VYPR

Coredns

by Coredns


CVEs (15)

  • CVE-2026-35579 | Critical | May 5, 2026
    risk 0.57 | cvss 9.8 | epss 0.00

    CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls…

  • CVE-2026-33489 | High | May 5, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic…

  • CVE-2026-33190 | High | May 5, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer's TsigStatus() instead of performing verification itself. The DoH and DoH3…

  • CVE-2026-32936 | High | May 5, 2026
    risk 0.42 | cvss 7.5 | epss 0.01

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST…

  • CVE-2026-32934 | High | May 5, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full,…

  • CVE-2025-58063 | High | Sep 9, 2025
    risk 0.39 | cvss 7.1 | epss 0.00

    CoreDNS is a DNS server that chains plugins. Starting in version 1.2.0 and prior to version 1.12.4, the CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling DNS cache pinning attacks. This effectively creates a…

  • CVE-2024-0874 | Medium | Apr 25, 2024
    risk 0.28 | cvss 5.3 | epss 0.01

    A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching.

  • CVE-2026-26017 | Mar 6, 2026
    risk 0.00 | cvss | epss 0.00

    CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a…

  • CVE-2026-26018 | Mar 6, 2026
    risk 0.00 | cvss | epss 0.01

    CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a…

  • CVE-2025-68151 | Jan 8, 2026
    risk 0.00 | cvss | epss 0.00

    CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many…

  • CVE-2025-47950 | Jun 6, 2025
    risk 0.00 | cvss | epss 0.01

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any…

  • CVE-2023-30464 | Sep 18, 2024
    risk 0.00 | cvss | epss 0.00

    CoreDNS through 1.10.1 enables attackers to achieve DNS cache poisoning and inject fake responses via a birthday attack.

  • CVE-2023-28452 | Sep 18, 2024
    risk 0.00 | cvss | epss 0.01

    An issue was discovered in CoreDNS through 1.10.1. There is a vulnerability in DNS resolving software, which triggers a resolver to ignore valid responses, thus causing denial of service for normal resolution. In an exploit, the attacker could just forge a response targeting the…

  • CVE-2022-2837 | Mar 3, 2023
    risk 0.00 | cvss | epss 0.00

    A flaw was found in coreDNS. This flaw allows a malicious user to redirect traffic intended for external top-level domains (TLD) to a pod they control by creating projects and namespaces that match the TLD.

  • CVE-2022-2835 | Mar 3, 2023
    risk 0.00 | cvss | epss 0.00

    A flaw was found in coreDNS. This flaw allows a malicious user to reroute internal calls to some internal services that were accessed by the FQDN in a format of ..svc.
