Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-53893

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-15 Jul, 2025 | 17:47
Updated At-15 Jul, 2025 | 18:44
Rejected At-
Credits

File Browser Vulnerable to Uncontrolled Memory Consumption Due to Oversized File Processing

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.38.0, a Denial of Service (DoS) vulnerability exists in the file processing logic when reading a file on endpoint `Filebrowser-Server-IP:PORT/files/{file-name}` . While the server correctly handles and stores uploaded files, it attempts to load the entire content into memory during read operations without size checks or resource limits. This allows an authenticated user to upload a large file and trigger uncontrolled memory consumption on read, potentially crashing the server and making it unresponsive. As of time of publication, no known patches are available.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:15 Jul, 2025 | 17:47
Updated At:15 Jul, 2025 | 18:44
Rejected At:
▼CVE Numbering Authority (CNA)
File Browser Vulnerable to Uncontrolled Memory Consumption Due to Oversized File Processing

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.38.0, a Denial of Service (DoS) vulnerability exists in the file processing logic when reading a file on endpoint `Filebrowser-Server-IP:PORT/files/{file-name}` . While the server correctly handles and stores uploaded files, it attempts to load the entire content into memory during read operations without size checks or resource limits. This allows an authenticated user to upload a large file and trigger uncontrolled memory consumption on read, potentially crashing the server and making it unresponsive. As of time of publication, no known patches are available.

Affected Products
Vendor
filebrowser
Product
filebrowser
Versions
Affected
  • = 2.38.0
Problem Types
TypeCWE IDDescription
CWECWE-400CWE-400: Uncontrolled Resource Consumption
CWECWE-789CWE-789: Memory Allocation with Excessive Size Value
Type: CWE
CWE ID: CWE-400
Description: CWE-400: Uncontrolled Resource Consumption
Type: CWE
CWE ID: CWE-789
Description: CWE-789: Memory Allocation with Excessive Size Value
Metrics
VersionBase scoreBase severityVector
4.07.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
Version: 4.0
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xqm-7738-642x
x_refsource_CONFIRM
https://github.com/filebrowser/filebrowser/issues/5294
x_refsource_MISC
Hyperlink: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xqm-7738-642x
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/filebrowser/filebrowser/issues/5294
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:15 Jul, 2025 | 18:15
Updated At:05 Aug, 2025 | 18:27

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.38.0, a Denial of Service (DoS) vulnerability exists in the file processing logic when reading a file on endpoint `Filebrowser-Server-IP:PORT/files/{file-name}` . While the server correctly handles and stores uploaded files, it attempts to load the entire content into memory during read operations without size checks or resource limits. This allows an authenticated user to upload a large file and trigger uncontrolled memory consumption on read, potentially crashing the server and making it unresponsive. As of time of publication, no known patches are available.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.07.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Type: Secondary
Version: 4.0
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CPE Matches

filebrowser
filebrowser
>>filebrowser>>2.38.0
cpe:2.3:a:filebrowser:filebrowser:2.38.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-400Primarysecurity-advisories@github.com
CWE-789Primarysecurity-advisories@github.com
CWE ID: CWE-400
Type: Primary
Source: security-advisories@github.com
CWE ID: CWE-789
Type: Primary
Source: security-advisories@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/filebrowser/filebrowser/issues/5294security-advisories@github.com
Issue Tracking
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xqm-7738-642xsecurity-advisories@github.com
Exploit
Vendor Advisory
Hyperlink: https://github.com/filebrowser/filebrowser/issues/5294
Source: security-advisories@github.com
Resource:
Issue Tracking
Hyperlink: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xqm-7738-642x
Source: security-advisories@github.com
Resource:
Exploit
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

308Records found

CVE-2019-12700
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-7.7||HIGH
EPSS-1.88% / 77.11%
||
7 Day CHG~0.00%
Published-02 Oct, 2019 | 19:06
Updated-26 Nov, 2024 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco FTD, FMC, and FXOS Software Pluggable Authentication Module Denial of Service Vulnerability

