CVE-2026-5233: Missing Rate Limiting in Mia Technologies' Pizzy Library
Improper Control of Interaction Frequency vulnerability in MIA Technology Inc. Pizzy Library allows Flooding. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: 1.3.9.26250
- Affected Products: 1
HarborGuard Analysis
Synopsis
Missing rate limiting in MIA Technology Inc.'s Pizzy Library allows an authenticated attacker to flood the service over the network. The vulnerability requires a low-privilege account but no victim interaction, and is reliably exploitable without special conditions. Successful exploitation allows the attacker to cause a denial of service, crashing or severely degrading the affected service, while also enabling limited data tampering. A patched-image rebuild at version 1.3.9.26250 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-5233 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all images in customer registries and CI/CD pipelines, including custom-built images that bundle the Pizzy Library.
Status: Available
HarborGuard scores this CVE at 7.1 HIGH using the CVSS v3.1 vector and can weight that score against each environment's compliance policy to route alerts to the appropriate team or inbox within the customer organization.
Status: Available
A patched-image rebuild at Pizzy Library version 1.3.9.26250 is available on HarborGuard for any environment found running an affected release (from 1.0.0.26250 up to, but not including, 1.3.9.26250). For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Status: Available
Exploit Conditions
- Network reachability: Required
The attacker must reach the Pizzy Library service over the network; the attack vector is remote (AV:N).
- Authentication: Required
The attacker must hold a valid low-privilege account on the target system; no elevated or admin credentials are required (PR:L).
- Victim interaction: Not required
No user or operator action is needed to trigger the vulnerability; the attacker acts entirely on their own (UI:N).
- Attack complexity: Detail
Exploitation is reliable and condition-free, requiring no race conditions or special environmental setup (AC:L).
Blast Radius
- Crashes or severely degrades the Pizzy Library service, making it unavailable to legitimate callers.
- Allows limited writes or modifications to data handled by the library (integrity impact: low).
- Downstream services or clients depending on the Pizzy Library endpoint experience sustained outage for the duration of a flood attack.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE-2026-5233 publication for any image containing a Pizzy Library build from 1.0.0.26250 up to, but not including, 1.3.9.26250. Where compliance policy permits, a rebuilt image pinned to the fixed version 1.3.9.26250 becomes available immediately after detection. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR is around 90 minutes for high-severity issues in auto-remediation-enabled environments. Customers who manage remediation manually will see the finding in their HarborGuard dashboard with a direct reference to the fix version, CVSS scoring, and policy-weighted priority to support their own patching workflow.
Fix available
- MIA Technology Inc. / Pizzy Library: < 1.3.9.26250 (from 1.0.0.26250)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H