These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-48497 is a medium-severity vulnerability affecting Envoy, an open-source edge and service proxy. The vulnerability occurs in the UDP DNS filter and can cause abnormal process termination when a query with a name of 255 octets is processed. This happens because the filter incorrectly assumes the query name must be strictly less than 255 octets, contradicting the DNS specification (RFC 1035). The i [truncated]
CVE-2026-48042 is a high-severity vulnerability affecting Envoy, an open-source edge and service proxy. The vulnerability occurs in the destructor of JSON objects, which can lead to a stack overflow when dealing with deeply nested objects, approximately 100,000 levels deep. This issue was addressed in Envoy versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1. The vulnerability has a CVSS score of 7.5 and is clas [truncated]
CVE-2026-47775 is a vulnerability in Envoy's OAuth2 HTTP filter. The encrypt()/decrypt() functions use AES-256-CBC without an authentication tag, creating a padding oracle. An attacker can recover the plaintext PKCE code_verifier in ~6,200 requests and exchange it for a stolen authorization code to obtain the victim's access token. This issue affects Envoy versions prior to 1.35.11, 1.36.7, 1.37.3, and 1. [truncated]
CVE-2026-47774 is a high-severity vulnerability in Envoy's HTTP/2 downstream request processing. An unauthenticated remote client can trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. This issue arises from a combination of two behaviors: incomplete accounting of cookie header bytes during request header size validation and HPACK hea [truncated]
CVE-2026-22771 is a high-severity vulnerability in Envoy Gateway, a project for managing Envoy Proxy. The vulnerability allows EnvoyExtensionPolicy Lua scripts executed by Envoy proxy to leak the proxy's credentials. These credentials can be used to communicate with the control plane and gain access to all secrets used by Envoy proxy, including TLS private keys and credentials for downstream and upstream [truncated]
CVE-2023-35945 is publicly documented by CISA in a CSAF advisory for Schneider Electric EcoStruxure Power Operation (EPO). The supplied advisory ties the issue to EPO 2022 and EPO 2024 and describes a denial-of-service outcome driven by a memory leak/memory exhaustion condition. Because the affected product lines are industrial control system software, availability impact should be treated as operationall [truncated]