A vulnerability in the configuration of the Pluggable Authentication Module (PAM) used in Cisco Firepower Threat Defense (FTD) Software, Cisco Firepower Management Center (FMC) Software, and Cisco FXOS Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to improper resource management in the context of user session management. An attacker could exploit this vulnerability by connecting to an affected system and performing many simultaneous successful Secure Shell (SSH) logins. A successful exploit could allow the attacker to exhaust system resources and cause the device to reload, resulting in a DoS condition. To exploit this vulnerability, the attacker needs valid user credentials on the system.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-firepower_9300secure_firewall_management_centerfirepower_2100firepower_threat_defensefirepower_9300_firmwarefirepower_extensible_operating_systemfirepower_1000Cisco Firepower Management Center
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-3112
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-7.1||HIGH
EPSS-0.53% / 41.03%
||
7 Day CHG~0.00%
Published-10 Jun, 2025 | 08:28
Updated-12 Jun, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause Denial of Service when an authenticated malicious user sends manipulated HTTPS Content-Length header to the webserver.

Action-Not Available
Vendor-Schneider Electric SE
Product-Modicon Controllers M241/M251
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-30753
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-6.5||MEDIUM
EPSS-0.37% / 29.30%
||
7 Day CHG~0.00%
Published-15 Jul, 2025 | 19:27
Updated-16 Jul, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-Oracle WebLogic Server
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-29898
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-6||MEDIUM
EPSS-0.42% / 34.00%
||
7 Day CHG~0.00%
Published-29 Aug, 2025 | 17:15
Updated-19 Sep, 2025 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qsync Central

An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qsync_centralQsync Central
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-2820
Matching Score-4
Assigner-Bizerba SE & Co. KG
ShareView Details
Matching Score-4
Assigner-Bizerba SE & Co. KG
CVSS Score-6.5||MEDIUM
EPSS-0.49% / 38.81%
||
7 Day CHG~0.00%
Published-26 Mar, 2025 | 14:58
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service

An authenticated attacker can compromise the availability of the device via the network

Action-Not Available
Vendor-Bizerba SE & Co. KG
Product-Product family GLx and CWx
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2021-29453
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.7||MEDIUM
EPSS-1.00% / 58.97%
||
7 Day CHG~0.00%
Published-19 Apr, 2021 | 18:55
Updated-03 Aug, 2024 | 22:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service through memory exhaustion

matrix-media-repo is an open-source multi-domain media repository for Matrix. Versions 1.2.6 and earlier of matrix-media-repo do not properly handle malicious images which are crafted to be small in file size, but large in complexity. A malicious user could upload a relatively small image in terms of file size, using particular image formats, which expands to have extremely large dimensions during the process of thumbnailing. The server can be exhausted of memory in the process of trying to load the whole image into memory for thumbnailing, leading to denial of service. Version 1.2.7 has a fix for the vulnerability.

Action-Not Available
Vendor-matrix-media-repo_projectturt2live
Product-matrix-media-repomatrix-media-repo
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-46278
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.5||MEDIUM
EPSS-0.62% / 45.53%
||
7 Day CHG~0.00%
Published-31 Oct, 2023 | 23:01
Updated-05 Sep, 2024 | 19:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Uncontrolled resource consumption vulnerability in Cybozu Remote Service 4.1.0 to 4.1.1 allows a remote authenticated attacker to consume huge storage space or cause significantly delayed communication.

Action-Not Available
Vendor-Cybozu, Inc.
Product-cybozu_remote_serviceCybozu Remote Service
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-27100
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.41% / 33.42%
||
7 Day CHG~0.00%
Published-21 Feb, 2025 | 00:03
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
An authenticated user can crash lakeFS by exhausting server memory

lakeFS is an open-source tool that transforms your object storage into a Git-like repository. In affected versions an authenticated user can crash lakeFS by exhausting server memory. This is an authenticated denial-of-service issue. This problem has been patched in version 1.50.0. Users on versions 1.49.1 and below are affected. Users are advised to upgrade. Users unable to upgrade should either set the environment variable `LAKEFS_BLOCKSTORE_S3_DISABLE_PRE_SIGNED_MULTIPART` to `true` or configure the `disable_pre_signed_multipart` key to true in their config yaml.

