CVE-2026-3816 - Vulnerability Analysis
MediumCVSS: 4.3Last Updated: March 10, 2026
OWASP DefectDojo - Denial of Service
Published: March 9, 2026Updated: March 10, 2026PoC AvailableRemote Exploitable
Overview
OWASP DefectDojo <= 2.55.4 contains a denial of service caused by manipulation of input_zip.read in SonarQubeParser/MSDefenderParser, letting remote attackers cause service disruption, exploit requires no special privileges.
Severity & Score
Severity: Medium
CVSS Score: 4.3
Impact
Remote attackers can cause denial of service, disrupting application availability.
Mitigation
Upgrade to version 2.56.0.
References
- https://vuldb.com/?ctiid.349782
- https://vuldb.com/?id.349782
- https://vuldb.com/?submit.769524
- https://github.com/DefectDojo/django-DefectDojo/commit/e8f1e5131535b8fd80a7b1b3085d676295fdcd41
- https://github.com/DefectDojo/django-DefectDojo/pull/14408
- https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.56.0
- https://github.com/henrrrychau/cve-bug-bounty/blob/main/dfdj_zip_bomb_dos_oom/dfdj_zip_bomb_dos_oom.md
- https://github.com/henrrrychau/cve-bug-bounty/blob/main/dfdj_zip_bomb_dos_oom/dfdj_zip_bomb_dos_oom.md#supporting-materialreferences
Related Resources
Details
- CVE ID
- CVE-2026-3816
- Severity
- Medium
- CVSS Score
- 4.3
- Type
- denial_of_service
- Status
- confirmed
CWE
- CWE-404
- CWE-1284
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L