 AI score · 0.22162 EPSS
Exploits 68 · References 136
CNNVD
added 2026/02/26 12:00 a.m. · 6 views

TinyWeb resource management error vulnerability

TinyWeb is a simple and lightweight HTTP server developed by Konstantin Belyalov. Versions of TinyWeb prior to 2.02 contain a resource management vulnerability caused by the absence of any limit on HTTP request size, which could lead to memory exhaustion and serve...

8.7 CVSS · 5.8 AI score · 0.00436 EPSS
Exploits 0 · References 3
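The unbounded-body pattern shared by the flagd, Gokapi, Astro and TinyWeb entries above, as an added Python example that is not any of those projects' code: a read that buffers whatever the client sends, next to a capped read that rejects on the declared Content-Length before touching the stream and rejects again while streaming when no usable length was declared (for instance chunked transfer). The WSGI-style handler, the 64 KiB limit, the endpoint name and the sample bodies are assumptions made for this example.

```python
import io
import json
from typing import Optional, Tuple

MAX_BODY_BYTES = 64 * 1024  # assumed limit; size it to the largest legitimate context you expect


class PayloadTooLarge(Exception):
    pass


def read_body_unbounded(stream) -> bytes:
    """Vulnerable pattern: trust the client and buffer everything it sends."""
    return stream.read()


def read_body_bounded(stream, content_length: Optional[int],
                      max_bytes: int = MAX_BODY_BYTES, chunk: int = 8192) -> bytes:
    """Read at most max_bytes. A declared length over the limit is refused without
    reading; an undeclared length is streamed in under a hard cap."""
    if content_length is not None:
        if content_length > max_bytes:
            raise PayloadTooLarge(f"declared {content_length} bytes exceeds limit {max_bytes}")
        return stream.read(content_length)
    buf = bytearray()
    while len(buf) <= max_bytes:
        piece = stream.read(min(chunk, max_bytes + 1 - len(buf)))  # never over-read by more than 1 byte
        if not piece:
            return bytes(buf)
        buf += piece
    raise PayloadTooLarge(f"streamed body exceeds limit {max_bytes}")


def parse_content_length(environ) -> Optional[int]:
    """WSGI CONTENT_LENGTH may be missing, empty or garbage; treat all of those as unknown."""
    raw = environ.get("CONTENT_LENGTH")
    if not raw:
        return None
    try:
        n = int(raw)
    except ValueError:
        return None
    return n if n >= 0 else None


def handle_evaluate(environ, max_bytes: int = MAX_BODY_BYTES) -> Tuple[str, Optional[dict]]:
    """Hypothetical WSGI-style evaluation endpoint: bounded read first, then parse."""
    try:
        body = read_body_bounded(environ["wsgi.input"], parse_content_length(environ), max_bytes)
    except PayloadTooLarge:
        return "413 Payload Too Large", None
    try:
        context = json.loads(body)
    except ValueError:
        return "400 Bad Request", None
    if not isinstance(context, dict):
        return "400 Bad Request", None
    return "200 OK", context


class CountingStream(io.BytesIO):
    """Constructed request body that records how much the server actually read."""
    def __init__(self, data: bytes):
        super().__init__(data)
        self.bytes_read = 0

    def read(self, size=-1) -> bytes:
        data = super().read(size)
        self.bytes_read += len(data)
        return data


def demo(max_bytes: int = MAX_BODY_BYTES) -> dict:
    # Constructed bodies: one four times over the limit, one ordinary evaluation context.
    oversized = b'{"targetingKey": "' + b"A" * (4 * max_bytes) + b'"}'
    small = b'{"targetingKey": "user-42", "plan": "pro"}'
    declared = CountingStream(oversized)
    undeclared = CountingStream(oversized)  # no Content-Length, as with chunked transfer
    return {
        "unbounded_read_bytes": len(read_body_unbounded(CountingStream(oversized))),
        "declared_status": handle_evaluate(
            {"CONTENT_LENGTH": str(len(oversized)), "wsgi.input": declared}, max_bytes)[0],
        "declared_bytes_read": declared.bytes_read,
        "undeclared_status": handle_evaluate(
            {"CONTENT_LENGTH": "", "wsgi.input": undeclared}, max_bytes)[0],
        "undeclared_bytes_read": undeclared.bytes_read,
        "small_response": handle_evaluate(
            {"CONTENT_LENGTH": str(len(small)), "wsgi.input": CountingStream(small)}, max_bytes),
    }
```

Both rejections matter: the Content-Length check is cheap and stops the common case before any allocation, while the streaming cap is what protects against a client that omits or understates the length. A reverse proxy in front (client_max_body_size in nginx, for example) is a useful second layer but does not replace the check in the process that actually allocates the buffer.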
OSV
added 2026/01/02 3:20 p.m. · 4 views

GHSA-7RQC-FF8M-7J23 Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding

Summary: A Denial of Service (DoS) vulnerability allows an unauthenticated attacker to crash the Signal K Server by flooding the access request endpoint /signalk/v1/access/requests. This causes a "JavaScript heap out of memory" error due to unbounded in-memory storage of request objects. Details: The...

7.5 CVSS · 7 AI score · 0.00519 EPSS
Exploits 1 · References 5
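The Signal K entry above describes unbounded in-memory storage of access-request objects. As an added example that is not Signal K's code (written in Python rather than the server's JavaScript), a pending-request store with a global cap, a per-source cap and a TTL, next to the unbounded list it replaces. The caps, the TTL, the choice of the transport peer address as the per-source key (rather than any client-supplied field) and the constructed flood are all assumptions made for this example.

```python
import time
from typing import Dict, Tuple


class UnboundedAccessRequests:
    """Vulnerable pattern: every submitted request is kept until an admin acts on it."""
    def __init__(self):
        self.pending = []

    def submit(self, source: str, request: dict) -> Tuple[bool, str]:
        self.pending.append(request)
        return True, f"req-{len(self.pending)}"


class BoundedAccessRequests:
    """Hardened pattern: a global cap, a per-source cap and TTL expiry, so an
    unauthenticated flood cannot grow memory without limit."""
    def __init__(self, max_pending: int = 1000, max_per_source: int = 5,
                 ttl_seconds: float = 600.0, clock=time.monotonic):
        self.max_pending = max_pending
        self.max_per_source = max_per_source
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending: Dict[str, tuple] = {}      # id -> (source, request, submitted_at), insertion ordered
        self.per_source: Dict[str, int] = {}
        self._next_id = 0

    def _drop(self, rid: str) -> None:
        source, _request, _at = self.pending.pop(rid)
        self.per_source[source] -= 1
        if self.per_source[source] == 0:
            del self.per_source[source]

    def _expire(self, now: float) -> None:
        # Entries are in submission order, so stop at the first one still inside the TTL.
        while self.pending:
            rid, (_source, _request, at) = next(iter(self.pending.items()))
            if now - at < self.ttl:
                break
            self._drop(rid)

    def submit(self, source: str, request: dict) -> Tuple[bool, str]:
        now = self.clock()
        self._expire(now)
        if self.per_source.get(source, 0) >= self.max_per_source:
            return False, "429 too many pending requests from this source"
        if len(self.pending) >= self.max_pending:
            return False, "503 access-request queue full"
        self._next_id += 1
        rid = f"req-{self._next_id}"
        self.pending[rid] = (source, request, now)
        self.per_source[source] = self.per_source.get(source, 0) + 1
        return True, rid

    def resolve(self, rid: str) -> bool:
        """Approving or denying removes the entry; unknown or expired ids return False."""
        if rid not in self.pending:
            return False
        self._drop(rid)
        return True


class ManualClock:
    """Deterministic clock so TTL expiry can be shown offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo(n: int = 50_000) -> dict:
    def req(i: int) -> dict:  # constructed access request; the clientId is attacker-chosen
        return {"clientId": f"client-{i}", "description": "flood"}

    unbounded = UnboundedAccessRequests()
    for i in range(n):
        unbounded.submit("203.0.113.7", req(i))

    clock = ManualClock()
    bounded = BoundedAccessRequests(max_pending=1000, max_per_source=5, ttl_seconds=600.0, clock=clock)
    one_source = sum(1 for i in range(n) if bounded.submit("203.0.113.7", req(i))[0])
    many_sources = sum(1 for i in range(n) if bounded.submit(f"src-{i}", req(i))[0])
    pending_at_cap = len(bounded.pending)
    clock.advance(601.0)                      # everything above is now past its TTL
    accepted, rid = bounded.submit("198.51.100.9", req(0))
    return {
        "unbounded_pending": len(unbounded.pending),
        "one_source_accepted": one_source,
        "many_sources_accepted": many_sources,
        "pending_at_cap": pending_at_cap,
        "accepted_after_expiry": accepted,
        "pending_after_expiry": len(bounded.pending),
        "resolved": bounded.resolve(rid),
    }
```

The per-source cap is keyed on the peer address because a distinct clientId costs the attacker nothing; the global cap is what holds when the flood is spread across many addresses, and the TTL is what keeps abandoned requests from accumulating even under the caps.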