Go modules package
github.com/crowdsecurity/crowdsec
pkg:golang/github.com/crowdsecurity/crowdsec
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44982 | high | — |  | >= 1.5.0, < 1.7.8 | 1.7.8 | May 27, 2026 | Summary: The CrowdSec AppSec component fails to read the HTTP request body for any request whose `Content-Length` is not positive — most notably HTTP/1.1 requests using `Transfer-Encoding: chunked` and HTTP/2 requests sent without a `content-length` header. Coraza is then eval |
| CVE-2026-44981 |  | — |  | >= 1.7.0, < 1.7.8 | 1.7.8 | May 27, 2026 | The LAPI router uses `gin-contrib/gzip` with `DefaultDecompressHandle` globally (`pkg/apiserver/controllers/controller.go`). This middleware decompresses incoming request bodies without enforcing a maximum decompressed size. The endpoints `/v1/watchers` or `/v1/watchers/login` |