PatchSiren

ninenines CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH | ninenines CVE | published 2026-05-11

CVE-2026-7790

CVE-2026-7790 is a denial-of-service issue in cowlib’s HTTP chunked transfer-encoding parser. The parser accepts an unbounded number of hex digits in the chunk-size field, which can force excessive CPU work and memory use while parsing. According to the advisory, a drip-fed request can make the cost even worse by causing the parser to restart its accumulated length on each partial read. This is a remotely [truncated]

LOW | ninenines CVE | published 2026-05-11

CVE-2026-43969

CVE-2026-43969 is a low-scoring but real header-injection issue in cowlib’s client-side Cookie header encoder. If an application passes attacker-controlled cookie names or values into cow_cookie:cookie/1, the serialized header can be manipulated to smuggle extra cookie data or inject CRLF-separated headers/request data.