Action-Not Available
Vendor-treeverse
Product-lakeFS
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-57914
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-0.29% / 21.30%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 11:28
Updated-26 Jun, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Kerby: StackOverflow on parsing deeply nested ASN1 structures

By sending a deeply nested ASN1 structure to a Apache Kerby client or service, it's possible to trigger a StackOverFlow Exception which can lead to denial of service issues. Users are recommended to upgrade to version 2.1.2, which fixes this issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-Apache Kerby
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-5755
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 15.64%
||
7 Day CHG~0.00%
Published-22 May, 2026 | 10:18
Updated-22 May, 2026 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service via crafted TIFF file upload

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, which allows authenticated users with file upload or posting permissions to cause a denial of service (server OOM) via uploading a crafted TIFF file or posting a URL that serves one.. Mattermost Advisory ID: MMSA-2026-00648

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-2668
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.35% / 26.94%
||
7 Day CHG~0.00%
Published-30 Jan, 2026 | 21:28
Updated-05 Feb, 2026 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Db2 Denial of Service

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 is vulnerable to a denial of service as the server may crash when an authenticated user creates a specially crafted query.

Action-Not Available
Vendor-IBM Corporation
Product-db2Db2 for Linux, UNIX and Windows
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CVE-2026-55440
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.66% / 47.50%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 15:35
Updated-16 Jul, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft UFO: COMMAND_RESULTS handler creates unowned sessions, allowing authenticated session-squatting denial of service

Microsoft UFO open-source framework for intelligent automation across devices and platforms. Prior to 3.0.7, the COMMAND_RESULTS handler in ufo/server/ws/handler.py called get_or_create_session in ufo/server/services/session_manager.py without owner_client_id, allowing an authenticated client to create an unowned attacker-chosen session_id such as constellation_task_id = f"{task_name}@{task_id}" and deny the legitimate owner or exhaust memory with phantom sessions. This issue is fixed in version 3.0.7.

Action-Not Available
Vendor-Microsoft Corporation
Product-UFO
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-862
Missing Authorization
CVE-2026-55646
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.29% / 20.86%
||
7 Day CHG~0.00%
Published-06 Jul, 2026 | 19:41
Updated-07 Jul, 2026 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vLLM speech-to-text endpoints allocate full upload before enforcing the audio file-size limit

vLLM is an inference and serving engine for large language models. From 0.22.0 to 0.23.0, the /v1/audio/transcriptions and /v1/audio/translations routes call request.file.read() to fully materialize an uploaded audio file into memory before vLLM checks the documented VLLM_MAX_AUDIO_CLIP_FILESIZE_MB compressed upload size limit (default 25 MB) later in the speech-to-text preprocessing step, so an API caller who can reach those routes can submit an oversized multipart upload and cause vLLM to allocate memory proportional to the uploaded file size before the request is rejected as too large, creating memory pressure or terminating the process depending on deployment resource limits. This issue is fixed in version 0.24.0.

Action-Not Available
Vendor-vllmvllm-project
Product-vllmvllm
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-49090
Matching Score-4
Assigner-Elastic
ShareView Details
Matching Score-4
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 16.39%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 17:15
Updated-02 Jul, 2026 | 14:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consumption in Elasticsearch Leading to Denial of Service

Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk request that causes sustained high CPU consumption, which can render the affected node unable to process requests.

Action-Not Available
Vendor-Elasticsearch BV
Product-elasticsearchElasticsearch
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-43564
Matching Score-4
Assigner-Splunk Inc.
ShareView Details
Matching Score-4
Assigner-Splunk Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.79% / 52.30%
||
7 Day CHG~0.00%
Published-04 Nov, 2022 | 22:20
Updated-01 May, 2025 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in Splunk Enterprise through search macros

In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, a remote user who can create search macros and schedule search reports can cause a denial of service through the use of specially crafted search macros.

Action-Not Available
Vendor-Splunk LLC (Cisco Systems, Inc.)
Product-splunksplunk_cloud_platformSplunk Enterprise
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-49094
Matching Score-4
Assigner-Elastic
ShareView Details
Matching Score-4
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.27% / 18.75%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 19:49
Updated-01 Jun, 2026 | 13:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an oversized input value to an analytics collections management endpoint. Kibana will consume excessive CPU and memory resources while processing the request. This results in Kibana becoming unavailable to all users until the service is manually recovered.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-41705
Matching Score-4
Assigner-Open-Xchange
ShareView Details
Matching Score-4
Assigner-Open-Xchange
CVSS Score-6.5||MEDIUM
EPSS-0.78% / 52.00%
||
7 Day CHG~0.00%
Published-12 Feb, 2024 | 08:15
Updated-04 Nov, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Processing of user-defined DAV user-agent strings is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of DAV user-agents now gets monitored, and the related request is terminated if a resource threshold is reached. No publicly available exploits are known.

