Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-58368

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-18 Jul, 2026 | 13:10
Updated At-18 Jul, 2026 | 13:10
Rejected At-
Credits

SurrealDB before 1.1.0 Denial of Service via HTTP Headers

SurrealDB versions before 1.1.0 fail to properly parse the ID, DB, and NS headers in HTTP REST API requests containing special characters. Unauthenticated attackers can send crafted HTTP requests with malformed header values to trigger an uncaught exception that crashes the server.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:18 Jul, 2026 | 13:10
Updated At:18 Jul, 2026 | 13:10
Rejected At:
â–¼CVE Numbering Authority (CNA)
SurrealDB before 1.1.0 Denial of Service via HTTP Headers

SurrealDB versions before 1.1.0 fail to properly parse the ID, DB, and NS headers in HTTP REST API requests containing special characters. Unauthenticated attackers can send crafted HTTP requests with malformed header values to trigger an uncaught exception that crashes the server.

Affected Products
Vendor
surrealdb
Product
surrealdb
Default Status
unaffected
Versions
Affected
  • From 0 before 1.1.0 (semver)
Unaffected
  • 1.1.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-248Uncaught Exception
Type: CWE
CWE ID: CWE-248
Description: Uncaught Exception
Metrics
VersionBase scoreBase severityVector
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
Tu0Laj1
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/surrealdb/surrealdb/security/advisories/GHSA-m24x-r6q3-2vp9
vendor-advisory
https://www.vulncheck.com/advisories/surrealdb-before-denial-of-service-via-http-headers
third-party-advisory
Hyperlink: https://github.com/surrealdb/surrealdb/security/advisories/GHSA-m24x-r6q3-2vp9
Resource:
vendor-advisory
Hyperlink: https://www.vulncheck.com/advisories/surrealdb-before-denial-of-service-via-http-headers
Resource:
third-party-advisory
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:18 Jul, 2026 | 14:17
Updated At:18 Jul, 2026 | 14:17

SurrealDB versions before 1.1.0 fail to properly parse the ID, DB, and NS headers in HTTP REST API requests containing special characters. Unauthenticated attackers can send crafted HTTP requests with malformed header values to trigger an uncaught exception that crashes the server.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: Secondary
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-248Primarydisclosure@vulncheck.com
CWE ID: CWE-248
Type: Primary
Source: disclosure@vulncheck.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/surrealdb/surrealdb/security/advisories/GHSA-m24x-r6q3-2vp9disclosure@vulncheck.com
N/A
https://www.vulncheck.com/advisories/surrealdb-before-denial-of-service-via-http-headersdisclosure@vulncheck.com
N/A
Hyperlink: https://github.com/surrealdb/surrealdb/security/advisories/GHSA-m24x-r6q3-2vp9
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://www.vulncheck.com/advisories/surrealdb-before-denial-of-service-via-http-headers
Source: disclosure@vulncheck.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

110Records found

CVE-2024-58357
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-Not Assigned
Published-18 Jul, 2026 | 13:10
Updated-18 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SurrealDB before 2.1.0 Denial of Service via rand::time()

SurrealDB versions before 2.1.0 contain an uncaught exception vulnerability in the rand::time() function that panics when unwrap is called on a None result from timestamp_opt. Authorized clients can repeatedly invoke rand::time() to reliably trigger server panics and cause denial of service.

Action-Not Available
Vendor-surrealdb
Product-surrealdb
CWE ID-CWE-248
Uncaught Exception
CVE-2024-58358
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 13:10
Updated-18 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SurrealDB before 2.1.0 Denial of Service via Nonexistent Role

SurrealDB versions before 2.1.0 contain a denial of service vulnerability in role conversion that allows privileged owner users to define users with nonexistent roles. Attackers can trigger an uncaught panic by signing in with a user assigned an invalid role, crashing the server.

Action-Not Available
Vendor-surrealdb
Product-surrealdb
CWE ID-CWE-248
Uncaught Exception
CVE-2024-58359
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-Not Assigned
Published-18 Jul, 2026 | 13:10
Updated-18 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SurrealDB before 2.1.0 Denial of Service via rand() Sorting

SurrealDB versions before 2.1.0 contain a denial of service vulnerability in the sorting mechanism when using ORDER BY rand() clause. Authorized clients can execute queries with ORDER BY rand() to trigger a panic in the sorting function, crashing the server.

Action-Not Available
Vendor-surrealdb
Product-surrealdb
CWE ID-CWE-248
Uncaught Exception
CVE-2024-58361
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-Not Assigned
Published-18 Jul, 2026 | 13:10
Updated-18 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SurrealDB before 2.0.4 Denial of Service via Parser Exception

SurrealDB versions before 2.0.4 contain an uncaught exception handling vulnerability in the parser error rendering code when processing empty strings. Authorized clients can execute malformed queries with empty string conversions to record, duration, or datetime types that cause a panic in error rendering, crashing the server.

Action-Not Available
Vendor-surrealdb
Product-surrealdb
CWE ID-CWE-248
Uncaught Exception
CVE-2024-58364
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-Not Assigned
Published-18 Jul, 2026 | 13:10
Updated-18 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SurrealDB before 1.2.1 Denial of Service via Parsing Error

SurrealDB versions before 1.2.1 contain an uncaught exception handling vulnerability in span rendering when parsing queries with errors on line terminator characters. Authorized clients can submit malformed queries that trigger a panic in the span rendering code, crashing the server and causing denial of service.

