Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable upload endpoint, single crafted POST with no auth or user interaction, impact limited to availability of the linx-server process.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
An issue in the uploadPostHandler component of Andrei Marcu linx-server v2.3.8 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.
AnalysisAI
Denial of service in Andrei Marcu linx-server v2.3.8 allows remote unauthenticated attackers to crash or exhaust the file-upload service by sending a crafted POST request to the uploadPostHandler component. CVSS 3.1 rates availability impact High (7.5) with no confidentiality or integrity loss, and publicly available exploit code exists via a referenced GitHub gist, though there is no public exploit identified as actively exploited at time of analysis.
Technical ContextAI
linx-server is an open-source self-hosted file/URL/text sharing application written in Go by Andrei Marcu, originally developed to power the linx.li service. The vulnerable uploadPostHandler is the HTTP handler responsible for accepting multipart/form-data POST uploads. The root cause class is CWE-400 (Uncontrolled Resource Consumption), meaning the handler does not adequately bound the resources (memory, CPU, file descriptors, disk, or goroutines) consumed while parsing or persisting an incoming upload, so a maliciously shaped POST can drive the process into resource exhaustion. The CPE entry (cpe:2.3:a:n/a:n/a) was not populated by the reporter, but the description pins the affected build to linx-server v2.3.8.
RemediationAI
No vendor-released patch identified at time of analysis - neither the EUVD nor NVD references point to a fixed linx-server release, and the only references are the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-50879) and a POC gist (https://gist.github.com/pyuysig/807d92e6d8e7648d140d004f3b54b08b). Operators of linx-server v2.3.8 should monitor the upstream repository (github.com/andreimarcu/linx-server) for a release that hardens uploadPostHandler and upgrade as soon as it is published. In the interim, place linx-server behind a reverse proxy (nginx, Caddy, or Traefik) and enforce strict client_max_body_size / request body limits, per-IP connection and request-rate limits, and timeouts on slow POST bodies, accepting that legitimate large uploads will be rejected as a trade-off. Where public anonymous uploads are not required, restrict the upload endpoint to authenticated users or trusted source IPs via the proxy, and run the linx-server process with cgroup or systemd memory/CPU limits so a successful DoS attempt restarts the service rather than starving the host.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36777
GHSA-g743-m6x3-v6wm