Monthly
IO::Uncompress::Unzip versions before 2.215 for Perl propagate an uncaught exception when parsing a zip header with a malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die, and the exception propagates out of IO::Uncompress::Unzip->new($file), where callers expect undef plus $UnzipError rather than a die.
Denial of service in Vanetza (riebl) versions 26.02 and earlier lets remote unauthenticated attackers crash the V2X message-processing daemon by sending a crafted Secured Message whose signing certificate carries an out-of-range or invalid-CHOICE Psid value. The malformed certificate passes the permissive ASN.1 decode step but trips a semantic constraint check during OER re-encoding inside the signature-verification path, raising an exception that is never caught and forcing std::terminate. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the network-reachable, no-authentication, low-complexity profile (CVSS 7.5) makes it a credible availability risk for any node that verifies untrusted V2X traffic.
Remote denial of service in Vanetza 26.02 and earlier lets unauthenticated attackers crash the C-ITS protocol stack by sending malformed network packets containing corrupted ASN.1/OER structures, such as invalid length fields or malformed certificate encodings. The ASN.1 wrapper (asn1c_wrapper.cpp) raises a std::runtime_error that is never caught at the parsing boundary, so it propagates to std::terminate and kills the process. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV; EPSS data was not provided.
Remote unauthenticated denial-of-service in the Nimiq core-rs-albatross client (nimiq-primitives crate prior to 1.5.0) lets any state-sync peer crash a syncing node by sending a ResponseChunk whose first TrieItem.key is the empty ROOT key, triggering a panic in MerkleRadixTrie::put_chunk → put_raw. No public exploit identified at time of analysis, but the issue is trivially triggerable with a single malformed chunk and affects all nodes performing initial sync or recovery against untrusted peers. EPSS data was not provided; CVSS A:H impact and zero attacker prerequisites make this a high-priority availability bug for Nimiq node operators.
Log-volume denial of service in NiceGUI's dynamic static-asset routes allows remote unauthenticated attackers to flood server logs and exhaust disk or log-pipeline capacity. The two affected routes - the per-component resource route (introduced in v1.4.6) and the ESM module route (introduced in v3.0.0) - fail to distinguish directories from files before passing user-controlled paths to Starlette's FileResponse, triggering an unhandled RuntimeError that Uvicorn logs as a full multi-frame traceback (~100 lines per request). Versions up to and including 3.11.1 are affected; the fix is available in 3.12.0. No public exploit or CISA KEV listing has been identified at time of analysis. IMPORTANT: The provided tags (RCE, Path Traversal, Information Disclosure) are directly contradicted by the advisory, which explicitly states there is no remote code execution, no path traversal, and no data exposure - these tags should be treated as erroneous metadata.
Denial of service in multiparty (Node.js multipart/form-data parser) versions ≤4.2.3 crashes Node.js processes when attackers send crafted form uploads with field names matching JavaScript Object prototype properties (__proto__, constructor, toString). CVSS 7.5 (High) with network vector and no authentication required. No public exploit code identified at time of analysis, but exploitation is trivial given the straightforward prototype pollution attack pattern. Services accepting file uploads via multiparty are immediately affected until upgraded to 4.3.0+.
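The multiparty entry above describes a class of bug worth seeing in working code. The following is an added example, not multiparty's own source: a minimal "append or create" field collector written the way many Node.js form parsers historically were, beside a hardened version. The field names and values are constructed sample data, and `collectNaive`, `collectHardened` and `tryCollect` are names chosen here for illustration.

```javascript
// Added example (not multiparty's code): why field names that collide with
// Object.prototype properties crash a naive multipart field collector, and
// how a prototype-free object avoids it.

// Constructed sample: the (name, value) pairs a multipart parser would emit
// for a crafted multipart/form-data body. 'title' repeats so the append
// branch is exercised as well.
const CRAFTED_FIELDS = [
  ['title', 'hello'],
  ['__proto__', 'x'],
  ['constructor', 'y'],
  ['toString', 'z'],
  ['title', 'again'],
];

// Naive collector in the vulnerable style: a plain object literal with an
// "append or create" lookup on fields[name]. For name === 'toString' the
// lookup returns Object.prototype.toString (a function), so .push is
// undefined and the call throws TypeError. '__proto__' resolves to
// Object.prototype and 'constructor' to Object, and both fail the same way.
// Uncaught in a request handler, that TypeError ends the whole process.
function collectNaive(pairs) {
  const fields = {};
  for (const [name, value] of pairs) {
    if (fields[name]) {
      fields[name].push(value);
    } else {
      fields[name] = [value];
    }
  }
  return fields;
}

// Hardened collector: Object.create(null) has no prototype chain, so every
// lookup reflects only keys this loop stored. Assigning '__proto__' on such
// an object creates an ordinary own property instead of changing the
// prototype. A Map, or Object.hasOwn on a plain object, works equally well.
function collectHardened(pairs) {
  const fields = Object.create(null);
  for (const [name, value] of pairs) {
    if (name in fields) {
      fields[name].push(value);
    } else {
      fields[name] = [value];
    }
  }
  return fields;
}

// Runs a collector over the sample and reports whether it survived. This is
// the boundary at which a real server must catch parser errors and answer
// 400 for the one bad request rather than let the exception escape.
function tryCollect(collector, pairs) {
  try {
    return { ok: true, fields: collector(pairs) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}
```

Run `tryCollect(collectNaive, CRAFTED_FIELDS)` and the naive collector dies on the second field with a TypeError; the hardened collector returns all four names, including `__proto__`, as ordinary own properties. The same check (prototype-free storage plus a catch at the request boundary) applies to any code that indexes a plain object with attacker-chosen keys, not only to multipart parsers.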
Denial of service in Zebra's JSON-RPC HTTP middleware allows authenticated RPC clients to crash a Zebra node by disconnecting mid-request, exploiting improper error handling that treats incomplete HTTP body reads as unrecoverable failures instead of returning error responses. Affects zebrad versions 2.2.0 through 4.3.0 and zebra-rpc versions 1.0.0-beta.45 through 6.0.1. No public exploit code or active exploitation confirmed; patch available in zebrad 4.3.1 and zebra-rpc 6.0.2.
Remote unauthenticated attackers can crash Node.js processes running vm2 <= 3.10.5 by triggering an unhandled Promise rejection that terminates the host application. The vulnerability exploits an incomplete fix for CVE-2026-22709 - while previous patches sanitized `.then()` and `.catch()` callback chains, they failed to intercept unhandled rejections originating from Promise constructor executors. Publicly available exploit code exists (GitHub advisory GHSA-hw58-p9xv-2mjh). The attack requires minimal resources (150-byte HTTP request) but achieves high impact by crashing entire server processes serving all concurrent users, with demonstrated persistent DoS despite container orchestration restart policies.
A Granian worker process aborts when a WSGI application returns invalid HTTP response header names or values, because of an unhandled panic in the header conversion path. An attacker who can influence WSGI application output, for example by injecting user-controlled data into response headers such as Location or Content-Disposition, can trigger worker-process denial of service. The vulnerability affects Granian versions 0.2.0 through 2.7.3; a patch is available in version 2.7.4. The proof of concept demonstrates crashes via headers containing spaces, CRLF sequences, or null bytes.
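The Granian entry turns on what "invalid header names or values" means at the byte level, so an added example follows. It is generic application-side validation written for this page, not Granian's code and not a description of its Rust header conversion: it applies the RFC 9110 token rule to names and the no-CR/LF/NUL, printable-or-obs-text rule to values, and returns the problems so a request can be failed with a 500 before the header ever reaches the server runtime. The header list is constructed sample data and the function names are chosen here.

```javascript
// Added example (generic, not Granian's code): validate response header
// names and values before handing them to the server runtime. A runtime that
// panics or throws while converting a bad header turns a header-injection
// bug in the application into a worker crash; checking first lets the
// application fail the one request instead.

// RFC 9110 tchar set: the only characters permitted in a header name.
const TCHAR = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isValidHeaderName(name) {
  return typeof name === 'string' && TCHAR.test(name);
}

// Header values: no CR, LF or NUL anywhere; only visible ASCII, SP, HTAB or
// obs-text (0x80-0xFF); no leading or trailing SP/HTAB. Code points above
// 0xFF are rejected because they have no single-byte wire encoding. The
// empty value is legal.
function isValidHeaderValue(value) {
  if (typeof value !== 'string') return false;
  if (/^[ \t]|[ \t]$/.test(value)) return false;
  for (let i = 0; i < value.length; i++) {
    const c = value.charCodeAt(i);
    if (c === 0x09) continue;
    if (c < 0x20 || c === 0x7f || c > 0xff) return false;
  }
  return true;
}

// Checks every (name, value) pair an application returned. An empty list
// means the headers are safe to emit; otherwise the caller logs the
// problems and answers 500 for this request only.
function validateHeaders(headers) {
  const problems = [];
  for (const [name, value] of headers) {
    if (!isValidHeaderName(name)) {
      problems.push(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (!isValidHeaderValue(value)) {
      problems.push(`invalid value for header ${JSON.stringify(name)}`);
    }
  }
  return problems;
}

// Constructed sample: two well-formed headers, a Location built from an
// unsanitised redirect target carrying a CRLF injection, a
// Content-Disposition filename with an embedded NUL, and a header name
// containing a space. The last three mirror the crash inputs the Granian
// proof of concept reportedly used.
const CONSTRUCTED_HEADERS = [
  ['Content-Type', 'text/html; charset=utf-8'],
  ['Location', 'https://example.test/\r\nSet-Cookie: session=attacker'],
  ['Content-Disposition', 'attachment; filename="report\u0000.pdf"'],
  ['X Custom', '1'],
  ['Cache-Control', 'no-store'],
];
```

`validateHeaders(CONSTRUCTED_HEADERS)` returns three problems, one for each malformed header, and nothing for the two good ones. Node's own `http.validateHeaderName()` and `http.validateHeaderValue()` enforce similar rules but signal failure by throwing, which is exactly the behaviour that must be caught per request rather than allowed to escape a worker.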
Remote unauthenticated denial of service crashes Vanetza V2X v26.02 receivers via malformed GeoNetworking packets containing invalid ECC points. Uncaught OpenSSL exceptions from elliptic curve point validation (invalid compressed points, points not on the curve) in the security layer escape through the Router::indicate() call chain, triggering std::terminate and process termination. No public exploit identified at time of analysis, and no EPSS data was available. The attack requires only network access to the V2X receiver endpoint, with no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), making this a significant operational risk for deployed V2X infrastructure that relies on continuous availability for vehicle safety communications.