Most recent sightings.

https://vulnerability.circl.lu/sightings/feed Most recent sightings. 2026-05-11T07:28:48.683180+00:00 Vulnerability-Lookup info@circl.lu python-feedgen Contains only the most 10 recent sightings. https://vulnerability.circl.lu/sighting/1ae2f47b-8e0a-4e0e-b580-0bf5bf89e18a/export 1ae2f47b-8e0a-4e0e-b580-0bf5bf89e18a 2026-05-11T07:28:49.039905+00:00 Automation user http://vulnerability.circl.lu/user/automation {"uuid": "1ae2f47b-8e0a-4e0e-b580-0bf5bf89e18a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39804", "type": "seen", "source": "https://gist.github.com/alon710/560a262a37ded8b644e3892d54c879bb", "content": "# CVE-2026-39804: CVE-2026-39804: Remote Code Execution and DoS via Bandit WebSocket Permessage-Deflate Resource Exhaustion\n\n> **CVSS Score:** 8.2\n> **Published:** 2026-05-07\n> **Full Report:** https://cvereports.com/reports/CVE-2026-39804\n\n## Summary\nCVE-2026-39804 is a critical resource exhaustion vulnerability (CWE-770) affecting the Bandit Elixir HTTP server. By exploiting unbounded DEFLATE decompression in WebSocket frames, an unauthenticated attacker can crash the Erlang VM (BEAM) via a highly compressed decompression bomb.\n\n## TL;DR\nUnauthenticated remote attackers can trigger a Denial of Service (OOM crash) in the Bandit web server by sending a highly compressed WebSocket frame, exhausting BEAM memory if `permessage-deflate` is enabled.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-770\n- **Attack Vector**: Network (Remote)\n- **CVSS v4.0 Score**: 8.2 (High)\n- **EPSS Score**: 0.0004 (11.83%)\n- **Exploit Status**: Proof-of-Concept Available\n- **Impact**: Denial of Service (Node Crash)\n\n## Affected Systems\n\n- Bandit HTTP Server (mtrudel/bandit)\n- **bandit**: >= 0.5.9, < 1.11.0 (Fixed in: `1.11.0`)\n\n## Mitigation\n\n- Upgrade Bandit server to version 1.11.0 or newer.\n- Disable `permessage-deflate` compression globally by setting `compress: false` in the WebSocket adapter configuration.\n\n**Remediation Steps:**\n1. Update the `mix.exs` dependencies to require `{:bandit, \">= 1.11.0\"}`.\n2. Run `mix deps.get` and `mix deps.compile` to fetch and build the patched version.\n3. If patching is impossible, review calls to `WebSockAdapter.upgrade/4` and remove any `compress: true` options.\n4. Deploy the updated application and restart the BEAM node.\n5. Verify the remediation by monitoring application memory metrics when under WebSocket load.\n\n## References\n\n- [GHSA-frh3-6pv6-rc8j Advisory](https://github.com/mtrudel/bandit/security/advisories/GHSA-frh3-6pv6-rc8j)\n- [CNA Advisory Entry](https://cna.erlef.org/cves/CVE-2026-39804.html)\n- [OSV Entry](https://osv.dev/vulnerability/EEF-CVE-2026-39804)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-39804) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-07T06:10:29.000000Z"} 2026-05-07T06:10:29+00:00