Forem: CVE Reports

CVE-2026-39804: CVE-2026-39804: Remote Code Execution and DoS via Bandit WebSocket Permessage-Deflate Resource Exhaustion

CVE Reports — Thu, 07 May 2026 06:10:30 +0000

CVE-2026-39804: Remote Code Execution and DoS via Bandit WebSocket Permessage-Deflate Resource Exhaustion

Vulnerability ID: CVE-2026-39804
CVSS Score: 8.2
Published: 2026-05-07

CVE-2026-39804 is a critical resource exhaustion vulnerability (CWE-770) affecting the Bandit Elixir HTTP server. By exploiting unbounded DEFLATE decompression in WebSocket frames, an unauthenticated attacker can crash the Erlang VM (BEAM) via a highly compressed decompression bomb.

TL;DR

Unauthenticated remote attackers can trigger a Denial of Service (OOM crash) in the Bandit web server by sending a highly compressed WebSocket frame, exhausting BEAM memory if permessage-deflate is enabled.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-770
Attack Vector: Network (Remote)
CVSS v4.0 Score: 8.2 (High)
EPSS Score: 0.0004 (11.83%)
Exploit Status: Proof-of-Concept Available
Impact: Denial of Service (Node Crash)

Affected Systems

Bandit HTTP Server (mtrudel/bandit)
bandit: >= 0.5.9, < 1.11.0 (Fixed in: 1.11.0)

Code Analysis

Commit: 8156921

Fix resource exhaustion in permessage-deflate via chunked decompression and ratio limits

Exploit Details

Test Suite PoC: The protocol_test.exs suite in the fix commit demonstrates the decompression bomb construction.

Mitigation Strategies

Upgrade Bandit server to version 1.11.0 or newer.
Disable permessage-deflate compression globally by setting compress: false in the WebSocket adapter configuration.

Remediation Steps:

Update the mix.exs dependencies to require {:bandit, ">= 1.11.0"}.
Run mix deps.get and mix deps.compile to fetch and build the patched version.
If patching is impossible, review calls to WebSockAdapter.upgrade/4 and remove any compress: true options.
Deploy the updated application and restart the BEAM node.
Verify the remediation by monitoring application memory metrics when under WebSocket load.

References

Read the full report for CVE-2026-39804 on our website for more details including interactive diagrams and full exploit analysis.

CVE-2026-42786: CVE-2026-42786: Unbounded WebSocket Fragmented Message Reassembly Denial of Service in Bandit

CVE Reports — Thu, 07 May 2026 05:40:29 +0000

CVE-2026-42786: Unbounded WebSocket Fragmented Message Reassembly Denial of Service in Bandit

Vulnerability ID: CVE-2026-42786
CVSS Score: 8.7
Published: 2026-05-07

An unauthenticated remote denial of service vulnerability exists in the Bandit HTTP server due to unbounded resource allocation during WebSocket fragment reassembly. Attackers can trigger complete memory exhaustion by streaming continuous WebSocket frames without the finalization bit, causing the Erlang virtual machine to crash.

TL;DR

Bandit < 1.11.0 fails to limit cumulative size of fragmented WebSocket messages, allowing unauthenticated attackers to cause an Out-of-Memory (OOM) denial of service by sending infinite continuation frames.

Technical Details

CWE ID: CWE-770
Attack Vector: Network (Unauthenticated)
CVSS 4.0 Score: 8.7 (High)
EPSS Percentile: 17.28%
Primary Impact: Denial of Service (OOM)
Exploit Status: None (Theoretical PoC)
CISA KEV: No

Affected Systems

Bandit HTTP Server (0.5.0 up to 1.11.0)
Phoenix Web Applications using vulnerable Bandit instances as the web server adapter
bandit: >= 0.5.0, < 1.11.0 (Fixed in: 1.11.0)

Code Analysis

Commit: 21612c7

Fix unbounded websocket fragmented message reassembly

Mitigation Strategies

Upgrade bandit package to version 1.11.0 or higher
Configure web application firewall (WAF) to inspect and limit abnormal WebSocket message continuation patterns
Implement connection rate limiting and maximum connection duration timeouts

Remediation Steps:

Update mix.exs to require bandit version ~> 1.11
Run mix deps.get and mix deps.compile to fetch and build the updated library
If the application legitimately handles WebSocket messages larger than 8MB, configure max_fragmented_message_size in the Bandit endpoint configuration
Deploy the application and monitor WebSocket connection metrics for unexpected termination errors (Code 1009)

References

Read the full report for CVE-2026-42786 on our website for more details including interactive diagrams and full exploit analysis.

