<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the 10 most recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Sun, 31 May 2026 11:56:51 +0000</lastBuildDate>
    <item>
      <title>bb99cbb1-ae21-4518-898e-76e92a5be7ad</title>
      <link>https://vulnerability.circl.lu/sighting/bb99cbb1-ae21-4518-898e-76e92a5be7ad/export</link>
      <description>{"uuid": "bb99cbb1-ae21-4518-898e-76e92a5be7ad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42786", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116512528267704627", "content": "Some increased actor activities are shown targeting mtrudel bandit (CVE-2026-42786) https://vuldb.com/vuln/360789/cti", "creation_timestamp": "2026-05-03T20:28:12.507614Z"}</description>
      <content:encoded>{"uuid": "bb99cbb1-ae21-4518-898e-76e92a5be7ad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42786", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116512528267704627", "content": "Some increased actor activities are shown targeting mtrudel bandit (CVE-2026-42786) https://vuldb.com/vuln/360789/cti", "creation_timestamp": "2026-05-03T20:28:12.507614Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/bb99cbb1-ae21-4518-898e-76e92a5be7ad/export</guid>
      <pubDate>Sun, 03 May 2026 20:28:12 +0000</pubDate>
    </item>
    <item>
      <title>e694a220-f86f-452e-9e8e-c687083d5c35</title>
      <link>https://vulnerability.circl.lu/sighting/e694a220-f86f-452e-9e8e-c687083d5c35/export</link>
      <description>{"uuid": "e694a220-f86f-452e-9e8e-c687083d5c35", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42786", "type": "seen", "source": "https://gist.github.com/alon710/7e14a0d3fcae150a08d7fce945893208", "content": "# CVE-2026-42786: CVE-2026-42786: Unbounded WebSocket Fragmented Message Reassembly Denial of Service in Bandit\n\n&amp;gt; **CVSS Score:** 8.7\n&amp;gt; **Published:** 2026-05-07\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-42786\n\n## Summary\nAn unauthenticated remote denial of service vulnerability exists in the Bandit HTTP server due to unbounded resource allocation during WebSocket fragment reassembly. Attackers can trigger complete memory exhaustion by streaming continuous WebSocket frames without the finalization bit, causing the Erlang virtual machine to crash.\n\n## TL;DR\nBandit &amp;lt; 1.11.0 fails to limit cumulative size of fragmented WebSocket messages, allowing unauthenticated attackers to cause an Out-of-Memory (OOM) denial of service by sending infinite continuation frames.\n\n## Technical Details\n\n- **CWE ID**: CWE-770\n- **Attack Vector**: Network (Unauthenticated)\n- **CVSS 4.0 Score**: 8.7 (High)\n- **EPSS Percentile**: 17.28%\n- **Primary Impact**: Denial of Service (OOM)\n- **Exploit Status**: None (Theoretical PoC)\n- **CISA KEV**: No\n\n## Affected Systems\n\n- Bandit HTTP Server (0.5.0 up to 1.11.0)\n- Phoenix Web Applications using vulnerable Bandit instances as the web server adapter\n- **bandit**: &amp;gt;= 0.5.0, &amp;lt; 1.11.0 (Fixed in: `1.11.0`)\n\n## Mitigation\n\n- Upgrade bandit package to version 1.11.0 or higher\n- Configure web application firewall (WAF) to inspect and limit abnormal WebSocket message continuation patterns\n- Implement connection rate limiting and maximum connection duration timeouts\n\n**Remediation Steps:**\n1. Update `mix.exs` to require `bandit` version `~&amp;gt; 1.11`\n2. Run `mix deps.get` and `mix deps.compile` to fetch and build the updated library\n3. If the application legitimately handles WebSocket messages larger than 8MB, configure `max_fragmented_message_size` in the Bandit endpoint configuration\n4. Deploy the application and monitor WebSocket connection metrics for unexpected termination errors (Code 1009)\n\n## References\n\n- [NVD - CVE-2026-42786](https://nvd.nist.gov/vuln/detail/CVE-2026-42786)\n- [GitHub Advisory GHSA-pf94-94m9-536p](https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p)\n- [EEF CVE-2026-42786](https://cna.erlef.org/cves/CVE-2026-42786.html)\n- [OSV EEF-CVE-2026-42786](https://osv.dev/vulnerability/EEF-CVE-2026-42786)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-42786) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-07T05:40:29.000000Z"}</description>
      <content:encoded>{"uuid": "e694a220-f86f-452e-9e8e-c687083d5c35", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42786", "type": "seen", "source": "https://gist.github.com/alon710/7e14a0d3fcae150a08d7fce945893208", "content": "# CVE-2026-42786: CVE-2026-42786: Unbounded WebSocket Fragmented Message Reassembly Denial of Service in Bandit\n\n&amp;gt; **CVSS Score:** 8.7\n&amp;gt; **Published:** 2026-05-07\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-42786\n\n## Summary\nAn unauthenticated remote denial of service vulnerability exists in the Bandit HTTP server due to unbounded resource allocation during WebSocket fragment reassembly. Attackers can trigger complete memory exhaustion by streaming continuous WebSocket frames without the finalization bit, causing the Erlang virtual machine to crash.\n\n## TL;DR\nBandit &amp;lt; 1.11.0 fails to limit cumulative size of fragmented WebSocket messages, allowing unauthenticated attackers to cause an Out-of-Memory (OOM) denial of service by sending infinite continuation frames.\n\n## Technical Details\n\n- **CWE ID**: CWE-770\n- **Attack Vector**: Network (Unauthenticated)\n- **CVSS 4.0 Score**: 8.7 (High)\n- **EPSS Percentile**: 17.28%\n- **Primary Impact**: Denial of Service (OOM)\n- **Exploit Status**: None (Theoretical PoC)\n- **CISA KEV**: No\n\n## Affected Systems\n\n- Bandit HTTP Server (0.5.0 up to 1.11.0)\n- Phoenix Web Applications using vulnerable Bandit instances as the web server adapter\n- **bandit**: &amp;gt;= 0.5.0, &amp;lt; 1.11.0 (Fixed in: `1.11.0`)\n\n## Mitigation\n\n- Upgrade bandit package to version 1.11.0 or higher\n- Configure web application firewall (WAF) to inspect and limit abnormal WebSocket message continuation patterns\n- Implement connection rate limiting and maximum connection duration timeouts\n\n**Remediation Steps:**\n1. Update `mix.exs` to require `bandit` version `~&amp;gt; 1.11`\n2. Run `mix deps.get` and `mix deps.compile` to fetch and build the updated library\n3. If the application legitimately handles WebSocket messages larger than 8MB, configure `max_fragmented_message_size` in the Bandit endpoint configuration\n4. Deploy the application and monitor WebSocket connection metrics for unexpected termination errors (Code 1009)\n\n## References\n\n- [NVD - CVE-2026-42786](https://nvd.nist.gov/vuln/detail/CVE-2026-42786)\n- [GitHub Advisory GHSA-pf94-94m9-536p](https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p)\n- [EEF CVE-2026-42786](https://cna.erlef.org/cves/CVE-2026-42786.html)\n- [OSV EEF-CVE-2026-42786](https://osv.dev/vulnerability/EEF-CVE-2026-42786)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-42786) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-07T05:40:29.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/e694a220-f86f-452e-9e8e-c687083d5c35/export</guid>
      <pubDate>Thu, 07 May 2026 05:40:29 +0000</pubDate>
    </item>
  </channel>
</rss>
