
prosody

22 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-43507
< 0.12.6
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5. A Denial of Service can occur via memory
5.3 MEDIUM
CVE-2026-43506
< 0.12.6
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5. A Denial of Service can occur via memory
5.3 MEDIUM
CVE-2026-43505
< 0.12.6
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. Because mod_
6.5 MEDIUM
CVE-2026-43504
< 0.12.6
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. Because mod_
6.5 MEDIUM
CVE-2022-0217
< 0.11.12
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allow
7.5 HIGH
CVE-2021-37601
>= 0.11.0 and <= 0.11.9
muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, own
7.5 HIGH
CVE-2021-32921
< 0.11.9
An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings w
5.9 MEDIUM
CVE-2021-32920
< 0.11.9
Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests.
7.5 HIGH
CVE-2021-32919
>= 0.10.0 and < 0.11.9
An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an exp
7.5 HIGH
CVE-2021-32918
< 0.11.9
An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (Do
7.5 HIGH
CVE-2021-32917
< 0.11.9
An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the user
5.3 MEDIUM
CVE-2020-8086
<= 2020-01-27
The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed
9.8 CRITICAL
CVE-2018-10847
< 0.9.14
Prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host ass
4.2 MEDIUM
CVE-2017-18265
< 0.10.0
Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with
7.5 HIGH
CVE-2016-0756
<= 0.9.9
The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generati
5.3 MEDIUM
CVE-2016-1232
<= 0.9.8
The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server
7.5 HIGH
CVE-2016-1231
all versions
Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote att
5.9 MEDIUM
CVE-2014-2745
<= 0.9.3
Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause
CVE-2014-2744
<= 0.9.3
plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression whi
CVE-2011-2532
all versions
The json.decode function in util/json.lua in Prosody 0.8.x before 0.8.1 might allow remote attackers to cause a denial of service
CVE-2011-2531
all versions
Prosody 0.8.x before 0.8.1, when MySQL is used, assigns an incorrect data type to the value column in certain tables, which might
CVE-2011-2205
<= 0.8.0
Prosody before 0.8.1 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial o
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin