{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "0.89.3" } ] }, "events": [ { "introduced": "0" }, { "fixed": "f8fb007c4c765dd0a4961f81846e6f27629dcd28" } ], "repo": "https://github.com/salvo-rs/salvo", "type": "GIT" } ] } ], "aliases": [ "GHSA-pp9r-xg4c-8j4x" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-770" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33241.json" }, "details": "Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service. Version 0.89.3 contains a patch.", "id": "CVE-2026-33241", "modified": "2026-04-01T23:08:01.461211750Z", "published": "2026-03-23T23:41:50.533Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33241.json" }, { "type": "WEB", "url": "https://github.com/salvo-rs/salvo/releases/tag/v0.89.3" }, { "type": "ADVISORY", "url": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-pp9r-xg4c-8j4x" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33241" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing" }