CVE-2026-20188: CVE-2026-20188: Uncontrolled Resource Consumption in Cisco CNC and NSO

CVE Reports — Thu, 07 May 2026 05:20:29 +0000

CVE-2026-20188: Uncontrolled Resource Consumption in Cisco CNC and NSO

Vulnerability ID: CVE-2026-20188
CVSS Score: 7.5
Published: 2026-05-06

Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) contain a high-severity denial-of-service vulnerability due to inadequate connection rate limiting. Exploitation results in resource exhaustion requiring a manual reboot for recovery.

TL;DR

CVE-2026-20188 is an unauthenticated, remote denial-of-service vulnerability (CVSS 7.5) in Cisco CNC and NSO. An attacker can exhaust system connections, causing application unresponsiveness that persists until a manual system reboot.

Technical Details

CWE ID: CWE-400
Attack Vector: Network
CVSS v3.1: 7.5
Impact: Persistent Denial of Service
Exploit Status: None (Unexploited)
KEV Status: Not Listed

Affected Systems

Cisco Crosswork Network Controller (CNC)
Cisco Network Services Orchestrator (NSO)
Cisco Crosswork Network Controller: <= 7.1 (Fixed in: 7.2)
Cisco Network Services Orchestrator: <= 6.3 (Fixed in: 6.5)
Cisco Network Services Orchestrator: 6.4 (Fixed in: 6.4.1.3)

Mitigation Strategies

Apply vendor-provided patch upgrades
Implement network-level connection rate limiting at upstream firewalls
Restrict network access to management interfaces using explicit allowlists
Monitor ingress ports for unusual TCP connection spikes

Remediation Steps:

Identify the current software version of Cisco CNC or NSO running in the environment.
Download the applicable fixed release (CNC 7.2+, NSO 6.4.1.3, or NSO 6.5+).
Schedule a maintenance window and provision backup snapshots.
Apply the software update according to Cisco's official upgrade procedures.
Verify system stability and test management interface connectivity post-upgrade.

References

Read the full report for CVE-2026-20188 on our website for more details including interactive diagrams and full exploit analysis.

CVE-2026-39805: CVE-2026-39805: CL.CL HTTP Request Smuggling in Bandit Web Server

CVE Reports — Thu, 07 May 2026 05:10:29 +0000

CVE-2026-39805: CL.CL HTTP Request Smuggling in Bandit Web Server

Vulnerability ID: CVE-2026-39805
CVSS Score: 6.3
Published: 2026-05-07

The Bandit HTTP server for Elixir versions prior to 1.11.0 fails to correctly process requests containing multiple Content-Length headers. This inconsistent interpretation creates a CL.CL HTTP request smuggling vulnerability when Bandit is deployed behind a reverse proxy that parses the headers differently. Attackers exploit this desynchronization to smuggle secondary HTTP requests past edge security controls.

TL;DR

Bandit < 1.11.0 accepts duplicate Content-Length headers and processes only the first one, violating RFC 9112. When deployed behind certain reverse proxies, this allows attackers to smuggle hidden HTTP requests to bypass frontend access controls.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-444
Attack Vector: Network
CVSS v4.0: 6.3
EPSS Score: 0.00017 (4.03%)
Impact: Security Control Bypass
Exploit Status: Proof of Concept
KEV Status: Not Listed

Affected Systems

Bandit (Elixir HTTP Server) < 1.11.0
bandit: < 1.11.0 (Fixed in: 1.11.0)

Code Analysis

Commit: f2ca636

Fix HTTP request smuggling vulnerability by rejecting requests with multiple Content-Length headers

Exploit Details

GitHub Fix Commit: Proof of Concept test case embedded within the official repository patch suite.

