VYPR
Vendor: Coredns

Products: 3
CVEs: 18
Across products: 18
Status: Private

Recent CVEs (18)
  • CVE-2026-35579 | Critical | May 5, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls…

  • CVE-2026-33489 | High | May 5, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic…

  • CVE-2026-33190 | High | May 5, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer's TsigStatus() instead of performing verification itself. The DoH and DoH3…

  • CVE-2026-32936 | High | May 5, 2026
    risk 0.42 | cvss 7.5 | epss 0.01

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST…

  • CVE-2026-32934 | High | May 5, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full,…

  • CVE-2025-58063 | High | Sep 9, 2025
    risk 0.39 | cvss 7.1 | epss 0.00

    CoreDNS is a DNS server that chains plugins. Starting in version 1.2.0 and prior to version 1.12.4, the CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling DNS cache pinning attacks. This effectively creates a…

  • CVE-2025-29914 | Medium | Mar 20, 2025
    risk 0.28 | cvss 5.4 | epss 0.00

    OWASP Coraza WAF is a golang modsecurity compatible web application firewall library. Prior to 3.3.3, if a request is made on an URI starting with //, coraza will set a wrong value in REQUEST_FILENAME. For example, if the URI //bar/uploads/foo.php?a=b is passed to coraza: ,…

  • CVE-2024-0874 | Medium | Apr 25, 2024
    risk 0.28 | cvss 5.3 | epss 0.01

    A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching.

  • CVE-2003-0380 | Jul 2, 2003
    risk 0.03 | cvss | epss 0.06

    Buffer overflow in atftp daemon (atftpd) 0.6.1 and earlier, and possibly later versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long filename.

  • CVE-2026-26017 | Mar 6, 2026
    risk 0.00 | cvss | epss 0.00

    CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a…

  • CVE-2026-26018 | Mar 6, 2026
    risk 0.00 | cvss | epss 0.01

    CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a…

  • CVE-2025-68151 | Jan 8, 2026
    risk 0.00 | cvss | epss 0.00

    CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many…

  • CVE-2025-47950 | Jun 6, 2025
    risk 0.00 | cvss | epss 0.01

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any…

  • CVE-2023-30464 | Sep 18, 2024
    risk 0.00 | cvss | epss 0.00

    CoreDNS through 1.10.1 enables attackers to achieve DNS cache poisoning and inject fake responses via a birthday attack.

  • CVE-2023-28452 | Sep 18, 2024
    risk 0.00 | cvss | epss 0.01

    An issue was discovered in CoreDNS through 1.10.1. There is a vulnerability in DNS resolving software, which triggers a resolver to ignore valid responses, thus causing denial of service for normal resolution. In an exploit, the attacker could just forge a response targeting the…

  • CVE-2023-40586 | Aug 25, 2023
    risk 0.00 | cvss | epss 0.01

    OWASP Coraza WAF is a golang modsecurity compatible web application firewall library. Due to the misuse of `log.Fatalf`, the application using coraza crashed after receiving crafted requests from attackers. The application will immediately crash after receiving a malicious…

  • CVE-2022-2837 | Mar 3, 2023
    risk 0.00 | cvss | epss 0.00

    A flaw was found in coreDNS. This flaw allows a malicious user to redirect traffic intended for external top-level domains (TLD) to a pod they control by creating projects and namespaces that match the TLD.

  • CVE-2022-2835 | Mar 3, 2023
    risk 0.00 | cvss | epss 0.00

    A flaw was found in coreDNS. This flaw allows a malicious user to reroute internal calls to some internal services that were accessed by the FQDN in a format of ..svc.