CVE-2026-9137 | THREATINT

Description

The CSP report endpoint intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.

PUBLISHED Reserved 2026-05-20 | Published 2026-05-20 | Updated 2026-05-20 | Assigner CIRCL

MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-400 Uncontrolled Resource Consumption

Product status

Default status

unaffected

2.5.0 (semver)

affected

Credits

Seth Kraft finder

References

github.com/...ommit/02932cccab230b295afcaf5aa05e363d30db0ec9 patch

cve.org (CVE-2026-9137)

nvd.nist.gov (CVE-2026-9137)

Download JSON