Mitigation Strategies

Upgrade Bandit web server to version 1.11.0
Configure frontend proxies to reject requests with multiple Content-Length headers
Deploy WAF rules to detect and block malformed HTTP requests

Remediation Steps:

Modify mix.exs to require bandit version >= 1.11.0
Run mix deps.get to update the application dependencies
Recompile the application and deploy to the target environment
Validate frontend proxy configurations to ensure strict RFC 9112 compliance

References

Read the full report for CVE-2026-39805 on our website for more details including interactive diagrams and full exploit analysis.

CVE-2026-39807: CVE-2026-39807: Transport-State Spoofing via Untrusted URI Scheme in Bandit HTTP Server

CVE Reports — Thu, 07 May 2026 04:40:29 +0000

CVE-2026-39807: Transport-State Spoofing via Untrusted URI Scheme in Bandit HTTP Server

Vulnerability ID: CVE-2026-39807
CVSS Score: 6.3
Published: 2026-05-07

The Bandit HTTP server prior to version 1.11.0 contains a transport-state spoofing vulnerability. The application incorrectly prioritizes the client-supplied URI scheme over the verified transport-layer encryption status. This allows unauthenticated attackers to spoof the connection state as secure (HTTPS) over a plaintext connection, bypassing security middleware and exposing secure cookies.

TL;DR

A logic flaw in the Bandit HTTP server allows attackers to forge the connection scheme. Sending an absolute-form HTTP request over a plaintext connection causes the server to treat the request as HTTPS, bypassing SSL redirects and leaking secure cookies.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-807
Attack Vector: Network
CVSS Score: 6.3
EPSS Score: 0.00018
Impact: Security feature bypass and confidentiality loss
Exploit Status: Proof of Concept
KEV Status: Not Listed

Affected Systems

Bandit HTTP Server for Elixir
Elixir applications utilizing Plug.Conn via Bandit
Deployments exposing plaintext (non-TLS) HTTP ports
bandit: >= 1.0.0, < 1.11.0 (Fixed in: 1.11.0)

Code Analysis

Commit: 45feea2

Fix transport-state spoofing vulnerability by evaluating only adapter security state

Exploit Details

Commit Test Suite: Unit tests implementing the spoofing payload to verify the patch effectiveness.

Mitigation Strategies

Upgrade the bandit package to a patched version
Disable plaintext network listeners and enforce TLS termination at the application
Deploy a reverse proxy to sanitize absolute-form HTTP request targets

Remediation Steps:

Update the project's mix.exs file to require bandit version 1.11.0 or later.
Execute mix deps.get and mix compile to pull and build the updated dependency.
Audit production deployments to verify whether plaintext ports are unintentionally exposed.
Test downstream application behavior to ensure secure cookies and Plug.SSL correctly evaluate the patched state.

References

Read the full report for CVE-2026-39807 on our website for more details including interactive diagrams and full exploit analysis.

CVE-2026-42788: CVE-2026-42788: HTTP/2 Frame Size Limit Bypass and Memory Exhaustion in Bandit

CVE Reports — Thu, 07 May 2026 04:10:29 +0000

CVE-2026-42788: HTTP/2 Frame Size Limit Bypass and Memory Exhaustion in Bandit

Vulnerability ID: CVE-2026-42788
CVSS Score: 6.9
Published: 2026-05-07

CVE-2026-42788 is a critical resource management vulnerability in the Bandit HTTP server for Elixir. The flaw exists within the HTTP/2 frame deserialization logic, where binary pattern matching defers size validation until after memory allocation. This allows an unauthenticated remote attacker to cause memory exhaustion and Denial of Service by transmitting oversized HTTP/2 frames.

TL;DR

Unauthenticated remote attackers can trigger Denial of Service in the Bandit Elixir HTTP server via memory exhaustion by sending oversized HTTP/2 frames, bypassing size limits due to deferred buffer validation in pattern matching.

Technical Details

CWE ID: CWE-770
Attack Vector: Network
CVSS v4.0: 6.9
EPSS Score: 0.00017
Impact: Denial of Service (DoS)
Exploit Status: None
CISA KEV: Not Listed

Affected Systems

bandit (Elixir HTTP server)
bandit: 0.3.6 <= version < 1.11.0 (Fixed in: 1.11.0)

Code Analysis

Commit: 1e8e559

Fix for HTTP/2 frame size limit bypassed by late buffer check

@@ -0,0 +1,7 @@
+def deserialize(
+      <<length::24, _type::8, _flags::8, _reserved::1, _stream_id::31, rest::binary>>,
+      max_frame_size
+    )
+    when length > max_frame_size do
+  {{:error, Bandit.HTTP2.Errors.frame_size_error(), "Payload size too large (RFC9113§4.2)"},
+   rest}
+end

Mitigation Strategies

Upgrade the bandit dependency to version 1.11.0 or later.
Implement rate limiting and connection concurrency limits at the reverse proxy or WAF layer.
Enforce process-level memory limits using containerization policies (e.g., cgroups, Kubernetes resource quotas).

Remediation Steps:

Modify the mix.exs file in the Elixir project to require bandit version >= 1.11.0.
Execute mix deps.get and mix deps.compile to fetch and compile the updated dependency.
Verify the update by inspecting the mix.lock file ensuring the bandit version reflects 1.11.0.
Deploy the updated application build to staging, test HTTP/2 functionality, and proceed to production deployment.

References

Read the full report for CVE-2026-42788 on our website for more details including interactive diagrams and full exploit analysis.

GHSA-MMPX-JH39-WRV6: GHSA-MMPX-JH39-WRV6: Stored Cross-Site Scripting in FileBrowser Quantum via SVG Rendering

CVE Reports — Thu, 07 May 2026 03:40:29 +0000

GHSA-MMPX-JH39-WRV6: Stored Cross-Site Scripting in FileBrowser Quantum via SVG Rendering

Vulnerability ID: GHSA-MMPX-JH39-WRV6
CVSS Score: 5.4
Published: 2026-05-07

FileBrowser Quantum versions prior to v1.3.1-stable and v1.3.9-beta are vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability manifests when the application serves user-uploaded Scalable Vector Graphics (SVG) files with the inline parameter. Due to the absence of a restrictive Content-Security-Policy (CSP) header, modern browsers execute embedded JavaScript within the application's origin context.

TL;DR

FileBrowser Quantum allows Stored XSS via malicious SVG files served inline due to a missing Content-Security-Policy header. Attackers can execute arbitrary JavaScript in a victim's session.

⚠️ Exploit Status: POC

Technical Details

Vulnerability Type: Stored Cross-Site Scripting (XSS)
CWE ID: CWE-79, CWE-693
Attack Vector: Network
Authentication Status: Required for upload, unauthenticated for victim execution
Affected Component: backend/http/download.go
Exploit Availability: Proof of Concept available

Affected Systems

FileBrowser Quantum (github.com/gtsteffaniak/filebrowser)
FileBrowser Quantum: < v1.3.1-stable (Fixed in: v1.3.1-stable)
FileBrowser Quantum: < v1.3.9-beta (Fixed in: v1.3.9-beta)

Code Analysis

Commit: 6bfc397

Added Content-Security-Policy header to mitigate inline SVG XSS execution.

func setContentDisposition(w http.ResponseWriter, r *http.Request, fileName string) {
    dispositionType := "attachment"
    if r.URL.Query().Get("inline") == "true" {
        dispositionType = "inline"
+       // Inline SVG (and similar) can execute embedded scripts when opened as a top-level document; 
+       // match upstream filebrowser mitigation.
+       w.Header().Set("Content-Security-Policy", "script-src 'none'")
    }
    // ...
}

Mitigation Strategies

Update FileBrowser Quantum to version v1.3.1-stable or v1.3.9-beta.
Configure reverse proxies to enforce a strict CSP on all file rendering endpoints.
Block the ?inline=true parameter via Web Application Firewall (WAF) if inline rendering is not required.

Remediation Steps:

Identify the current version of FileBrowser Quantum deployed in the environment.
Download the patched binary for v1.3.1-stable or v1.3.9-beta from the official repository releases.
Stop the FileBrowser service.
Replace the existing executable with the downloaded patched binary.
Restart the service and verify that requests to file endpoints with ?inline=true return the Content-Security-Policy: script-src 'none' header.

