golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip

A flaw was found in the archive/zip package in the Go standard library. A super-linear file name indexing algorithm is used in the first time a file in an archive is opened. A crafted zip archive containing a specific arrangement of file names can cause an excessive CPU and memory consumption. A ...

Denial Of Service

React Server Components is vulnerable to Denial of Service. The vulnerability is due to specially crafted HTTP requests to Server Function endpoints, where the payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable...

undici: Undici: Denial of Service due to uncontrolled resource consumption

A flaw was found in Undici. When the interceptors.deduplicate feature is enabled, response data for deduplicated requests can accumulate in memory. A remote attacker, by sending large or chunked responses and concurrent identical requests from an untrusted endpoint, can exploit this uncontrolled...

brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion

A flaw was found in the brace-expansion component. This denial of service DoS vulnerability allows a remote attacker to provide specially crafted input containing repeated numeric brace ranges. This input causes the library to attempt an unbounded expansion, consuming excessive CPU and memory...

SIR-Bench: Evaluating Investigation Depth in Security Incident Response Agents

We present SIR-Bench, a benchmark of 794 test cases for evaluating autonomous security incident response agents that distinguishes genuine forensic investigation from alert parroting. Derived from 129 anonymized incident patterns with expert-validated ground truth, SIR-Bench measures not only...

CVE-2026-40393

In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca...

pypdf: Manipulated XMP metadata entity declarations can exhaust RAM

Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. Patches This has been fixed in pypdf==6.10.0. Workarounds If you cannot upgrade yet, consider applying the changes from PR 3724...

Step CA affected by an index out of bounds panic in TPM attestation EKU validation

Summary An attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key AK certificate with an empty Extended Key Usage EKU extension during TPM device attestation. Details When processing a device-attest-01 ACME challenge using TPM attestation, Step CA...

GHSA-9QQ8-CGCV-QMC9 Step CA affected by an index out of bounds panic in TPM attestation EKU validation

Summary An attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key AK certificate with an empty Extended Key Usage EKU extension during TPM device attestation. Details When processing a device-attest-01 ACME challenge using TPM attestation, Step CA...

EUVD-2026-21506

Step CA affected by an index out of bounds panic in TPM attestation EKU validation...

CVE-2026-33618

Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray method uses PHP's eval to parse platform settings from the database. An attacker with admin access obtainable via Advisory 1 can inject arbitrary PHP code into the settings,...

Improper Validation of Array Index

Overview Affected versions of this package are vulnerable to Improper Validation of Array Index of tcg-kp-AIKCertificate Extended Key Usage OID during TPM device attestation. An attacker can cause a panic and disrupt service availability by submitting a crafted attestation key certificate with an...

CVE-2026-40097

Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key AK certificate with an empty Extended Key Usage EKU extension...

CVE-2026-35599

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an On loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far ...

CVE-2026-40097

CVE-2026-40097 affects Step CA (online CA for secure, automated certificate management). From version 0.24.0 up to before 0.30.0-rc3, an attacker can trigger an index-out-of-bounds panic during TPM device attestation by sending a crafted attestation key certificate with an empty EKU extension. Sp...

CVE-2026-40097

Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key AK certificate with an empty Extended Key Usage EKU extension...

CVE-2026-40097 Step CA affected by an index out of bounds panic in TPM attestation EKU validation

Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key AK certificate with an empty Extended Key Usage EKU extension...

CVE-2026-40074 SvelteKit's invalidated redirect in handle hook causes Denial-of-Service

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This...

CVE-2026-35599 Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an On loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far ...

CVE-2026-35599 Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an On loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far ...