From 35cf4441cf3b3c527580b43631ff06d02e40918b Mon Sep 17 00:00:00 2001
From: Henrique Cabral
Date: Wed, 4 Mar 2026 12:04:48 -0300
Subject: [PATCH 1/2] New Vuln: DoS in unstructured
---
 input/new.json | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/input/new.json b/input/new.json
index 87646b9a..2152d9b2 100644
--- a/input/new.json
+++ b/input/new.json
@@ -1,15 +1,24 @@
 {
- "package_name": "",
- "patch_versions": [],
- "vulnerable_ranges": [],
- "cwe": [],
- "tldr": "",
- "doest_this_affect_me": "",
- "how_to_fix": "",
- "vulnerable_to": "",
+ "package_name": "unstructured",
+ "patch_versions": [
+ "0.20.8"
+ ],
+ "vulnerable_ranges": [
+ [
+ "0.1.0",
+ "0.20.7"
+ ]
+ ],
+ "cwe": [
+ "CWE-770"
+ ],
+ "tldr": "Affected versions of this package allow decompression of base64+gzipped elements JSON without a strict size cap, enabling a maliciously crafted payload to inflate into extremely large data in memory or on disk. An attacker could exploit this by submitting a compressed payload that expands to hundreds of megabytes or more, triggering excessive memory allocation, filesystem consumption, or process crashes. It can lead to denial-of-service conditions during document ingestion or processing pipelines that deserialize these compressed element payloads.",
+ "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+ "how_to_fix": "Upgrade the `unstructured` library to a patch version.",
+ "vulnerable_to": "Allocation of Resources Without Limits or Throttling",
 "related_cve_id": "",
- "language": "",
- "severity_class": "",
- "aikido_score": 0,
- "changelog": ""
+ "language": "PYTHON",
+ "severity_class": "LOW",
+ "aikido_score": 30,
+ "changelog": "https://github.com/Unstructured-IO/unstructured/releases/tag/0.20.8"
 }
From 49f9d9d0ad33c55dff462d9643402fc36a07533b Mon Sep 17 00:00:00 2001
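Review bot: `how_to_fix` in the new input/new.json names no version even though `patch_versions` a few lines above lists `0.20.8`; make the remediation actionable, e.g. `"how_to_fix": "Upgrade unstructured to 0.20.8 or later."`. `doest_this_affect_me` is likewise a generic sentence and could state the exposure the tldr itself describes, e.g. `"doest_this_affect_me": "You are affected if you run a version in the vulnerable range and deserialize base64+gzipped elements JSON that may come from an untrusted source."`. The lower bound `0.1.0` in `vulnerable_ranges` presumably predates the base64+gzip element helpers the tldr refers to; confirm the release that introduced them, since an over-wide range flags installs that cannot reach the affected code. The same record is copied verbatim into vulnerabilities/AIKIDO-2026-10289.json by the second patch, so any wording change needs to land there as well.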
From: "github-actions[bot]" Date: Thu, 5 Mar 2026 08:57:21 +0000 Subject: [PATCH 2/2] Move new vulnerability to vulnerabilities/AIKIDO-2026-10289.json and reset new.json template --- input/new.json | 33 ++++++++++---------------- vulnerabilities/AIKIDO-2026-10289.json | 26 ++++++++++++++++++++ 2 files changed, 38 insertions(+), 21 deletions(-) create mode 100644 vulnerabilities/AIKIDO-2026-10289.json diff --git a/input/new.json b/input/new.json index 2152d9b2..87646b9a 100644 --- a/input/new.json +++ b/input/new.json @@ -1,24 +1,15 @@ { - "package_name": "unstructured", - "patch_versions": [ - "0.20.8" - ], - "vulnerable_ranges": [ - [ - "0.1.0", - "0.20.7" - ] - ], - "cwe": [ - "CWE-770" - ], - "tldr": "Affected versions of this package allow decompression of base64+gzipped elements JSON without a strict size cap, enabling a maliciously crafted payload to inflate into extremely large data in memory or on disk. An attacker could exploit this by submitting a compressed payload that expands to hundreds of megabytes or more, triggering excessive memory allocation, filesystem consumption, or process crashes. It can lead to denial-of-service conditions during document ingestion or processing pipelines that deserialize these compressed element payloads.", - "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.", - "how_to_fix": "Upgrade the `unstructured` library to a patch version.", - "vulnerable_to": "Allocation of Resources Without Limits or Throttling", + "package_name": "", + "patch_versions": [], + "vulnerable_ranges": [], + "cwe": [], + "tldr": "", + "doest_this_affect_me": "", + "how_to_fix": "", + "vulnerable_to": "", "related_cve_id": "", - "language": "PYTHON", - "severity_class": "LOW", - "aikido_score": 30, - "changelog": "https://github.com/Unstructured-IO/unstructured/releases/tag/0.20.8" + "language": "", + "severity_class": "", + "aikido_score": 0, + "changelog": "" } 
diff --git a/vulnerabilities/AIKIDO-2026-10289.json b/vulnerabilities/AIKIDO-2026-10289.json
new file mode 100644
index 00000000..52de7a04
--- /dev/null
+++ b/vulnerabilities/AIKIDO-2026-10289.json
@@ -0,0 +1,26 @@
+{
+ "package_name": "unstructured",
+ "patch_versions": [
+ "0.20.8"
+ ],
+ "vulnerable_ranges": [
+ [
+ "0.1.0",
+ "0.20.7"
+ ]
+ ],
+ "cwe": [
+ "CWE-770"
+ ],
+ "tldr": "Affected versions of this package allow decompression of base64+gzipped elements JSON without a strict size cap, enabling a maliciously crafted payload to inflate into extremely large data in memory or on disk. An attacker could exploit this by submitting a compressed payload that expands to hundreds of megabytes or more, triggering excessive memory allocation, filesystem consumption, or process crashes. It can lead to denial-of-service conditions during document ingestion or processing pipelines that deserialize these compressed element payloads.",
+ "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+ "how_to_fix": "Upgrade the `unstructured` library to a patch version.",
+ "vulnerable_to": "Allocation of Resources Without Limits or Throttling",
+ "related_cve_id": "",
+ "language": "PYTHON",
+ "severity_class": "LOW",
+ "aikido_score": 30,
+ "changelog": "https://github.com/Unstructured-IO/unstructured/releases/tag/0.20.8",
+ "last_modified": "2026-03-05",
+ "published": "2026-03-05"
+}