References

Read the full report for GHSA-MMPX-JH39-WRV6 on our website for more details including interactive diagrams and full exploit analysis.

GHSA-FPF5-4JW8-67X8: GHSA-FPF5-4JW8-67X8: Unbounded Memory Allocation in rust-zserio

CVE Reports — Thu, 07 May 2026 02:10:29 +0000

GHSA-FPF5-4JW8-67X8: Unbounded Memory Allocation in rust-zserio

Vulnerability ID: GHSA-FPF5-4JW8-67X8
CVSS Score: 7.5
Published: 2026-05-07

A critical vulnerability exists in the rust-zserio crate regarding how auto-generated deserialization routines handle variable-length structures. By supplying a maliciously crafted Zserio bitstream with an artificially inflated size header, an attacker can force the application to request massive memory allocations, resulting in an Out-of-Memory (OOM) panic and process termination.

TL;DR

Unbounded memory allocation in rust-zserio allows remote attackers to trigger an Out-of-Memory crash by providing malformed bitstreams with massive array lengths.

⚠️ Exploit Status: POC

Technical Details

CWE: CWE-770
Attack Vector: Network (Malicious Payload)
Impact: Denial of Service (DoS)
Exploit Status: Proof of Concept (PoC) Available
Authentication Required: None
Remediation: Code Generator Update

Affected Systems

Software leveraging rust-zserio versions prior to May 1, 2026
Systems parsing untrusted Zserio payloads using generated Rust code
rust-zserio: < 57f5fb4a2a8611d58dbcc1a9221349206dd99c3c (Fixed in: 57f5fb4a2a8611d58dbcc1a9221349206dd99c3c)

Code Analysis

Commit: 57f5fb4

Implemented chunked array allocation and incremental growth logic to prevent OOM.

Mitigation Strategies

Update the rust-zserio crate to a version containing the fix commit.
Regenerate all previously generated Rust code for Zserio decoding.
Implement network-layer access controls to limit exposure of endpoints parsing Zserio structures.

Remediation Steps:

Bump the rust-zserio dependency in Cargo.toml to the patched version.
Execute the build process to trigger the internal generator.
Verify that the newly generated code uses push-based loops instead of vec! macro initializations.
Optionally configure the array allocation chunk size using zserio::set_array_alloc_chunk() to fine-tune memory profiles.

References

Read the full report for GHSA-FPF5-4JW8-67X8 on our website for more details including interactive diagrams and full exploit analysis.

GHSA-FC67-C4HG-Q653: CVE-2026-7461: OS Command Injection in Amazon ECS Agent for Windows via FSx Volume Credentials

CVE Reports — Thu, 07 May 2026 01:40:29 +0000

CVE-2026-7461: OS Command Injection in Amazon ECS Agent for Windows via FSx Volume Credentials

Vulnerability ID: GHSA-FC67-C4HG-Q653
CVSS Score: 7.2
Published: 2026-05-07

A high-severity OS command injection vulnerability exists in the Amazon ECS Agent for Windows (versions 1.47.0 to 1.102.0) that permits an authenticated attacker with task definition creation privileges to execute arbitrary commands as the SYSTEM user via crafted FSx Windows File Server volume credentials.

TL;DR

The Amazon ECS Agent for Windows improperly neutralizes user input when mounting FSx Windows File Server volumes. Attackers with task definition privileges can inject shell metacharacters into the username field, leading to OS command execution as SYSTEM. Administrators must upgrade to version 1.103.0.

⚠️ Exploit Status: POC

Technical Details

Vulnerability Type: OS Command Injection
CWE ID: CWE-78
CVSS v3.1 Base Score: 7.2 (High)
Attack Vector: Network
Privileges Required: High (Task Definition Registration)
Impact: SYSTEM-level Arbitrary Code Execution
Exploit Maturity: Proof of Concept
Fixed Version: 1.103.0

Affected Systems

Amazon ECS Agent (Windows)
Amazon FSx for Windows File Server Integration
Amazon ECS Agent (Windows): >= 1.47.0, < 1.103.0 (Fixed in: 1.103.0)

Mitigation Strategies

Upgrade the Amazon ECS Agent to version 1.103.0 or later on all Windows instances.
Audit and enforce least privilege IAM policies for 'ecs:RegisterTaskDefinition' and 'ecs:RunTask' actions.
Implement CloudTrail monitoring to detect shell metacharacters in volume configuration credential fields.