Action-Not Available
Vendor-surrealdb
Product-surrealdb
CWE ID-CWE-248
Uncaught Exception
CVE-2024-58365
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-Not Assigned
Published-18 Jul, 2026 | 13:10
Updated-18 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SurrealDB before 1.2.0 Denial of Service via Nonexistent Function

SurrealDB versions before 1.2.0 contain an uncaught exception vulnerability in the query executor when processing calls to nonexistent built-in functions. Authorized clients can craft pre-parsed queries invoking nonexistent functions to trigger a panic that crashes the server.

Action-Not Available
Vendor-surrealdb
Product-surrealdb
CWE ID-CWE-248
Uncaught Exception
CVE-2024-58369
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-Not Assigned
Published-18 Jul, 2026 | 13:10
Updated-18 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SurrealDB before 1.1.1 Denial of Service via Global Parameters

SurrealDB versions before 1.1.1 fail to properly validate invocation of custom parameters and functions at root or namespace levels, causing server panic. Authorized clients can invoke these entities at unsupported levels to crash the SurrealDB server, resulting in denial of service.

Action-Not Available
Vendor-surrealdb
Product-surrealdb
CWE ID-CWE-248
Uncaught Exception
CVE-2025-71391
Matching Score-6
Assigner-VulnCheck
ShareView Details
Matching Score-6
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-Not Assigned
Published-18 Jul, 2026 | 13:10
Updated-18 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SurrealDB before 2.2.2 Denial of Service via /sql endpoint

SurrealDB versions before 2.2.2 contain an uncaught exception vulnerability in the net module that allows authenticated users to crash the database. Attackers can send crafted HTTP queries containing null bytes to the /sql endpoint, causing an unhandled exception that crashes the SurrealDB instance and any dependent applications.

Action-Not Available
Vendor-surrealdb
Product-surrealdb
CWE ID-CWE-248
Uncaught Exception
CVE-2024-3051
Matching Score-4
Assigner-Silicon Labs
ShareView Details
Matching Score-4
Assigner-Silicon Labs
CVSS Score-7.5||HIGH
EPSS-0.48% / 38.05%
||
7 Day CHG~0.00%
Published-26 Apr, 2024 | 21:26
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Z/IP Gateway Device Reset Locally Denial of Service Vulnerability

Malformed Device Reset Locally command classes can be sent to temporarily deny service to an end device. Any frames sent by the end device will not be acknowledged by the gateway during this time.

Action-Not Available
Vendor-silabs.comsilabs
Product-Z/IP Gateway SDKz\/ip_gateway_sdk
CWE ID-CWE-248
Uncaught Exception
CWE ID-CWE-419
Unprotected Primary Channel
CVE-2023-23932
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.74% / 50.39%
||
7 Day CHG~0.00%
Published-03 Feb, 2023 | 20:08
Updated-10 Mar, 2025 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Specially crafted RTPS message may cause an OpenDDS application to crash

OpenDDS is an open source C++ implementation of the Object Management Group (OMG) Data Distribution Service (DDS). OpenDDS applications that are exposed to untrusted RTPS network traffic may crash when parsing badly-formed input. This issue has been patched in version 3.23.1.

Action-Not Available
Vendor-objectcomputingOpenDDS
Product-openddsOpenDDS
CWE ID-CWE-248
Uncaught Exception
CVE-2023-22477
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-1.06% / 60.62%
||
7 Day CHG~0.00%
Published-09 Jan, 2023 | 14:12
Updated-10 Mar, 2025 | 21:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mercurius is vulnerable to denial of service (DoS) when using subscriptions

Mercurius is a GraphQL adapter for Fastify. Any users of Mercurius until version 10.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to `/graphql`. This issue was patched in #940. As a workaround, users can disable subscriptions.

Action-Not Available
Vendor-mercurius_projectmercurius-js
Product-mercuriusmercurius
CWE ID-CWE-248
Uncaught Exception
CVE-2024-23325
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.75% / 50.85%
||
7 Day CHG~0.00%
Published-09 Feb, 2024 | 22:47
Updated-27 Aug, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Envoy crashes when using an address type that isn’t supported by the OS

Envoy is a high-performance edge/middle/service proxy. Envoy crashes in Proxy protocol when using an address type that isn’t supported by the OS. Envoy is susceptible to crashing on a host with IPv6 disabled and a listener config with proxy protocol enabled when it receives a request where the client presents its IPv6 address. It is valid for a client to present its IPv6 address to a target server even though the whole chain is connected via IPv4. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-envoyproxyenvoyproxyenvoyproxy
Product-envoyenvoyenvoy
CWE ID-CWE-755
Improper Handling of Exceptional Conditions
CWE ID-CWE-248
Uncaught Exception
CVE-2023-22941
Matching Score-4
Assigner-Splunk Inc.
ShareView Details
Matching Score-4
Assigner-Splunk Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.03% / 59.76%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 17:22
Updated-28 Feb, 2025 | 11:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a Field Transformation crashes the Splunk daemon (splunkd).

Action-Not Available
Vendor-Splunk LLC (Cisco Systems, Inc.)
Product-splunksplunk_cloud_platformSplunk Cloud PlatformSplunk Enterprise
CWE ID-CWE-248
Uncaught Exception
CVE-2023-2251
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-1.09% / 61.70%
||
7 Day CHG~0.00%
Published-24 Apr, 2023 | 00:00
Updated-04 Feb, 2025 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncaught Exception in eemeli/yaml

Uncaught Exception in GitHub repository eemeli/yaml prior to 2.0.0-5.

