CVEs classified under CWE-409, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-53430: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message…
CVE-2026-44697 — CVSS 8.6 (high): Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service…
CVE-2026-49755: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to…
CVE-2026-48594: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via…
CVE-2026-43970: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of…
CVE-2026-24264 — CVSS 7.5 (high): NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause improper handling of highly compressed data…
CVE-2026-48044 — CVSS 7.5 (high): Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and…
CVE-2026-54314 — CVSS 7.5 (high): n8n is an open source workflow automation platform. Prior to 2.24.0, the Compression node's Decompress operation expanded…
CVE-2026-48510 — CVSS 7.5 (high): MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, when MessagePack-CSharp decompresses Lz4Block or…
CVE-2026-54278 — CVSS 7.5 (high): AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a…
CVE-2026-10725 — CVSS 7.5 (high): Protocol::HTTP2 versions before 1.13 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size…
CVE-2026-44432 — CVSS 7.5 (high): urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the…
CVE-2026-40036 — CVSS 7.5 (high): Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause…
CVE-2026-1526 — CVSS 7.5 (high): The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate…
CVE-2026-22870 — CVSS 7.5 (high): GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate…
CVE-2026-22776 — CVSS 7.5 (high): cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS)…
CVE-2026-21441 — CVSS 7.5 (high): urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by…
CVE-2025-69223 — CVSS 7.5 (high): AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to…
CVE-2025-66909 — CVSS 7.5 (high): Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an image decompression bomb denial of service vulnerability. The…
CVE-2025-66471 — CVSS 7.5 (high): urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles…
CVE-2025-62708 — CVSS 7.5 (high): pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF…
CVE-2025-58057 — CVSS 7.5 (high): Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers…
CVE-2024-7765 — CVSS 7.5 (high): In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denial of…
CVE-2024-12886 — CVSS 7.5 (high): An Out-Of-Memory (OOM) vulnerability exists in the `ollama` server version 0.3.14. This vulnerability can be triggered when a malicious API…
CVE-2025-30153 — CVSS 7.5 (high): kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if…
CVE-2024-3572 — CVSS 7.5 (high): The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted…
CVE-2024-28101 — CVSS 7.5 (high): The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2…
CVE-2025-46730 — CVSS 6.8 (medium): MobSF is a mobile application security testing tool used. Typically, MobSF is deployed on centralized internal or cloud-based servers that…
CVE-2026-55078 — CVSS 6.5 (medium): Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions…
CVE-2026-54233 — CVSS 6.5 (medium): vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, vLLM's /v1/audio/transcriptions endpoint…
CVE-2026-27460 — CVSS 6.5 (medium): Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a critical Denial of…
CVE-2026-40148 — CVSS 6.5 (medium): PraisonAI is a multi-agent teams system. Prior to 4.5.128, the _safe_extractall() function in PraisonAI's recipe registry validates archive…
CVE-2026-25962 — CVSS 6.5 (medium): MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs currently extracts zip…
CVE-2025-63914 — CVSS 6.5 (medium): An issue was discovered in Cinnamon kotaemon 0.11.0. The _may_extract_zip function in the \libs\ktem\ktem\index\file\ui.py file does not…
CVE-2024-55909 — CVSS 6.5 (medium): IBM Concert Software 1.0.0 through 1.0.5 could allow an authenticated user to cause a denial of service due to the expansion of archive…
CVE-2025-32949 — CVSS 6.5 (medium): This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip…
CVE-2024-12387 — CVSS 6.5 (medium): A vulnerability in the binary-husky/gpt_academic repository, as of commit git 3890467, allows an attacker to crash the server by uploading…
CVE-2024-54682 — CVSS 6.5 (medium): Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file…
CVE-2023-0821 — CVSS 6.5 (medium): HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause…
CVE-2026-27571 — CVSS 5.9 (medium): NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages…
CVE-2026-44018 — CVSS 5.5 (medium): Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. From 2.45.0…
CVE-2026-32044 — CVSS 5.5 (medium): OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks…
CVE-2022-37439 — CVSS 5.5 (medium): In Splunk Enterprise and Universal Forwarder versions in the following table, indexing a specially crafted ZIP file using the file…
CVE-2026-8814 — CVSS 5.3 (medium): Versions of the package exifreader before 4.39.0 are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) due to…
CVE-2026-39373 — CVSS 5.3 (medium): JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust…
CVE-2026-2575 — CVSS 5.3 (medium): A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a…
CVE-2026-32630 — CVSS 5.3 (medium): file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth…
CVE-2026-23943 — CVSS 5.3 (medium): Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of…