Remediation Steps:

Open an administrative PowerShell session on the target Windows container instance.
Stop the ECS service using the command: Stop-Service -Name "ecs".
Download the latest agent zip file using: Invoke-WebRequest -Uri https://s3.us-east-1.amazonaws.com/amazon-ecs-agent-us-east-1/amazon-ecs-agent-latest.zip -OutFile agent.zip.
Extract the archive using: Expand-Archive -Path agent.zip -DestinationPath .
Verify the version using: ./amazon-ecs-agent.exe -version.
Restart the ECS service using: Start-Service -Name "ecs".

References

Read the full report for GHSA-FC67-C4HG-Q653 on our website for more details including interactive diagrams and full exploit analysis.

GHSA-9G2Q-W3W2-VF7Q: GHSA-9G2Q-W3W2-VF7Q: Improper Authorization and IDOR in Kimai Timesheet Management

CVE Reports — Wed, 06 May 2026 19:40:29 +0000

GHSA-9G2Q-W3W2-VF7Q: Improper Authorization and IDOR in Kimai Timesheet Management

Vulnerability ID: GHSA-9G2Q-W3W2-VF7Q
CVSS Score: N/A
Published: 2026-05-06

Kimai versions prior to 2.56.0 contain an Improper Authorization vulnerability that functions as an Insecure Direct Object Reference (IDOR). The vulnerability exists in the TimesheetVoter component, which fails to verify team associations when processing authorization requests. This allows authenticated users with the ROLE_TEAMLEAD privilege to read, modify, or delete timesheets belonging to users in completely unrelated teams.

TL;DR

A missing team-scope check in the TimesheetVoter allows users with the ROLE_TEAMLEAD permission to manipulate timesheets outside their managed teams via API requests.

⚠️ Exploit Status: POC

Technical Details

Advisory ID: GHSA-9G2Q-W3W2-VF7Q
CVE ID: None assigned
Vulnerability Type: Improper Authorization (IDOR)
Affected Component: TimesheetVoter
Attack Vector: Network
Privileges Required: ROLE_TEAMLEAD
CVSS v4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Affected Systems

Kimai (Packagist)
kimai/kimai: < 2.56.0 (Fixed in: 2.56.0)

Mitigation Strategies

Upgrade Kimai to version 2.56.0
Audit users with ROLE_TEAMLEAD
Revoke global edit_other_timesheet and delete_other_timesheet permissions from ROLE_TEAMLEAD

Remediation Steps:

Identify current Kimai version in use.
Download and deploy Kimai 2.56.0 via Composer.
Review assigned roles in the Kimai administrative interface.
Monitor API logs for anomalous /api/timesheets/ requests.

References

Read the full report for GHSA-9G2Q-W3W2-VF7Q on our website for more details including interactive diagrams and full exploit analysis.

GHSA-VRQV-52X7-RM4V: GHSA-VRQV-52X7-RM4V: Information Exposure via Unrestricted Twig config() Function in Kimai

CVE Reports — Wed, 06 May 2026 19:10:29 +0000

GHSA-VRQV-52X7-RM4V: Information Exposure via Unrestricted Twig config() Function in Kimai

Vulnerability ID: GHSA-VRQV-52X7-RM4V
CVSS Score: Not Provided
Published: 2026-05-06

Kimai versions up to 2.55.0 suffer from an information exposure vulnerability where the custom Twig config() function lacks sufficient sandbox restrictions. This flaw allows users with template upload privileges to extract sensitive server-wide configuration values, such as LDAP credentials and SAML private keys, by rendering them into exported invoices or documents.

