VYPR
Vendor: Ninenines

Products: 5
CVEs: 10
Across products: 12
Status: Private

Recent CVEs (10)

  • CVE-2026-43974 (High, Jun 8, 2026)
    risk 0.50 cvss epss 0.00

    Unexpected Status Code or Return Value vulnerability in ninenines gun (gun_http module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response. In gun_http:handle_inform/8, when a 101 Switching Protocols…

  • CVE-2026-43973 (High, Jun 8, 2026)
    risk 0.50 cvss epss 0.00

    Uncontrolled Resource Consumption vulnerability in ninenines gun (gun_http module) allows a malicious server to exhaust client memory via unbounded HTTP/1.1 response buffering. In gun_http:handle/5, three clauses accumulate incoming TCP data into the connection's buffer field…

  • CVE-2026-8466 (High, May 13, 2026)
    risk 0.46 cvss epss 0.00

    Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing. cowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary…

  • CVE-2026-43970 (High, May 13, 2026)
    risk 0.46 cvss epss 0.01

    Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output…

  • CVE-2026-7790 (High, May 11, 2026)
    risk 0.42 cvss 7.5 epss 0.00

    Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation. The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication…

  • CVE-2026-43966 (Med, Jun 8, 2026)
    risk 0.34 cvss epss 0.00

    Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and…

  • CVE-2026-43972 (Med, Jun 8, 2026)
    risk 0.34 cvss epss 0.00

    Origin Validation Error vulnerability in ninenines gun (gun_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority. In gun_http2:push_promise_frame/7, the :authority pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim…

  • CVE-2024-31209 (Med, Apr 4, 2024)
    risk 0.27 cvss 5.3 epss 0.00

    oidcc is the OpenID Connect client library for Erlang. Denial of Service (DoS) by Atom exhaustion is possible by calling `oidcc_provider_configuration_worker:get_provider_configuration/1` or `oidcc_provider_configuration_worker:get_jwks/1`. This issue has been patched in…

  • CVE-2026-43968 (Med, May 11, 2026)
    risk 0.19 cvss 4.0 epss 0.00

    Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values. cow_sse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal…

  • CVE-2026-43969 (Low, May 11, 2026)
    risk 0.14 cvss 3.2 epss 0.00

    Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list…