Action-Not Available
Vendor-yaml_projecteemeli
Product-yamleemeli/yaml
CWE ID-CWE-248
Uncaught Exception
CVE-2024-20137
Matching Score-4
Assigner-MediaTek, Inc.
ShareView Details
Matching Score-4
Assigner-MediaTek, Inc.
CVSS Score-7.5||HIGH
EPSS-1.22% / 65.38%
||
7 Day CHG~0.00%
Published-02 Dec, 2024 | 03:07
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In wlan driver, there is a possible client disconnection due to improper handling of exceptional conditions. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00384543; Issue ID: MSV-1727.

Action-Not Available
Vendor-MediaTek Inc.
Product-MT6890, MT7622, MT7915, MT7916, MT7981, MT7986mt7981mt6890mt7986mt7916mt7622mt7915
CWE ID-CWE-248
Uncaught Exception
CVE-2026-8161
Matching Score-4
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
ShareView Details
Matching Score-4
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
CVSS Score-7.5||HIGH
EPSS-0.47% / 37.87%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 08:50
Updated-12 May, 2026 | 15:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception

multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.

Action-Not Available
Vendor-multiparty
Product-multiparty
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE ID-CWE-248
Uncaught Exception
CVE-2024-11738
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.71% / 49.30%
||
7 Day CHG~0.00%
Published-06 Dec, 2024 | 14:54
Updated-20 Nov, 2025 | 18:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rustls: rustls network-reachable panic in `acceptor::accept`

A flaw was found in Rustls 0.23.13 and related APIs. This vulnerability allows denial of service (panic) via a fragmented TLS ClientHello message.

Action-Not Available
Vendor-rustls_projectRed Hat, Inc.
Product-rustlsRed Hat Trusted Artifact Signer
CWE ID-CWE-248
Uncaught Exception
CVE-2020-15796
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-7.5||HIGH
EPSS-1.59% / 72.92%
||
7 Day CHG~0.00%
Published-14 Dec, 2020 | 21:05
Updated-04 Aug, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SIMATIC ET 200SP Open Controller (incl. SIPLUS variants) (V20.8), SIMATIC S7-1500 Software Controller (V20.8). The web server of the affected products contains a vulnerability that could allow a remote attacker to trigger a denial-of-service condition by sending a specially crafted HTTP request.

Action-Not Available
Vendor-Siemens AG
Product-simatic_et_200sp_open_controllersimatic_et_200sp_open_controller_firmwaresimatic_s7-1500_software_controller_firmwaresimatic_s7-1500_software_controllerSIMATIC ET 200SP Open Controller (incl. SIPLUS variants)SIMATIC S7-1500 Software Controller
CWE ID-CWE-248
Uncaught Exception
CVE-2026-59892
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.44% / 35.35%
||
7 Day CHG~0.00%
Published-08 Jul, 2026 | 16:03
Updated-08 Jul, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenTelemetry JavaScript: Denial of service in `JaegerPropagator` via unhandled exception on a malformed header

OpenTelemetry JavaScript is the OpenTelemetry JavaScript client. Prior to 2.9.0, @opentelemetry/propagator-jaeger decodes incoming uber-trace-id and uberctx-* HTTP header values with decodeURIComponent() without handling decode errors, allowing an unauthenticated remote attacker to send a malformed percent-encoded value that throws an uncaught URIError and terminates a Node.js process using JaegerPropagator as the active propagator. This issue is fixed in version 2.9.0.

Action-Not Available
Vendor-open-telemetry
Product-opentelemetry-js
CWE ID-CWE-248
Uncaught Exception
CVE-2026-58208
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.59% / 44.40%
||
7 Day CHG~0.00%
Published-08 Jul, 2026 | 20:17
Updated-09 Jul, 2026 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NATS Server: MQTT-over-WebSocket Path Can Crash WebSocket-Only JetStream Servers Before MQTT Is Enabled

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with access to the WebSocket listener to reach uninitialized MQTT state and crash the server process. This issue is fixed in versions 2.14.3 and 2.12.12.

Action-Not Available
Vendor-nats-ioThe Linux Foundation
Product-nats-servernats-server
CWE ID-CWE-248
Uncaught Exception
CVE-2021-33010
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-1.03% / 59.77%
||
7 Day CHG~0.00%
Published-04 Apr, 2022 | 19:45
Updated-16 Apr, 2025 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AVEVA System Platform Uncaught Exception

An exception is thrown from a function in AVEVA System Platform versions 2017 through 2020 R2 P01, but it is not caught, which may cause a denial-of-service condition.

Action-Not Available
Vendor-AVEVA
Product-system_platformAVEVA System Platform
CWE ID-CWE-248
Uncaught Exception
CVE-2023-39948
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.89% / 55.42%
||
7 Day CHG~0.00%
Published-11 Aug, 2023 | 13:51
Updated-13 Feb, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncaught fastcdr exception (Unexpected CDR type received) crashing fastdds

eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.10.0 and 2.6.5, the `BadParamException` thrown by Fast CDR is not caught in Fast DDS. This can remotely crash any Fast DDS process. Versions 2.10.0 and 2.6.5 contain a patch for this issue.

