Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-22739

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-26 Jan, 2023 | 08:45
Updated At-10 Mar, 2025 | 21:19
Rejected At-
Credits

Discourse subject to Allocation of Resources Without Limits or Throttling

Discourse is an open source platform for community discussion. Versions prior to 3.0.1 (stable), 3.1.0.beta2 (beta), and 3.1.0.beta2 (tests-passed) are subject to Allocation of Resources Without Limits or Throttling. As there is no limit on data contained in a draft, a malicious user can create an arbitrarily large draft, forcing the instance to a crawl. This issue is patched in versions 3.0.1 (stable), 3.1.0.beta2 (beta), and 3.1.0.beta2 (tests-passed). There are no workarounds.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:26 Jan, 2023 | 08:45
Updated At:10 Mar, 2025 | 21:19
Rejected At:
▼CVE Numbering Authority (CNA)
Discourse subject to Allocation of Resources Without Limits or Throttling

Discourse is an open source platform for community discussion. Versions prior to 3.0.1 (stable), 3.1.0.beta2 (beta), and 3.1.0.beta2 (tests-passed) are subject to Allocation of Resources Without Limits or Throttling. As there is no limit on data contained in a draft, a malicious user can create an arbitrarily large draft, forcing the instance to a crawl. This issue is patched in versions 3.0.1 (stable), 3.1.0.beta2 (beta), and 3.1.0.beta2 (tests-passed). There are no workarounds.

Affected Products
Vendor
Civilized Discourse Construction Kit, Inc.discourse
Product
discourse
Versions
Affected
  • stable < 3.0.1
  • beta < 3.1.0.beta2
  • tests-passed <3.1.0.beta2
Problem Types
TypeCWE IDDescription
CWECWE-770CWE-770: Allocation of Resources Without Limits or Throttling
Type: CWE
CWE ID: CWE-770
Description: CWE-770: Allocation of Resources Without Limits or Throttling
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/discourse/discourse/security/advisories/GHSA-rqgr-g6v7-jcfc
x_refsource_CONFIRM
Hyperlink: https://github.com/discourse/discourse/security/advisories/GHSA-rqgr-g6v7-jcfc
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/discourse/discourse/security/advisories/GHSA-rqgr-g6v7-jcfc
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/discourse/discourse/security/advisories/GHSA-rqgr-g6v7-jcfc
Resource:
x_refsource_CONFIRM
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:26 Jan, 2023 | 21:18
Updated At:06 Feb, 2023 | 17:03

Discourse is an open source platform for community discussion. Versions prior to 3.0.1 (stable), 3.1.0.beta2 (beta), and 3.1.0.beta2 (tests-passed) are subject to Allocation of Resources Without Limits or Throttling. As there is no limit on data contained in a draft, a malicious user can create an arbitrarily large draft, forcing the instance to a crawl. This issue is patched in versions 3.0.1 (stable), 3.1.0.beta2 (beta), and 3.1.0.beta2 (tests-passed). There are no workarounds.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CPE Matches

Civilized Discourse Construction Kit, Inc.
discourse
>>discourse>>Versions before 3.0.1(exclusive)
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
Civilized Discourse Construction Kit, Inc.
discourse
>>discourse>>3.1.0
cpe:2.3:a:discourse:discourse:3.1.0:beta1:*:*:beta:*:*:*
Weaknesses
CWE IDTypeSource
CWE-770Primarysecurity-advisories@github.com
CWE ID: CWE-770
Type: Primary
Source: security-advisories@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/discourse/discourse/security/advisories/GHSA-rqgr-g6v7-jcfcsecurity-advisories@github.com
Third Party Advisory
Hyperlink: https://github.com/discourse/discourse/security/advisories/GHSA-rqgr-g6v7-jcfc
Source: security-advisories@github.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

294Records found

CVE-2023-22740
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.68% / 48.39%
||
7 Day CHG~0.00%
Published-27 Jan, 2023 | 00:39
Updated-10 Mar, 2025 | 21:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse vulnerable to Allocation of Resources Without Limits via Chat drafts

