CVE-2026-3816
OWASP DefectDojo SonarQubeParser/MSDefenderParser parser.py input_zip.read denial of service
CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th
A security vulnerability has been detected in OWASP DefectDojo up to 2.55.4. This vulnerability affects the function input_zip.read of the file parser.py of the component SonarQubeParser/MSDefenderParser. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.56.0 is able to resolve this issue. The identifier of the patch is e8f1e5131535b8fd80a7b1b3085d676295fdcd41. Upgrading the affected component is recommended.
| CWE | CWE-404 |
| Vendor | owasp |
| Product | defectdojo |
| Published | Mar 9, 2026 |
| Last Updated | Mar 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for owasp defectdojo
Be the first to know when new medium vulnerabilities affecting owasp defectdojo are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
OWASP / DefectDojo
2.55.0 2.55.1 2.55.2 2.55.3 2.55.4
References
vuldb.com: https://vuldb.com/?id.349782 vuldb.com: https://vuldb.com/?ctiid.349782 vuldb.com: https://vuldb.com/?submit.769524 github.com: https://github.com/henrrrychau/cve-bug-bounty/blob/main/dfdj_zip_bomb_dos_oom/dfdj_zip_bomb_dos_oom.md github.com: https://github.com/DefectDojo/django-DefectDojo/pull/14408 github.com: https://github.com/henrrrychau/cve-bug-bounty/blob/main/dfdj_zip_bomb_dos_oom/dfdj_zip_bomb_dos_oom.md#supporting-materialreferences github.com: https://github.com/DefectDojo/django-DefectDojo/commit/e8f1e5131535b8fd80a7b1b3085d676295fdcd41 github.com: https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.56.0
Credits
๐ h3nrrrych4u (VulDB User)