Action-Not Available
Vendor-eprosimaeProsimaDebian GNU/Linux
Product-fast_ddsdebian_linuxFast-DDS
CWE ID-CWE-248
Uncaught Exception
CVE-2025-55553
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.38% / 30.32%
||
7 Day CHG~0.00%
Published-25 Sep, 2025 | 00:00
Updated-03 Oct, 2025 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS).

Action-Not Available
Vendor-n/aThe Linux Foundation
Product-pytorchn/a
CWE ID-CWE-248
Uncaught Exception
CVE-2025-53365
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.35% / 27.54%
||
7 Day CHG~0.00%
Published-04 Jul, 2025 | 22:03
Updated-08 Jul, 2025 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MCP Python SDK has Unhandled Exception in Streamable HTTP Transport ,Leading to Denial of Service

The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.10.0, if a client deliberately triggers an exception after establishing a streamable HTTP session, this can lead to an uncaught ClosedResourceError on the server side, causing the server to crash and requiring a restart to restore service. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures. Version 1.10.0 contains a patch for the issue.

Action-Not Available
Vendor-modelcontextprotocol
Product-python-sdk
CWE ID-CWE-248
Uncaught Exception
CVE-2023-5038
Matching Score-4
Assigner-Hanwha Vision Co., Ltd.
ShareView Details
Matching Score-4
Assigner-Hanwha Vision Co., Ltd.
CVSS Score-8.7||HIGH
EPSS-0.42% / 33.89%
||
7 Day CHG~0.00%
Published-25 Jun, 2024 | 02:14
Updated-02 Aug, 2024 | 07:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated DoS

badmonkey, a Security Researcher has found a flaw that allows for a unauthenticated DoS attack on the camera. An attacker runs a crafted URL, nobody can access the web management page of the camera. and must manually restart the device or re-power it. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.