Discourse is an open source platform for community discussion. Versions prior to 3.1.0.beta1 (beta) (tests-passed) are vulnerable to Allocation of Resources Without Limits. Users can create chat drafts of an unlimited length, which can cause a denial of service by generating an excessive load on the server. Additionally, an unlimited number of drafts were loaded when loading the user. This issue has been patched in version 2.1.0.beta1 (beta) and (tests-passed). Users should upgrade to the latest version where a limit has been introduced. There are no workarounds available.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-40588
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.51% / 40.24%
||
7 Day CHG~0.00%
Published-15 Sep, 2023 | 19:23
Updated-24 Sep, 2024 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse DoS via 2FA and Security Key Names

Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious user could add a 2FA or security key with a carefully crafted name to their account and cause a denial of service for other users. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. There are no known workarounds.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-68934
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 14.35%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 19:19
Updated-30 Jan, 2026 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse Has Denial of Service (DoS) Vulnerability in Drafts Creation Endpoint

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as the shared worker pool becomes exhausted. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Lowering the max_draft_length site setting reduces attack surface but does not fully mitigate the issue, as payloads under the limit can still trigger the slow code path.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-41043
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.51% / 40.24%
||
7 Day CHG~0.00%
Published-15 Sep, 2023 | 19:27
Updated-24 Sep, 2024 | 18:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse DoS via SvgSprite cache

Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious admin could create extremely large icons sprites, which would then be cached in each server process. This may cause server processes to be killed and lead to downtime. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. This is only a concern for multisite installations. No action is required when the admins are trusted.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-41042
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.51% / 39.98%
||
7 Day CHG~0.00%
Published-15 Sep, 2023 | 19:26
Updated-24 Sep, 2024 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse DoS via remote theme assets

Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, importing a remote theme loads their assets into memory without enforcing limits for file size or number of files. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. There are no known workarounds.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-38706
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.64% / 46.53%
||
7 Day CHG~0.00%
Published-15 Sep, 2023 | 19:22
Updated-24 Sep, 2024 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse vulnerable to DoS via drafts

Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious user can create an unlimited number of drafts with very long draft keys which may end up exhausting the resources on the server. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. There are no known workarounds.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-38498
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.58% / 43.79%
||
7 Day CHG~0.00%
Published-28 Jul, 2023 | 15:18
Updated-10 Oct, 2024 | 16:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse vulnerable to DoS via defer queue

Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a malicious user can prevent the defer queue from proceeding promptly on sites hosted in the same multisite installation. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. There are no known workarounds for this vulnerability. Users of multisite configurations should upgrade.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-25167
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.57% / 43.25%
||
7 Day CHG~0.00%
Published-08 Feb, 2023 | 19:31
Updated-10 Mar, 2025 | 21:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Regular expression denial of service via installing themes via git in discourse

Discourse is an open source discussion platform. In affected versions a malicious user can cause a regular expression denial of service using a carefully crafted git URL. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this issue.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-1333
Inefficient Regular Expression Complexity
CVE-2023-36818
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.70% / 48.99%
||
7 Day CHG+0.11%
Published-14 Jul, 2023 | 21:16
Updated-18 Oct, 2024 | 17:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service via User Custom Sidebar Section Unlimited Link Creation in discourse

Discourse is an open source discussion platform. In affected versions a request to create or update custom sidebar section can cause a denial of service. This issue has been patched in commit `52b003d915`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-39232
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.98% / 58.38%
||
7 Day CHG~0.00%
Published-29 Sep, 2022 | 20:15
Updated-23 Apr, 2025 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse vulnerable to incomplete quote causing a topic to crash in the browser

Discourse is an open source discussion platform. Starting with version 2.9.0.beta5 and prior to version 2.9.0.beta10, an incomplete quote can generate a JavaScript error which will crash the current page in the browser in some cases. Version 2.9.0.beta10 added a fix and tests to ensure incomplete quotes won't break the app. As a workaround, the quote can be fixed via the rails console.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-20
Improper Input Validation
CVE-2024-53851
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.44% / 35.56%
||
7 Day CHG~0.00%
Published-04 Feb, 2025 | 21:16
Updated-26 Sep, 2025 | 13:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Partial denial of service via inline oneboxes in Discourse

Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service on some parts of the app. This vulnerability is only exploitable by authenticated users. This issue has been patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. Users unable to upgrade should turn off the `enable inline onebox on all domains` site setting and remove all entries from the `allowed inline onebox domains` site setting.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-23641
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.16% / 63.57%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 20:15
Updated-23 Apr, 2025 | 19:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in Discourse

Discourse is an open source discussion platform. In versions prior to 2.8.1 in the `stable` branch, 2.9.0.beta2 in the `beta` branch, and 2.9.0.beta2 in the `tests-passed` branch, users can trigger a Denial of Service attack by posting a streaming URL. Parsing Oneboxes in the background job trigger an infinite loop, which cause memory leaks. This issue is patched in version 2.8.1 of the `stable` branch, 2.9.0.beta2 of the `beta` branch, and 2.9.0.beta2 of the `tests-passed` branch. As a workaround, disable onebox in admin panel completely or specify allow list of domains that will be oneboxed.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2024-27085
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.57% / 43.35%
||
7 Day CHG~0.00%
Published-15 Mar, 2024 | 19:22
Updated-26 Aug, 2025 | 16:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service through invites in Discourse

Discourse is an open source platform for community discussion. In affected versions users that are allowed to invite others can inject arbitrarily large data in parameters used in the invite route. The problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable invites or restrict access to them using the `invite allowed groups` site setting.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-27100
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.56% / 42.61%
||
7 Day CHG~0.00%
Published-15 Mar, 2024 | 19:21
Updated-26 Aug, 2025 | 16:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service via Staff Actions in Discourse

Discourse is an open source platform for community discussion. In affected versions the endpoints for suspending users, silencing users and exporting CSV files weren't enforcing limits on the sizes of the parameters that they accept. This could lead to excessive resource consumption which could render an instance inoperable. A site could be disrupted by either a malicious moderator on the same site or a malicious staff member on another site in the same multisite cluster. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-23548
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.73% / 50.33%
||
7 Day CHG~0.00%
Published-05 Jan, 2023 | 00:00
Updated-10 Mar, 2025 | 21:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, parsing posts can be susceptible to regular expression denial of service (ReDoS) attacks. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-1333
Inefficient Regular Expression Complexity
CVE-2024-36113
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.42% / 33.88%
||
7 Day CHG~0.00%
Published-03 Jul, 2024 | 19:07
Updated-18 Sep, 2024 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse missing authorization checks for suspending admins/moderators

Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch, a rogue staff user could suspend other staff users preventing them from logging in to the site. The issue is patched in version 3.2.3 on the `stable` branch, version 3.3.0.beta3 on the `beta` branch, and version 3.3.0.beta4-dev on the `tests-passed` branch. No known workarounds are available.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-862
Missing Authorization
CVE-2022-23549
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-5.7||MEDIUM
EPSS-0.57% / 43.61%
||
7 Day CHG~0.00%
Published-05 Jan, 2023 | 00:00
Updated-10 Mar, 2025 | 21:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse vulnerable to bypass of post max_length using HTML comments

Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, users can create posts with raw body longer than the `max_length` site setting by including html comments that are not counted toward the character limit. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-20
Improper Input Validation
CVE-2023-28107
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-4.5||MEDIUM
EPSS-0.65% / 47.13%
||
7 Day CHG~0.00%
Published-17 Mar, 2023 | 16:23
Updated-25 Feb, 2025 | 14:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse vulnerable to multisite DoS by spamming backups

Discourse is an open-source discussion platform. Prior to version 3.0.2 of the `stable` branch and version 3.1.0.beta3 of the `beta` and `tests-passed` branches, a user logged as an administrator can request backups multiple times, which will eat up all the connections to the DB. If this is done on a site using multisite, then it can affect the whole cluster. The vulnerability is patched in version 3.0.2 of the `stable` branch and version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-48053
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.32% / 23.58%
||
7 Day CHG~0.00%
Published-09 Jun, 2025 | 12:30
Updated-25 Sep, 2025 | 20:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse vulnerable to DoS via large URL payload in PM to a bot

Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, sending a malicious URL in a PM to a bot user can cause a reduced the availability of a Discourse instance. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. No known workarounds are available.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-46159
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.60% / 45.00%
||
7 Day CHG~0.00%
Published-02 Dec, 2022 | 14:15
Updated-23 Apr, 2025 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Any authenticated Discourse user can create an unlisted topic

Discourse is an open-source discussion platform. In version 2.8.13 and prior on the `stable` branch and version 2.9.0.beta14 and prior on the `beta` and `tests-passed` branches, any authenticated user can create an unlisted topic. These topics, which are not readily available to other users, can take up unnecessary site resources. A patch for this issue is available in the `main` branch of Discourse. There are no known workarounds available.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-41921
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-3.5||LOW
EPSS-0.50% / 39.68%
||
7 Day CHG~0.00%
Published-28 Nov, 2022 | 00:00
Updated-23 Apr, 2025 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse chat messages should have a maximum character limit

Discourse is an open-source discussion platform. Prior to version 2.9.0.beta13, users can post chat messages of an unlimited length, which can cause a denial of service for other users when posting huge amounts of text. Users should upgrade to version 2.9.0.beta13, where a limit has been introduced. No known workarounds are available.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-31184
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.57% / 43.46%
||
7 Day CHG~0.00%
Published-01 Aug, 2022 | 19:40
Updated-23 Apr, 2025 | 17:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Email activation route can be abused by spammers in Discourse

Discourse is the an open source discussion platform. In affected versions an email activation route can be abused to send mass spam emails. A fix has been included in the latest stable, beta and tests-passed versions of Discourse which rate limits emails. Users are advised to upgrade. Users unable to upgrade should manually rate limit email.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-21658
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 28.46%
||
7 Day CHG~0.00%
Published-30 Aug, 2024 | 17:18
Updated-05 Sep, 2024 | 14:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficient control of region value length in discourse-calendar

discourse-calendar is a discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. The limit on region value length is too generous. This allows a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched in main the main branch. There are no workarounds for this vulnerability. Please upgrade as soon as possible.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discourse_calendardiscourse-calendar
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-21655
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.57% / 43.21%
||
7 Day CHG~0.00%
Published-12 Jan, 2024 | 20:46
Updated-03 Jun, 2025 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficient control of custom field value sizes

Discourse is a platform for community discussion. For fields that are client editable, limits on sizes are not imposed. This allows a malicious actor to cause a Discourse instance to use excessive disk space and also often excessive bandwidth. The issue is patched 3.1.4 and 3.2.0.beta4.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-47120
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.98% / 58.34%
||
7 Day CHG~0.00%
Published-10 Nov, 2023 | 15:09
Updated-03 Sep, 2024 | 18:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse DoS through Onebox favicon URL

Discourse is an open source platform for community discussion. In versions 3.1.0 through 3.1.2 of the `stable` branch and versions 3.1.0,beta6 through 3.2.0.beta2 of the `beta` and `tests-passed` branches, Redis memory can be depleted by crafting a site with an abnormally long favicon URL and drafting multiple posts which Onebox it. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscoursediscourse
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-46130
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.70% / 49.12%
||
7 Day CHG~0.00%
Published-10 Nov, 2023 | 14:54
Updated-03 Sep, 2024 | 18:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bypassing height value allowed in some theme components

Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, some theme components allow users to add svgs with unlimited `height` attributes, and this can affect the availability of subsequent replies in a topic. Most Discourse instances are unaffected, only instances with the svgbob or the mermaid theme component are within scope. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. As a workaround, disable or remove the relevant theme components.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-38684
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.53% / 41.30%
||
7 Day CHG~0.00%
Published-28 Jul, 2023 | 15:25
Updated-10 Oct, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse vulnerable to ossible DDoS due to unbounded limits in various controller actions

Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, in multiple controller actions, Discourse accepts limit params but does not impose any upper bound on the values being accepted. Without an upper bound, the software may allow arbitrary users to generate DB queries which may end up exhausting the resources on the server. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscoursediscourse
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-37906
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.45% / 36.39%
||
7 Day CHG~0.00%
Published-28 Jul, 2023 | 15:13
Updated-10 Oct, 2024 | 16:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse vulnerable to DoS via post edit reason

Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a malicious user can edit a post in a topic and cause a DoS with a carefully crafted edit reason. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-39226
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.80% / 52.68%
||
7 Day CHG~0.00%
Published-29 Sep, 2022 | 20:05
Updated-23 Apr, 2025 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse user profile location and website fields were not sufficiently length-limited

Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, a malicious actor can add large payloads of text into the Location and Website fields of a user profile, which causes issues for other users when loading that profile. A fix to limit the length of user input for these fields is included in version 2.8.9 on the `stable` branch and version 2.9.0.beta10 on the `beta` and `tests-passed` branches. There are no known workarounds.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-68659
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.32%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 18:51
Updated-30 Jan, 2026 | 20:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse has DoS vulnerability in username change endpoint

Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-57708
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-2.3||LOW
EPSS-0.45% / 36.22%
||
7 Day CHG~0.00%
Published-11 Feb, 2026 | 12:17
Updated-12 Feb, 2026 | 14:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qsync Central

An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qsync_centralQsync Central
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-6509
Matching Score-4
Assigner-Axis Communications AB
ShareView Details
Matching Score-4
Assigner-Axis Communications AB
CVSS Score-6.5||MEDIUM
EPSS-0.39% / 31.40%
||
7 Day CHG~0.00%
Published-10 Sep, 2024 | 04:58
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Action-Not Available
Vendor-Axis Communications AB
Product-AXIS OS
CWE ID-CWE-155
Improper Neutralization of Wildcards or Matching Symbols
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-3566
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-1.37% / 68.75%
||
7 Day CHG~0.00%
Published-08 Jul, 2023 | 17:31
Updated-02 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
wallabag Profile Config config allocation of resources

A vulnerability was found in wallabag 2.5.4. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /config of the component Profile Config. The manipulation of the argument Name leads to allocation of resources. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-233359. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-wallabagn/a
Product-wallabagwallabag
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-55670
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-7.1||HIGH
EPSS-0.29% / 20.52%
||
7 Day CHG~0.00%
Published-15 Oct, 2025 | 13:55
Updated-26 Feb, 2026 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BIG-IP Next (CNF, SPK, and Kubernetes) vulnerability

On BIG-IP Next CNF, BIG-IP Next SPK, and BIG-IP Next for Kubernetes systems, repeated undisclosed API calls can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Action-Not Available
Vendor-F5, Inc.
Product-big-ip_next_for_kubernetesbig-ip_next_service_proxy_for_kubernetesbig-ip_next_cloud-native_network_functionsBIG-IP Next CNFBIG-IP Next SPKBIG-IP Next for Kubernetes
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-53410
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.45% / 36.50%
||
7 Day CHG~0.00%
Published-07 Nov, 2025 | 15:14
Updated-14 Nov, 2025 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Station 5

An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-file_stationFile Station 5
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-53409
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.45% / 36.50%
||
7 Day CHG~0.00%
Published-07 Nov, 2025 | 15:14
Updated-14 Nov, 2025 | 20:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Station 5

An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-file_stationFile Station 5
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-34149
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-4.3||MEDIUM
EPSS-5.40% / 91.79%
||
7 Day CHG~0.00%
Published-14 Jun, 2023 | 07:48
Updated-13 Feb, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Struts: DoS via OOM owing to not properly checking of list bounds

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.

Action-Not Available
Vendor-The Apache Software Foundation
Product-strutsApache Struts
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-34389
Matching Score-4
Assigner-Schweitzer Engineering Laboratories, Inc.
ShareView Details
Matching Score-4
Assigner-Schweitzer Engineering Laboratories, Inc.
CVSS Score-4.5||MEDIUM
EPSS-0.66% / 47.63%
||
7 Day CHG~0.00%
Published-30 Nov, 2023 | 16:54
Updated-02 Dec, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allocation of resources without limits could lead to denial of service

An allocation of resources without limits or throttling vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow a remote authenticated attacker to make the system unavailable for an indefinite amount of time. See product Instruction Manual Appendix A dated 20230830 for more details.

