{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25577", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-03T01:02:46.714Z", "datePublished": "2026-02-10T17:01:26.622Z", "dateUpdated": "2026-02-11T15:33:08.561Z"}, "containers": {"cna": {"title": "Emmett has an Unhandled CookieError Exception Causing Denial of Service", "problemTypes": [{"descriptions": [{"cweId": "CWE-248", "lang": "en", "description": "CWE-248: Uncaught Exception", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76"}, {"name": "https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec", "tags": ["x_refsource_MISC"], "url": "https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec"}], "affected": [{"vendor": "emmett-framework", "product": "core", "versions": [{"version": "< 1.3.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-10T17:01:26.622Z"}, "descriptions": [{"lang": "en", "value": "Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in mmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service. This vulnerability is fixed in 1.3.11."}], "source": {"advisory": "GHSA-x6cr-mq53-cc76", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T15:33:01.074738Z", "id": "CVE-2026-25577", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:33:08.561Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25577", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T15:33:01.074738Z"}}}], "references": [{"url": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:32:48.921Z"}}], "cna": {"title": "Emmett has an Unhandled CookieError Exception Causing Denial of Service", "source": {"advisory": "GHSA-x6cr-mq53-cc76", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "emmett-framework", "product": "core", "versions": [{"status": "affected", "version": "< 1.3.11"}]}], "references": [{"url": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76", "name": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec", "name": "https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in mmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service. This vulnerability is fixed in 1.3.11."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-248", "description": "CWE-248: Uncaught Exception"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-10T17:01:26.622Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25577", "state": "PUBLISHED", "dateUpdated": "2026-02-11T15:33:08.561Z", "dateReserved": "2026-02-03T01:02:46.714Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-10T17:01:26.622Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in mmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service. This vulnerability is fixed in 1.3.11."}, {"lang": "es", "value": "Emmett es un framework dise\u00f1ado para simplificar su proceso de desarrollo. Antes de 1.3.11, la propiedad cookies en mmett_core.http.wrappers.Request no gestiona las excepciones CookieError al analizar encabezados Cookie malformados. Esto permite a atacantes no autenticados activar errores HTTP 500 y causar denegaci\u00f3n de servicio. Esta vulnerabilidad est\u00e1 corregida en 1.3.11."}], "id": "CVE-2026-25577", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-10T18:16:37.290", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec"}, {"source": "security-advisories@github.com", "url": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-248"}, {"lang": "en", "value": "CWE-307"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.11)"}}], "product": "core", "vendor": "emmett-framework"}], "analysis": {"en": {"generated_at": "2026-04-17T20:45:47.879736+00:00", "value": {"mitigation_remediation": ["Upgrade the Emmett framework to version 1.3.11 or later to apply the vendor\u2011provided fix.", "If an immediate upgrade is not possible, modify the request handling code to catch and properly process CookieError exceptions, returning a safe error response instead of a 500 status.", "Additionally, implement input validation or filtering on Cookie headers to reject malformed values, and consider rate limiting or temporary blocking of IPs that repeatedly trigger 500 errors to mitigate denial\u2011of\u2011service attacks."], "summary": {"action": "Patch Immediately", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The issued product is Emmett framework core, with all installations running a version older than 1.3.11 affected. The issue is not tied to any authenticated context, meaning any external user can exploit it by sending a crafted HTTP request containing invalid cookies.", "description_and_impact": "This vulnerability manifests as an unhandled CookieError exception when the Emmett framework parses a malformed Cookie header. The resulting 500 Internal Server Error is returned to the client, continuously exhausting server resources and effectively denying service. The flaw is due to improper exception handling in the request wrapper, which is classified as CWE-248 and CWE-307.", "risk_and_exploitability": "With a CVSS score of 7.5, the exploit has high severity. The EPSS score indicates that active exploitation is expected to be low, and it is not currently listed in the CISA KEV catalog. The attack vector inferred from the description is remote, as the vulnerability is triggered by external HTTP traffic that submits malformed cookies. Since no authentication or privileged access is required, the exposure is broad."}}}}, "created": "2026-02-12T09:40:07.039031+00:00", "updated": "2026-04-17T21:00:12.678821+00:00", "vendors": ["emmett-framework", "emmett-framework$PRODUCT$core"]}