Action-Not Available
Vendor-hanwhavisionHanwha Vision Co., Ltd.hanwhavision
Product-xnv-9083rzxnp-8250rxnf-9010rvm_firmwarexnd-8082rf_firmwarelno-6012rxnp-6400rxnv-8082rlnd-6072r_firmwarexnv-8082r_firmwarexnp-6400rwqnv-6082rqnv-6082r1_firmwarexno-9083r_firmwarelno-6022rxnp-8250qnv-6024rmqnd-8080r_firmwareqnv-6084rlno-6022r_firmwareqnv-7022r_firmwarexnd-6083rvqno-7012rxnv-6083r_firmwareqnd-6072r1_firmwarexnp-6400rw_firmwarexnv-8093r_firmwarepnm-c9022rvqnv-6082r1qnd-8021_firmwareqnv-6032r1xnv-8083zxno-6083rano-l6022r_firmwareqnb-8002_firmwareqno-8020rxnp-9300rw_firmwareqnd-7032rxnp-c8303rw_firmwarexnv-c7083rqnd-6012r_firmwarexno-9082rxnp-9250_firmwarepnm-7002vdqnd-6073r_firmwarexno-6123r_firmwarexnv-6083rqno-6022r1xnf-9010rv_firmwareqnv-6022r_firmwareqnd-6082r1pnm-9000qbqnd-6083rxno-9083rqno-6032rqnd-7032r_firmwarexnd-8082rv_firmwareqnd-6082r_firmwarexnd-c6083rvxno-c9083rxnd-9082rvpnm-9031rvxnv-8083z_firmwareqnv-7082r_firmwarexnp-c9253_firmwarexno-9082r_firmwareqnv-8030rtnv-c7013rcpnm-9084rqz1_firmwarexno-8082rqnv-6032rqnd-8020r_firmwarexnd-9082rf_firmwarexno-8082r_firmwareqno-6073r_firmwareanv-l6082r_firmwareqnd-6012r1_firmwarelnv-6032rxnv-6083zlnv-6072r_firmwareano-l7022r_firmwarexnv-9083rqnv-6032r_firmwareqnv-6032r1_firmwarexnd-8093rv_firmwarexnv-c6083_firmwareqno-6022rane-l7012r_firmwarexnf-9010rvxnv-8083rz_firmwareqnd-8030rqno-6082rtnv-c7013rc_firmwarepnm-9085rqzqno-6084rano-l7012rqnv-8020r_firmwareqno-6072rqno-7032rqnv-8010rqno-7082rqno-6012r_firmwareqno-6012rxnb-9003xnp-c6403r_firmwarexnp-c6403rwxnp-9300rwxnv-c9083r_firmwarexnb-8002qne-8021r_firmwareqnd-7012rpnm-12082rvd_firmwarelnv-6032r_firmwareqno-6032r_firmwarexnd-9082rfqno-6082r_firmwareqnv-8080r_firmwareqno-6084r_firmwarexnd-8082rfpnm-9085rqz1_firmwarepnm-9084qz_firmwareqno-7032r_firmwarepnm-9084qz1ano-l6012rxnv-9082rlnd-6072rqnv-7012r_firmwareane-l6012r_firmwarexno-6123rxnd-8082rvpnm-9000qb_firmwarexnp-c9310r_firmwarelnv-6072rqnd-6012r1xnd-8093rvqnd-8030r_firmwareanv-l6012ranv-l7012rqnd-6011qnd-8020rqno-6073rqno-6072r1_firmwarepnm-9084qz1_firmwareqne-8021rxnb-6003_firmwarexno-6083r_firmwareqno-8020r_firmwareqnd-6073rqnv-7032r_firmwareqnd-8010r_firmwareanv-l6082rpnm-9085rqz_firmwareqno-8030rlnd-6012r_firmwarexnp-8300rw_firmwareanv-l7012r_firmwareqnv-6012r1xnp-c6403rw_firmwarexnp-c8253rxnb-9002_firmwarexnp-c8253r_firmwarexnf-9013rvxnv-8083r_firmwareqnd-6022rqnd-6011_firmwareano-l7012r_firmwarexnp-c9303rwqnd-6022r_firmwarexnd-9083rv_firmwarexnb-6003qnv-8080rqnd-6072r1qnv-6023rqnd-6082ranv-l6023r_firmwareqnd-6072rlno-6072rxnd-c9083rvqnd-6022r1pnm-9084rqz1qnv-6083r_firmwarexnv-6083rz_firmwareano-l6082r_firmwareqnv-6012r1_firmwareqno-6072r_firmwarelno-6032r_firmwareano-l6022rqnd-6032r1_firmwarexnv-9082r_firmwarexnf-9010rspnm-9031rv_firmwarepnm-9085rqz1qnd-6082r1_firmwareano-l7082rqnv-6082r_firmwareane-l6012rqnv-6012rqnd-6021_firmwarexnd-c6083rv_firmwarelnd-6012rlnv-6012rxnd-6083rv_firmwarexnp-c8253_firmwareqnd-7082r_firmwareqno-6082r1_firmwareqno-8080r_firmwarexnv-6083rzqnd-7022rqnv-6084r_firmwareqno-6083rqno-8010rpnm-c9022rv_firmwarepnm-9084rqz_firmwareqnv-6014rxnp-c9253anv-l6012r_firmwarexnd-8083rv_firmwareqnv-6022r1_firmwareqno-7082r_firmwarexnv-6123r_firmwareqno-6014r_firmwarexnb-6002_firmwareqnv-6073r_firmwarexnp-8250_firmwareqnv-6073rpnm-7082rvd_firmwareqno-6032r1qno-8030r_firmwareqnd-6032r1lnd-6022r_firmwarexnp-6400_firmwareqnd-6021xnp-c6403rqnv-7082rqnv-6072r1_firmwareanv-l7082r_firmwarelno-6032rxno-c8083r_firmwarexnp-6400r_firmwarepnm-9322vqpxno-c6083r_firmwarexno-c7083r_firmwareano-l6082rqnv-6014r_firmwareano-l6012r_firmwarepnm-12082rvdxnp-9250xnb-8003_firmwarexnp-c6403_firmwareanv-l6023rxnb-6002xnp-c6403ano-l7022rpnm-7082rvdxnf-9010rvmxnv-9083rz_firmwarexnb-8002_firmwareqnv-6023r_firmwareqnd-8021xnd-c9083rv_firmwarexnv-c6083r_firmwarexnv-8083rqno-6022r1_firmwarexno-c8083rqnd-6083r_firmwarelnv-6022r_firmwareqnv-6024rm_firmwareqnd-7022r_firmwarexnp-9250rqno-7022rxnd-c7083rvxnd-c8083rv_firmwarepnm-8082vtxnp-c9310rpnm-9002vqqnv-6072r1xnp-c9253rxnd-9083rvxnv-c6083rqno-6072r1ano-l7082r_firmwarexnf-9013rv_firmwareqnv-8010r_firmwarexnb-9003_firmwarexnv-c9083rpnm-9022v_firmwareqnv-7012rxnp-9250r_firmwareqnd-6072r_firmwareqno-7022r_firmwarexnv-c8083rxnp-6400qno-7012r_firmwareqnd-6032rpnm-8082vt_firmwarexnv-6123rxnb-9002xnp-c9303rw_firmwarexnf-9010rs_firmwarelno-6012r_firmwarexnb-8003qnb-8002qnd-8080rxnp-c8253qnv-6022r1lnd-6032r_firmwareqnd-8010rxnd-9082rv_firmwarepnm-9322vqp_firmwarelnv-6022rxno-c9083r_firmwareqno-8080rqnd-6032r_firmwareqno-6014rxnv-c8083r_firmwarepnm-9084rqzqnv-6072r_firmwareqno-6083r_firmwareqnd-7012r_firmwarexno-8083r_firmwareqnd-7082rqnv-8020rqno-8010r_firmwareqnv-7022rxnv-6083z_firmwareqnd-8011_firmwarexnp-8300rwxnd-c7083rv_firmwareanv-l7082rqnd-8011xnd-8083rvxnp-c9253r_firmwareqno-6022r_firmwareqne-8011rxnv-c7083r_firmwareane-l7012rxno-c7083rxnv-9083r_firmwareqno-6032r1_firmwarexnp-8250r_firmwareqno-6012r1lno-6072r_firmwareqne-8011r_firmwarexno-8083rqnd-6022r1_firmwarepnm-7002vd_firmwarelnv-6012r_firmwareqnv-6022rqno-6012r1_firmwareqnd-6012rqnv-6012r_firmwarexno-c6083rqnv-6072rqnv-7032rqnv-6083rqno-6082r1pnm-9002vq_firmwarexnv-8093rxnv-8083rzpnm-9084qzxnd-c8083rvlnd-6022rqnv-8030r_firmwarexnp-c8303rwlnd-6032rxnv-c6083pnm-9022vA-Series, Q-Series, PNM-series Camerapnm-9322vqppnm-9085rqzlnd-6012rlnv-6012rano-l6082rpnm-12082rvdane-l7012rpnm-9000qblno-6012rano-l7012rqnd-6032rano-l7022rpnm-7082rvdqnd-6022rpnm-9031rvlno-6022rlnv-6022rqnd-6012ranv-l6082rpnm-9084qz1ano-l6012rpnm-8082vtlno-6072rlno-6032rlnv-6032rlnd-6072rpnm-c9022rvpnm-9084rqzpnm-9084qzpnm-9084rqz1lnv-6072rpnm-9002vqanv-l6012ranv-l7012rqnd-6011lnd-6022rano-l6022rlnd-6032rpnm-9085rqz1qnd-6021anv-l7082rano-l7082rpnm-9022vpnm-7002vdane-l6012r
CWE ID-CWE-248
Uncaught Exception
CWE ID-CWE-703
Improper Check or Handling of Exceptional Conditions
CVE-2025-3083
Matching Score-4
Assigner-MongoDB, Inc.
ShareView Details
Matching Score-4
Assigner-MongoDB, Inc.
CVSS Score-7.5||HIGH
EPSS-0.41% / 33.59%
||
7 Day CHG~0.00%
Published-01 Apr, 2025 | 11:12
Updated-01 Apr, 2025 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Malformed MongoDB wire protocol messages may cause mongos to crash

Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31,  MongoDB v6.0 versions prior to 6.0.20 and MongoDB v7.0 versions prior to 7.0.16

Action-Not Available
Vendor-MongoDB, Inc.
Product-MongoDB Server
CWE ID-CWE-248
Uncaught Exception
CVE-2023-4785
Matching Score-4
Assigner-Google LLC
ShareView Details
Matching Score-4
Assigner-Google LLC
CVSS Score-7.5||HIGH
EPSS-0.67% / 47.69%
||
7 Day CHG~0.00%
Published-13 Sep, 2023 | 16:31
Updated-12 Jan, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in gRPC Core

Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.

Action-Not Available
Vendor-grpcgrpcGoogle LLC
Product-grpcgRPCgrpc
CWE ID-CWE-248
Uncaught Exception
CVE-2023-46239
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.77% / 51.32%
||
7 Day CHG~0.00%
Published-31 Oct, 2023 | 15:02
Updated-05 Sep, 2024 | 17:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
quic-go vulnerable to pointer dereference that can lead to panic

quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected.

Action-Not Available
Vendor-quic-go_projectquic-go
Product-quic-goquic-go
CWE ID-CWE-248
Uncaught Exception
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2025-29785
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.40% / 32.44%
||
7 Day CHG~0.00%
Published-02 Jun, 2025 | 10:44
Updated-02 Jun, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
quic-go Has Panic in Path Probe Loss Recovery Handling

quic-go is an implementation of the QUIC protocol in Go. The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client. In order to do so, the attacker first sends valid QUIC packets from different remote addresses (thereby triggering the newly added path validation logic: the server sends path probe packets), and then sending ACKs for packets received from the server specifically crafted to trigger the nil-pointer dereference. v0.50.1 contains a patch that fixes the vulnerability. This release contains a test that generates random sequences of sent packets (both regular and path probe packets), that was used to verify that the patch actually covers all corner cases. No known workarounds are available.

Action-Not Available
Vendor-quic-go
Product-quic-go
CWE ID-CWE-248
Uncaught Exception
CVE-2025-35436
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
CVSS Score-6.9||MEDIUM
EPSS-0.54% / 41.79%
||
7 Day CHG~0.00%
Published-17 Sep, 2025 | 16:53
Updated-19 Dec, 2025 | 12:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CISA Thorium account verification email error handling

CISA Thorium uses '.unwrap()' to handle errors related to account verification email messages. An unauthenticated remote attacker could cause a crash by providing a specially crafted email address or response. Fixed in commit 6a65a27.

Action-Not Available
Vendor-cisaCISA
Product-thoriumThorium
CWE ID-CWE-248
Uncaught Exception
CVE-2023-46135
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.76% / 51.21%
||
7 Day CHG~0.00%
Published-25 Oct, 2023 | 00:38
Updated-10 Sep, 2024 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Panic in SignedPayload::from_payload

rs-stellar-strkey is a Rust lib for encode/decode of Stellar Strkeys. A panic vulnerability occurs when a specially crafted payload is used.`inner_payload_len` should not above 64. This vulnerability has been patched in version 0.0.8.

Action-Not Available
Vendor-stellarstellarstellar
Product-rs-stellar-strkeyrs-stellar-strkeyrs-stellar-strkey
CWE ID-CWE-248
Uncaught Exception
CVE-2026-50328
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-7.5||HIGH
EPSS-1.21% / 64.85%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 17:06
Updated-17 Jul, 2026 | 21:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Server Update Service (WSUS) Tampering Vulnerability

Uncaught exception in Windows Server Update Service allows an unauthorized attacker to perform tampering over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-Windows Server 2012Windows 10 Version 1607Windows Server 2012 R2Windows Server 2019 (Server Core installation)Windows Server 2012 R2 (Server Core installation)Windows Server 2019Windows 10 Version 1809Windows Server 2016 (Server Core installation)Windows Server 2022Windows Server 2025 (Server Core installation)Windows Server 2016Windows Server 2012 (Server Core installation)Windows Server 2025
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-248
Uncaught Exception
CVE-2025-24883
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.68% / 48.32%
||
7 Day CHG~0.00%
Published-30 Jan, 2025 | 15:58
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
go-ethereum has a DoS via malicious p2p message

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.14.13.