Action-Not Available
Vendor-Schweitzer Engineering Laboratories, Inc. (SEL)
Product-sel-451sel-451_firmwareSEL-451
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-29770
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.42% / 34.17%
||
7 Day CHG~0.00%
Published-19 Mar, 2025 | 15:31
Updated-31 Jul, 2025 | 15:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vLLM denial of service via outlines unbounded cache on disk

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. The outlines library is one of the backends used by vLLM to support structured output (a.k.a. guided decoding). Outlines provides an optional cache for its compiled grammars on the local filesystem. This cache has been on by default in vLLM. Outlines is also available by default through the OpenAI compatible API server. The affected code in vLLM is vllm/model_executor/guided_decoding/outlines_logits_processors.py, which unconditionally uses the cache from outlines. A malicious user can send a stream of very short decoding requests with unique schemas, resulting in an addition to the cache for each request. This can result in a Denial of Service if the filesystem runs out of space. Note that even if vLLM was configured to use a different backend by default, it is still possible to choose outlines on a per-request basis using the guided_decoding_backend key of the extra_body field of the request. This issue applies only to the V0 engine and is fixed in 0.8.0.

Action-Not Available
Vendor-vllmvllm-project
Product-vllmvllm
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-32481
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-4.9||MEDIUM
EPSS-0.50% / 39.35%
||
7 Day CHG~0.00%
Published-20 Jul, 2023 | 11:26
Updated-17 Oct, 2024 | 14:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Wyse Management Suite versions prior to 4.0 contain a denial-of-service vulnerability. An authenticated malicious user can flood the configured SMTP server with numerous requests in order to deny access to the system.

Action-Not Available
Vendor-Dell Inc.
Product-wyse_management_suiteWyse Management Suite
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-32699
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.59% / 44.15%
||
7 Day CHG~0.00%
Published-30 May, 2023 | 18:59
Updated-10 Jan, 2025 | 16:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MeterSphere denial of service vulnerability

MeterSphere is an open source continuous testing platform. Version 2.9.1 and prior are vulnerable to denial of service. ​The `checkUserPassword` method is used to check whether the password provided by the user matches the password saved in the database, and the `CodingUtil.md5` method is used to encrypt the original password with MD5 to ensure that the password will not be saved in plain text when it is stored. If a user submits a very long password when logging in, the system will be forced to execute the long password MD5 encryption process, causing the server CPU and memory to be exhausted, thereby causing a denial of service attack on the server. This issue is fixed in version 2.10.0-lts with a maximum password length.

Action-Not Available
Vendor-MeterSphere (FIT2CLOUD Inc.)
Product-meterspheremetersphere
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-2853
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.41% / 33.13%
||
7 Day CHG~0.00%
Published-22 May, 2025 | 13:30
Updated-29 May, 2025 | 15:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allocation of Resources Without Limits or Throttling in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of proper validation in GitLab could allow an authenticated user to cause a denial of service condition.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-52867
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-6||MEDIUM
EPSS-0.39% / 30.96%
||
7 Day CHG~0.00%
Published-03 Oct, 2025 | 18:14
Updated-08 Oct, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qsync Central

An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.2 ( 2025/07/31 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qsync_centralQsync Central
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-5253
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-6.5||MEDIUM
EPSS-0.39% / 31.34%
||
7 Day CHG~0.00%
Published-25 Jul, 2025 | 11:27
Updated-05 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DoS in Kron Technologies' Kron PAM

Allocation of Resources Without Limits or Throttling vulnerability in Kron Technologies Kron PAM allows HTTP DoS. This issue affects Kron PAM: before 3.7.

Action-Not Available
Vendor-Kron Technologies
Product-Kron PAM
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-30443
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.48% / 38.09%
||
7 Day CHG+0.01%
Published-19 Dec, 2024 | 01:04
Updated-31 Jan, 2025 | 15:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Db2 denial of service

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted query.