Action-Not Available
Vendor-Open-Xchange AG
Product-open-xchange_appsuiteOX App Suite
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-49799
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.79% / 52.18%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 17:06
Updated-17 Jul, 2026 | 21:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability

Uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_11_24h2windows_server_2012windows_10_22h2windows_server_2016windows_server_2022windows_10_21h2windows_10_1607windows_server_2019windows_server_2025windows_11_25h2windows_11_26h1windows_10_1809Windows 10 Version 1607Windows Server 2012 R2Windows Server 2025Windows Server 2019 (Server Core installation)Windows Server 2012 (Server Core installation)Windows 10 Version 21H2Windows Server 2012Windows 11 Version 25H2Windows Server 2012 R2 (Server Core installation)Windows Server 2019Windows 10 Version 1809Windows 10 Version 22H2Windows Server 2016 (Server Core installation)Windows Server 2022Windows Server 2016Windows 11 version 26H1Windows Server 2025 (Server Core installation)Windows 11 Version 24H2
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-44796
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.31% / 23.23%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 17:00
Updated-30 May, 2026 | 02:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nautobot: Object bulk rename UI actions vulnerable to denial of service by crafted regular expression (REDoS)

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot UI object-bulk-rename endpoints (for example, /dcim/interfaces/rename/) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the find field in combination with the use_regex flag. This vulnerability is fixed in 2.4.33 and 3.1.2.

Action-Not Available
Vendor-networktocodenautobot
Product-nautobotnautobot
CWE ID-CWE-1333
Inefficient Regular Expression Complexity
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-33375
Matching Score-4
Assigner-Grafana Labs
ShareView Details
Matching Score-4
Assigner-Grafana Labs
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 35.17%
||
7 Day CHG~0.00%
Published-26 Mar, 2026 | 20:05
Updated-16 Jul, 2026 | 03:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS

The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.

Action-Not Available
Vendor-Grafana Labs
Product-grafanaGrafana OSS
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-36818
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.70% / 48.99%
||
7 Day CHG+0.11%
Published-14 Jul, 2023 | 21:16
Updated-18 Oct, 2024 | 17:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service via User Custom Sidebar Section Unlimited Link Creation in discourse

Discourse is an open source discussion platform. In affected versions a request to create or update custom sidebar section can cause a denial of service. This issue has been patched in commit `52b003d915`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-52980
Matching Score-4
Assigner-Elastic
ShareView Details
Matching Score-4
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.50% / 39.63%
||
7 Day CHG~0.00%
Published-08 Apr, 2025 | 16:43
Updated-30 Sep, 2025 | 21:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Elasticsearch Uncontrolled Resource Consumption vulnerability

A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBank class could cause the Elasticsearch node to crash. A successful attack requires a malicious user to have read_pipeline Elasticsearch cluster privilege assigned to them.

Action-Not Available
Vendor-Elasticsearch BV
Product-elasticsearchElasticsearch
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-3637
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.97% / 57.94%
||
7 Day CHG~0.00%
Published-25 Jul, 2023 | 12:47
Updated-20 Nov, 2025 | 17:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Openstack-neutron: unrestricted creation of security groups (fix for cve-2022-3277)

An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.