Action-Not Available
Vendor-ethereum
Product-go-ethereum
CWE ID-CWE-248
Uncaught Exception
CVE-2026-48069
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.62% / 45.93%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 19:42
Updated-15 Jul, 2026 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
@grpc/grps-js: An incoming malformed compressed message can cause a client or server crash

@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming compressed message can cause a client or server process that uses @grpc/grpc-js to crash. This issue is fixed in versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4.

Action-Not Available
Vendor-grpc
Product-grpc-node
CWE ID-CWE-248
Uncaught Exception
CVE-2026-48068
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.62% / 45.93%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 19:39
Updated-15 Jul, 2026 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
@grpc/grps-js: A malformed request can cause a server crash

@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming HTTP/2 stream initiation can cause a server process created using @grpc/grpc-js to crash. This issue is fixed in versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4.

Action-Not Available
Vendor-grpc
Product-grpc-node
CWE ID-CWE-248
Uncaught Exception
CVE-2023-42444
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-0.69% / 48.80%
||
7 Day CHG~0.00%
Published-19 Sep, 2023 | 14:47
Updated-24 Sep, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
phonenumber panics on parsing crafted RF3966 inputs

phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`. Versions `0.3.3+8.13.9` and `0.2.5+8.11.3` contain a patch for this issue. There are no known workarounds.

Action-Not Available
Vendor-whisperfishwhisperfish
Product-phonenumberrust-phonenumber
CWE ID-CWE-392
Missing Report of Error Condition
CWE ID-CWE-1284
Improper Validation of Specified Quantity in Input
CWE ID-CWE-248
Uncaught Exception
CVE-2026-46545
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.34% / 26.08%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 23:47
Updated-10 Jun, 2026 | 19:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
nimiq-primitives: Panic DoS in trie chunk processing via ROOT-keyed item

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.5.0, a remote, unauthenticated denial-of-service vulnerability in MerkleRadixTrie::put_chunk allows any state-sync peer to crash any node performing state synchronization (freshly joining nodes and recovering nodes). This issue has been patched in version 1.5.0.

Action-Not Available
Vendor-nimiq
Product-core-rs-albatross
CWE ID-CWE-248
Uncaught Exception
CVE-2026-47480
Matching Score-4
Assigner-NVIDIA Corporation
ShareView Details
Matching Score-4
Assigner-NVIDIA Corporation
CVSS Score-7.5||HIGH
EPSS-0.28% / 19.83%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 19:47
Updated-15 Jul, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause an uncaught exception. A successful exploit of this vulnerability might lead to denial of service.

Action-Not Available
Vendor-NVIDIA Corporation
Product-Triton Inference Server
CWE ID-CWE-248
Uncaught Exception
CVE-2026-46689
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.32% / 23.72%
||
7 Day CHG~0.00%
Published-10 Jun, 2026 | 20:28
Updated-11 Jun, 2026 | 15:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kanidm: Unauthenticated process abort via SCIM filter stack exhaustion

Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (≈ 4–12 KB) drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with std::process::abort() — the entire kanidmd process exits. The parse runs inside axum's Query<ScimEntryGetQuery> extractor, before any handler body and therefore before any ACL check. This issue has been patched in version 1.9.3.

Action-Not Available
Vendor-kanidm
Product-kanidm
CWE ID-CWE-248
Uncaught Exception
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-674
Uncontrolled Recursion
CVE-2026-45685
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.46% / 37.21%
||
7 Day CHG~0.00%
Published-02 Jun, 2026 | 15:25
Updated-03 Jun, 2026 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.1.0 to before version 0.9.0, malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validated, so a single crafted message can terminate telemetry collection for the affected process or node. This issue has been patched in version 0.9.0.

Action-Not Available
Vendor-opentelemetryopen-telemetry
Product-ebpf_instrumentationopentelemetry-ebpf-instrumentation
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-248
Uncaught Exception
CWE ID-CWE-704
Incorrect Type Conversion or Cast
CVE-2026-9509
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-8.7||HIGH
EPSS-0.35% / 27.39%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 12:11
Updated-29 May, 2026 | 13:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncaught exception vulnerability in Suprema's BioStar

An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, that allows an unauthenticated remote attacker to cause a denial of service (DoS) by sending HTTP POST requests to the ‘/api/migration’ endpoint. This request triggers a failure that halts critical processes, leaving the system offline until the services or server are manually restarted. As a result, access control readers cease to function, and potential failures may occur in third-party integrations. Since the exploit requires no privileges or user interaction and is trivial to automate, the impact on availability is high, and the effect extends to interconnected systems.

Action-Not Available
Vendor-Suprema
Product-BioStar 2 (server)
CWE ID-CWE-248
Uncaught Exception
CVE-2023-3966
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-1.03% / 59.96%
||
7 Day CHG~0.00%
Published-22 Feb, 2024 | 12:15
Updated-16 May, 2025 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Openvswsitch: ovs-vswitch fails to recover after malformed geneve metadata packet

A flaw was found in Open vSwitch where multiple versions are vulnerable to crafted Geneve packets, which may result in a denial of service and invalid memory accesses. Triggering this issue requires that hardware offloading via the netlink path is enabled.