Action-Not Available
Vendor-Microsoft CorporationHP Inc.IBM CorporationLinux Kernel Organization, IncOracle Corporation
Product-hp-uxwindowssolarisaixlinux_kerneldb2Db2 for Linux, UNIX and Windows
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-50172
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.40% / 69.38%
||
7 Day CHG+0.09%
Published-12 Aug, 2025 | 17:10
Updated-13 Feb, 2026 | 18:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DirectX Graphics Kernel Denial of Service Vulnerability

Allocation of resources without limits or throttling in Windows DirectX allows an authorized attacker to deny service over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_11_23h2windows_10_22h2windows_server_2019windows_server_2022windows_server_2022_23h2windows_10_1809windows_10_21h2windows_server_2025windows_11_24h2windows_11_22h2Windows Server 2025Windows Server 2022Windows 11 Version 24H2Windows Server 2025 (Server Core installation)Windows 11 Version 23H2Windows Server 2019 (Server Core installation)Windows 10 Version 1809Windows 11 version 22H2Windows 10 Version 21H2Windows Server 2022, 23H2 Edition (Server Core installation)Windows 11 version 22H3Windows 10 Version 22H2Windows Server 2019
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-27492
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.69% / 48.52%
||
7 Day CHG~0.00%
Published-04 Apr, 2023 | 18:34
Updated-11 Feb, 2025 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Envoy may crash when a large request body is processed in Lua filter

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the Lua filter is vulnerable to denial of service. Attackers can send large request bodies for routes that have Lua filter enabled and trigger crashes. As of versions versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy no longer invokes the Lua coroutine if the filter has been reset. As a workaround for those whose Lua filter is buffering all requests/ responses, mitigate by using the buffer filter to avoid triggering the local reply in the Lua filter.

Action-Not Available
Vendor-envoyproxyenvoyproxy
Product-envoyenvoy
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-5573
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.7||MEDIUM
EPSS-0.54% / 42.00%
||
7 Day CHG~0.00%
Published-13 Oct, 2023 | 09:56
Updated-17 Sep, 2024 | 13:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allocation of Resources Without Limits or Throttling in vriteio/vrite

Allocation of Resources Without Limits or Throttling in GitHub repository vriteio/vrite prior to 0.3.0.

Action-Not Available
Vendor-vritevriteio
Product-vritevriteio/vrite
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-25822
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.51% / 40.18%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 13:13
Updated-19 Sep, 2024 | 13:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ReportPortal DoS vulnerability on creating a Launch with too many recursively nested elements

ReportPortal is an AI-powered test automation platform. Prior to version 5.10.0 of the `com.epam.reportportal:service-api` module, corresponding to ReportPortal version 23.2, the ReportPortal database becomes unstable and reporting almost fully stops except for small launches with approximately 1 test inside when the test_item.path field is exceeded the allowable `ltree` field type indexing limit (path length>=120, approximately recursive nesting of the nested steps). REINDEX INDEX path_gist_idx and path_idx aren't helped. The problem was fixed in `com.epam.reportportal:service-api` module version 5.10.0 (product release 23.2), where the maximum number of nested elements were programmatically limited. A workaround is available. After deletion of the data with long paths, and reindexing both indexes (path_gist_idx and path_idx), the database becomes stable and ReportPortal works properly.

Action-Not Available
Vendor-reportportalreportportal
Product-reportportalservice-apireportportal
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-47793
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.66% / 47.56%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 14:31
Updated-08 Sep, 2025 | 21:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nextcloud Server and Groupfolders app vulnerable to bypass of group folder quota limit using attachment in text file

Nextcloud Server is a self hosted personal cloud system, and the Nextcloud Groupfolders app provides admin-configured folders shared by everyone in a group or team. In Nextcloud Server prior to 30.0.2, 29.0.9, and 28.0.1, Nextcloud Enterprise Server prior to 30.0.2 and 29.0.9, and Nextcloud Groupfolders app prior to 18.0.3, 17.0.5, and 16.0.11, the absence of quota checking on attachments allowed logged-in users to upload files exceeding the group folder quota. Nextcloud Server versions 30.0.2 and 29.0.9, Nextcloud Enterprise Server versions 30.0.2, 29.0.9, or 28.0.12, and Nextcloud Groupfolders app 18.0.3, 17.0.5, and 16.0.11 fix the issue. No known workarounds are available.

Action-Not Available
Vendor-Nextcloud GmbH
Product-group_foldersnextcloud_serversecurity-advisories
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • Next
Details not found