Tandoor Recipes versions prior to 2.6.5 suffer from a denial-of-service vulnerability in the recipe import functionality that allows authenticated users to crash the application server or severely degrade performance by uploading a specially crafted ZIP bomb file. The vulnerability affects recipe management and meal planning features accessible to authenticated users and has been patched in version 2.6.5.
Disk exhaustion in PraisonAI prior to 4.5.128 allows remote attackers to consume arbitrary disk space by publishing malicious recipe bundles containing highly compressible data that expands dramatically during extraction. The vulnerability exists in the _safe_extractall() function, which guards only against path traversal and performs no checks on individual member sizes, cumulative extracted size, or member count before tar extraction, enabling an unauthenticated attacker to trigger denial of service via LocalRegistry.pull() or HttpRegistry.pull() with minimal user interaction.
Memory exhaustion in JWCrypto before 1.5.7 allows unauthenticated remote attackers to cause denial of service on memory-constrained systems by sending crafted JWE tokens with ZIP compression that decompress to approximately 100MB despite remaining under the 250KB input size limit. The vulnerability exploits incomplete validation in the upstream CVE-2024-28102 patch, which restricted input token size but failed to enforce decompressed output limits.
Mattermost server versions 10.11.x through 11.4.x fail to validate decompressed archive entry sizes during ZIP file extraction, allowing authenticated users with file upload permissions to trigger denial of service by uploading crafted zip bombs that exhaust server memory. The vulnerability affects Mattermost 10.11.0-10.11.11, 11.2.0-11.2.3, 11.3.0-11.3.1, and 11.4.0, with CVSS 6.5 (medium) reflecting the requirement for prior authentication and limited scope (availability impact only). No public exploit had been identified at the time of analysis, though the attack vector is network-accessible and requires low complexity once an attacker has valid upload credentials.
OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability that selectively bypasses safety checks for tar.bz2 skill archives while other formats enforce proper validation. An attacker can craft a malicious tar.bz2 skill archive that circumvents special-entry blocking and extracted-size guardrails, causing local denial of service during skill installation when a user interacts with the installer. This is a local, user-interaction-dependent vulnerability with no authentication required, rated CVSS 5.5 (medium severity) with denial of service impact.
Unauthenticated remote attackers can exhaust memory in Red Hat Build of Keycloak 26.4 and 26.4.10 by sending highly compressed SAML requests that bypass decompression size limits, triggering denial of service. The vulnerability affects SAML Redirect Binding implementations that fail to enforce resource constraints during DEFLATE decompression, allowing attackers to crash the application with OutOfMemoryError conditions. No patch is currently available.
A remote code execution vulnerability (CVSS 6.9) that can also be used to cause denial of service. Remediation should follow standard vulnerability management procedures; a vendor patch is available.
The Node.js undici WebSocket client is vulnerable to denial of service via a decompression bomb in its permessage-deflate processing, allowing remote attackers to crash or hang affected processes through unbounded memory consumption. An attacker controlling a malicious WebSocket server can send specially crafted compressed frames that expand to extremely large sizes in memory without triggering any decompression limits. No patch is currently available for this vulnerability.
Unrestricted zip file extraction in MarkUs prior to version 2.9.4 allows authenticated users to trigger denial of service through resource exhaustion by uploading specially crafted archives with excessive file counts or sizes. Instructors and students can exploit this during assignment configuration uploads or submission handling to consume server resources and impact system availability. No patch is currently available for affected installations.
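Taken together, the Tandoor, PraisonAI, Mattermost, OpenClaw and MarkUs entries above describe the same missing controls on archive extraction: a cap on member count, on each member's declared size, on the cumulative extracted size, a block on special entries (symlinks and the like), and accounting of the bytes actually written rather than trusting the header. The following is an added example written for this digest, not code from any of those projects. The limit constants and the archive contents are constructed for illustration, and the audit step runs on metadata alone so a bomb is rejected before anything is inflated; it covers zip and tar (including bz2-, gzip- and xz-compressed tar) through Python's standard library.

```python
import os
import tarfile
import tempfile
import zipfile

# Illustrative policy limits (assumed values, not taken from any of the projects above).
MAX_MEMBERS = 1_000
MAX_MEMBER_BYTES = 50 * 1024 * 1024
MAX_TOTAL_BYTES = 200 * 1024 * 1024


class ArchiveLimitError(ValueError):
    """Raised before any payload is written when a limit or path rule is violated."""


def _check_path(name: str, dest: str) -> str:
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ArchiveLimitError(f"path traversal: {name!r}")
    return target


def audit_members(members, dest: str) -> int:
    """Check (name, declared_size, is_special) tuples built from metadata alone, so a bomb
    is rejected before anything is inflated. Returns the cumulative declared size."""
    total = 0
    for count, (name, size, special) in enumerate(members, start=1):
        if count > MAX_MEMBERS:
            raise ArchiveLimitError(f"more than {MAX_MEMBERS} members")
        if special:  # symlinks, hardlinks, devices, FIFOs
            raise ArchiveLimitError(f"special entry not allowed: {name!r}")
        if size > MAX_MEMBER_BYTES:
            raise ArchiveLimitError(f"member too large: {name!r} ({size} bytes)")
        total += size
        if total > MAX_TOTAL_BYTES:
            raise ArchiveLimitError(f"cumulative size exceeds {MAX_TOTAL_BYTES} bytes")
        _check_path(name, dest)
    return total


def _copy_bounded(src, target: str, declared: int) -> int:
    """Stream one entry to disk, refusing to write past its declared size (headers can lie)."""
    os.makedirs(os.path.dirname(target) or ".", exist_ok=True)
    written = 0
    with open(target, "wb") as out:
        while chunk := src.read(64 * 1024):
            written += len(chunk)
            if written > declared:
                raise ArchiveLimitError(f"entry grew past its declared size: {target!r}")
            out.write(chunk)
    return written


def safe_extract(archive_path: str, dest: str) -> int:
    """Audit metadata first, then extract with per-entry byte accounting; returns bytes written."""
    os.makedirs(dest, exist_ok=True)
    total = 0
    if zipfile.is_zipfile(archive_path):
        with zipfile.ZipFile(archive_path) as zf:
            audit_members(((i.filename, i.file_size, False) for i in zf.infolist()), dest)
            for info in zf.infolist():
                if not info.is_dir():
                    with zf.open(info) as src:
                        total += _copy_bounded(src, _check_path(info.filename, dest), info.file_size)
    elif tarfile.is_tarfile(archive_path):
        # Mode "r" auto-detects gzip, bz2 and xz, so a tar.bz2 gets exactly the same checks.
        with tarfile.open(archive_path, "r") as tf:
            audit_members(((m.name, m.size, not (m.isfile() or m.isdir())) for m in tf.getmembers()), dest)
            for m in tf.getmembers():
                if m.isfile():
                    with tf.extractfile(m) as src:
                        total += _copy_bounded(src, _check_path(m.name, dest), m.size)
    else:
        raise ArchiveLimitError("not a zip or tar archive")
    return total


def _outcome(fn, *args) -> str:
    try:
        fn(*args)
        return "accepted"
    except ArchiveLimitError:
        return "rejected"


def demo() -> dict:
    """Constructed inputs (not real-world samples): one benign upload, then metadata-only cases
    for 1001 tiny members, five members that each fit but sum to 250 MiB, and a symlink entry."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.zip")
        with zipfile.ZipFile(good, "w") as zf:
            zf.writestr("recipes/a.json", b"{}" * 50)
            zf.writestr("recipes/b.json", b"[]" * 25)
        results["good_bytes"] = safe_extract(good, os.path.join(tmp, "out_good"))
        results["too_many"] = _outcome(audit_members, ((f"f{i}", 1, False) for i in range(MAX_MEMBERS + 1)), tmp)
        results["cumulative"] = _outcome(audit_members, [("chunk", MAX_MEMBER_BYTES, False)] * 5, tmp)
        results["special"] = _outcome(audit_members, [("config", 0, True)], tmp)
    return results
```

The two-phase shape is the point: `audit_members` decides from headers whether the archive is acceptable at all, and `_copy_bounded` then enforces the same per-entry number against the bytes that actually come out, so an entry whose header under-declares its size is still cut off at the declared figure.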
NATS Server versions prior to 2.11.2 and 2.12.3 fail to properly limit memory allocation during WebSocket compression, allowing unauthenticated attackers to trigger denial of service through compression bomb attacks that exhaust server memory. The vulnerability is exploitable pre-authentication since compression negotiation occurs before credential validation. A patch is available in versions 2.11.2 and 2.12.3.
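The JWCrypto, Keycloak, undici and NATS entries share a root cause: the code bounds the size of the compressed input (or nothing at all) but places no bound on the inflated output, so a few kilobytes of DEFLATE can expand by orders of magnitude, which is exactly how the JWCrypto case stays under a 250KB input limit while producing roughly 100MB. The example below is added here and is not code from any of those projects. It inflates with an output cap using the `max_length` argument of `zlib.decompressobj().decompress()`, so memory never exceeds the cap plus one byte whatever the ratio; the 1 MiB limit and the constructed payloads are assumptions for illustration.

```python
import zlib

MAX_INFLATED_BYTES = 1024 * 1024  # illustrative cap (assumed value): size the real limit to the protocol


class InflateLimitError(ValueError):
    """Raised as soon as the output would pass the cap, before the rest of the stream is inflated."""


def inflate_bounded(data: bytes, limit: int = MAX_INFLATED_BYTES, wbits: int = -zlib.MAX_WBITS) -> bytes:
    """Inflate `data` (raw DEFLATE by default, as used by JWE 'zip', the SAML redirect binding and
    permessage-deflate) while never holding more than limit + 1 output bytes."""
    d = zlib.decompressobj(wbits)
    out = bytearray()
    pending = data
    while pending and not d.eof:
        # max_length stops zlib exactly at the cap (+1 so overflow is observable); input it did
        # not get to is parked in unconsumed_tail rather than inflated.
        out += d.decompress(pending, limit - len(out) + 1)
        if len(out) > limit:
            raise InflateLimitError(f"{len(data)}-byte input inflates past {limit} bytes")
        pending = d.unconsumed_tail
    if not d.eof:
        # Sync-flushed streams (e.g. permessage-deflate frames) never set eof. unconsumed_tail is
        # empty at this point, so flush() only returns what zlib already has buffered.
        out += d.flush()
        if len(out) > limit:
            raise InflateLimitError(f"flushed output passes {limit} bytes")
    return bytes(out)


def _raw_deflate(payload: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(payload) + c.flush()


def demo() -> dict:
    """Constructed inputs: a small token-like message and a highly compressible 16 MiB payload."""
    results = {}
    message = b'{"iss":"example","sub":"alice"}'
    results["small_roundtrip"] = inflate_bounded(_raw_deflate(message)) == message
    bomb = _raw_deflate(b"\0" * (16 * 1024 * 1024))
    results["bomb_input_bytes"] = len(bomb)  # a few tens of KB at most
    try:
        inflate_bounded(bomb)
        results["bomb"] = "accepted"
    except InflateLimitError:
        results["bomb"] = "rejected"
    return results
```

For zlib- or gzip-wrapped input pass `wbits=zlib.MAX_WBITS | 32` to let the decompressor auto-detect the header; the cap logic is unchanged. The one trap to avoid is calling `flush()` while `unconsumed_tail` is still non-empty: CPython's `flush()` feeds that tail through zlib without a length limit, which would reopen the hole the loop closes.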