Action-Not Available
Vendor-openvswitchn/aRDOFedora ProjectRed Hat, Inc.
Product-openvswitchfedoraFast Datapath for RHEL 9Red Hat OpenShift Container Platform 3.11openvswitchOpenStack RDOFast Datapath for RHEL 7Red Hat Enterprise Linux 7FedoraFast Datapath for RHEL 8
CWE ID-CWE-248
Uncaught Exception
CVE-2023-39945
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.81% / 52.74%
||
7 Day CHG~0.00%
Published-11 Aug, 2023 | 13:21
Updated-13 Feb, 2025 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Malformed serialized data in a data submessage leads to unhandled exception

eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5, a data submessage sent to PDP port raises unhandled `BadParamException` in fastcdr, which in turn crashes fastdds. Versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5 contain a patch for this issue.

Action-Not Available
Vendor-eprosimaeProsimaDebian GNU/Linux
Product-fast_ddsdebian_linuxFast-DDS
CWE ID-CWE-248
Uncaught Exception
CVE-2026-42268
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.40% / 31.86%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 21:40
Updated-14 May, 2026 | 14:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ModSecurity: Unsigned integer underflow in @verifySSN / @verifyCPF / @verifySVNR operators

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmodsecurity3 if the user (administrator) uses a rule any of @verifySSN, @verifyCPF, or @verifySVNR. This vulnerability is fixed in 3.0.15.

Action-Not Available
Vendor-owaspowasp-modsecurity
Product-modsecurityModSecurity
CWE ID-CWE-191
Integer Underflow (Wrap or Wraparound)
CWE ID-CWE-248
Uncaught Exception
CVE-2020-5129
Matching Score-4
Assigner-SonicWall, Inc.
ShareView Details
Matching Score-4
Assigner-SonicWall, Inc.
CVSS Score-7.5||HIGH
EPSS-1.30% / 67.22%
||
7 Day CHG~0.00%
Published-26 Mar, 2020 | 03:35
Updated-04 Aug, 2024 | 08:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the SonicWall SMA1000 HTTP Extraweb server allows an unauthenticated remote attacker to cause HTTP server crash which leads to Denial of Service. This vulnerability affected SMA1000 Version 12.1.0-06411 and earlier.

Action-Not Available
Vendor-SonicWall Inc.
Product-sma1000sma1000_firmwareSMA1000
CWE ID-CWE-248
Uncaught Exception
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2026-42544
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.32% / 24.52%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 21:46
Updated-18 May, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Granian: Unauthenticated DoS via WebSocket subprotocol header panic

Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. The crash happens in Granian's WebSocket scope construction path, before the ASGI application is invoked. This vulnerability is fixed in 2.7.4.

Action-Not Available
Vendor-emmett-framework
Product-granian
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-248
Uncaught Exception
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-38504
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.76% / 51.15%
||
7 Day CHG~0.00%
Published-27 Jul, 2023 | 18:12
Updated-03 Oct, 2024 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sails DoS vulnerability for apps with sockets enabled

Sails is a realtime MVC Framework for Node.js. In Sails apps prior to version 1.5.7,, an attacker can send a virtual request that will cause the node process to crash. This behavior was fixed in Sails v1.5.7. As a workaround, disable the sockets hook and remove the `sails.io.js` client.

Action-Not Available
Vendor-sailsjsbalderdashysailsjs
Product-sailssailssails
CWE ID-CWE-248
Uncaught Exception
CVE-2025-20637
Matching Score-4
Assigner-MediaTek, Inc.
ShareView Details
Matching Score-4
Assigner-MediaTek, Inc.
CVSS Score-7.5||HIGH
EPSS-0.63% / 46.18%
||
7 Day CHG~0.00%
Published-03 Feb, 2025 | 03:23
Updated-17 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In network HW, there is a possible system hang due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00399035; Issue ID: MSV-2380.

Action-Not Available
Vendor-MediaTek Inc.
Product-software_development_kitmt7986mt7981MT7981, MT7986
CWE ID-CWE-248
Uncaught Exception
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2025-12423
Matching Score-4
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-4
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-10||CRITICAL
EPSS-0.30% / 22.49%
||
7 Day CHG~0.00%
Published-28 Oct, 2025 | 18:14
Updated-07 Nov, 2025 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service - Protocol Manipulation

Protocol manipulation might lead to denial of service.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-248
Uncaught Exception
CVE-2026-50129
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.26% / 17.80%
||
7 Day CHG~0.00%
Published-24 Jun, 2026 | 19:50
Updated-25 Jun, 2026 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mastodon: Persistent anonymous DoS via unhandled NoMethodError in MATH_TRANSFORMER

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.11, 4.4.18, and 4.3.24, a DoS can be triggered by (Uncaught Exception vulerability), due to missing exception handling in the math sanitizer. Malformed <math> nodes can result in a DoS of a whole server or targeted users services, depending on the type of action that includes the malformed nodes and the services interacting with it. This vulnerability is fixed in 4.5.11, 4.4.18, and 4.3.24.

Action-Not Available
Vendor-mastodon
Product-mastodon
CWE ID-CWE-248
Uncaught Exception
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found