TL;DR

The Twig config() function in Kimai failed to restrict access to sensitive configuration keys within sandboxed templates. Highly privileged users could exploit this to leak server secrets (LDAP/SAML) into rendered PDFs or HTML exports. The issue is resolved in version 2.56.0.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-200
Attack Vector: Application UI (Template Upload)
Impact: Confidentiality (Secret Leakage)
Privileges Required: High (ROLE_SUPER_ADMIN or upload_invoice_template)
Exploit Status: Proof of Concept Known
KEV Status: Not Listed

Affected Systems

Kimai (Self-Hosted)
Kimai: <= 2.55.0 (Fixed in: 2.56.0)

Mitigation Strategies

Upgrade Kimai application to a patched release.
Restrict the upload_invoice_template permission strictly to trusted administrators.
Audit custom invoice templates for suspicious Twig function calls.

Remediation Steps:

Review the current installed version of Kimai.
Schedule a maintenance window and back up the database and files.
Update Kimai to version 2.56.0 or higher following the official documentation.
Review user permissions and ensure only the System-Admin role has template management capabilities.
Inspect existing custom templates under 'System -> Invoices -> Templates' for unauthorized config() usage.

References

Read the full report for GHSA-VRQV-52X7-RM4V on our website for more details including interactive diagrams and full exploit analysis.

CVE-2024-27354: CVE-2024-27354: Computational Denial of Service via Unbounded Primality Testing in phpseclib

CVE Reports — Wed, 06 May 2026 18:10:29 +0000

CVE-2024-27354: Computational Denial of Service via Unbounded Primality Testing in phpseclib

Vulnerability ID: CVE-2024-27354
CVSS Score: 7.5
Published: 2026-05-06

A computational Denial of Service (DoS) vulnerability in phpseclib allows unauthenticated attackers to exhaust CPU resources by supplying malformed X.509 certificates. The vulnerability arises from missing bit-length upper bounds in the Miller-Rabin primality test implementation when evaluating explicit elliptic curve field parameters.

TL;DR

phpseclib before versions 1.0.23, 2.0.47, and 3.0.36 suffers from a computational DoS flaw where parsing maliciously crafted X.509 certificates with massive explicit primes triggers an unbounded Miller-Rabin primality test, leading to CPU exhaustion.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-400
Attack Vector: Network
CVSS v3.1 Score: 7.5 (High)
EPSS Score: 0.00204 (42.24%)
Impact: Denial of Service (CPU Exhaustion)
Exploit Status: Proof of Concept
CISA KEV: No

Affected Systems

phpseclib 1.x series
phpseclib 2.x series
phpseclib 3.x series
phpseclib: 1.x < 1.0.23 (Fixed in: 1.0.23)
phpseclib: 2.x < 2.0.47 (Fixed in: 2.0.47)
phpseclib: 3.x < 3.0.36 (Fixed in: 3.0.36)

Code Analysis

Commit: 0358eb1

Fix Commit (3.0 branch) introducing the 8196-bit length check

Commit: ad5dbdf

Fix Commit (2.0 branch) utilizing user_error for the guardrail

Commit: c55b751

Follow-up fix for the getLength calculation logic

Exploit Details

Research Paper: X.509DoS: Exploiting and Detecting Denial-of-Service Vulnerabilities in X.509 Certificate Parsing

Mitigation Strategies

Upgrade phpseclib to the latest patched version on the active release branch.
Implement application-level limits on the size of uploaded X.509 certificate files.
Configure standard PHP execution timeouts (max_execution_time) to bound resource consumption on worker threads.
Register a custom PHP error handler to convert E_USER_NOTICE into fatal exceptions if operating on the 1.x or 2.x branches.

Remediation Steps:

Identify the current version of phpseclib utilizing Composer (composer show phpseclib/phpseclib).
Update the version constraint in composer.json to ensure a minimum version of 1.0.23, 2.0.47, or 3.0.36.
Execute composer update phpseclib/phpseclib to retrieve the patched library.
If utilizing the 1.x or 2.x branches, review application bootstrap code to ensure set_error_handler upgrades E_USER_NOTICE to a thrown exception.

References

Read the full report for CVE-2024-27354 on our website for more details including interactive diagrams and full exploit analysis.