Action-Not Available
Vendor-Red Hat, Inc.
Product-openstack_platformRed Hat OpenStack Platform 17.0Red Hat OpenStack Platform 16.1Red Hat OpenStack Platform 18.0Red Hat OpenStack Platform 13 (Queens) Operational ToolsRed Hat OpenStack Platform 17.1Red Hat OpenStack Platform 16.2
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-21574
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-6.5||MEDIUM
EPSS-0.97% / 58.14%
||
7 Day CHG+0.07%
Published-15 Apr, 2025 | 20:30
Updated-03 Nov, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-mysql_servermysql_clusterMySQL ClusterMySQL Server
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-21577
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-6.5||MEDIUM
EPSS-0.72% / 49.64%
||
7 Day CHG+0.05%
Published-15 Apr, 2025 | 20:30
Updated-03 Nov, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-mysql_serverMySQL Server
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-21575
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-6.5||MEDIUM
EPSS-0.85% / 54.00%
||
7 Day CHG+0.06%
Published-15 Apr, 2025 | 20:30
Updated-03 Nov, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-mysql_servermysql_clusterMySQL ClusterMySQL Server
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-42399
Matching Score-4
Assigner-Elastic
ShareView Details
Matching Score-4
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.30% / 21.55%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 19:44
Updated-01 Jun, 2026 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulting data structure grows without bound, exhausting available memory and causing the Kibana service to crash and become unavailable to all users.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-34462
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-2.46% / 82.63%
||
7 Day CHG~0.00%
Published-22 Jun, 2023 | 23:00
Updated-13 Feb, 2025 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
netty-handler SniHandler 16MB allocation

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.

Action-Not Available
Vendor-The Netty Project
Product-nettynetty
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2018-16848
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.18% / 64.05%
||
7 Day CHG~0.00%
Published-15 Jun, 2020 | 14:18
Updated-05 Aug, 2024 | 10:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Denial of Service (DoS) condition is possible in OpenStack Mistral in versions up to and including 7.0.3. Submitting a specially crafted workflow definition YAML file containing nested anchors can lead to resource exhaustion culminating in a denial of service.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-openstack-mistralopenstack-mistral
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2018-14659
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-2.17% / 80.27%
||
7 Day CHG~0.00%
Published-31 Oct, 2018 | 19:00
Updated-05 Aug, 2024 | 09:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Gluster file system through versions 4.1.4 and 3.1.2 is vulnerable to a denial of service attack via use of the 'GF_XATTR_IOSTATS_DUMP_KEY' xattr. A remote, authenticated attacker could exploit this by mounting a Gluster volume and repeatedly calling 'setxattr(2)' to trigger a state dump and create an arbitrary number of files in the server's runtime directory.

Action-Not Available
Vendor-The Gluster ProjectDebian GNU/LinuxRed Hat, Inc.
Product-enterprise_linux_servervirtualizationdebian_linuxenterprise_linuxvirtualization_hostgluster_file_systemglusterfs
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-41861
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.10% / 62.05%
||
7 Day CHG~0.00%
Published-17 Jan, 2023 | 00:00
Updated-03 Nov, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in freeradius. A malicious RADIUS client or home server can send a malformed abinary attribute which can cause the server to crash.

Action-Not Available
Vendor-n/aFreeRADIUS
Product-freeradiusfreeradius
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-41770
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.60% / 44.52%
||
7 Day CHG~0.00%
Published-19 Oct, 2022 | 21:21
Updated-08 May, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BIG-IP and BIG-IQ iControl REST vulnerability CVE-2022-41770

In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ all versions of 8.x and 7.x, an authenticated iControl REST user can cause an increase in memory resource utilization, via undisclosed requests.

Action-Not Available
Vendor-F5, Inc.
Product-big-ip_application_acceleration_managerbig-ip_link_controllerbig-ip_policy_enforcement_managerbig-ip_fraud_protection_servicebig-iq_centralized_managementbig-ip_global_traffic_managerbig-ip_analyticsbig-ip_access_policy_managerbig-ip_domain_name_systembig-ip_local_traffic_managerbig-ip_advanced_firewall_managerbig-ip_application_security_managerBIG-IPBIG-IQ
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2018-12541
Matching Score-4
Assigner-Eclipse Foundation
ShareView Details
Matching Score-4
Assigner-Eclipse Foundation
CVSS Score-6.5||MEDIUM
EPSS-2.65% / 83.95%
||
7 Day CHG~0.00%
Published-10 Oct, 2018 | 20:00
Updated-05 Aug, 2024 | 08:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full http request before doing the handshake, holding the entire request body in memory. There should be a reasonnable limit (8192 bytes) above which the WebSocket gets an HTTP response with the 413 status code and the connection gets closed.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-vert.xEclipse Vert.x
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2023-29139
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.58% / 43.95%
||
7 Day CHG~0.00%
Published-31 Mar, 2023 | 00:00
Updated-14 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. When a user with checkuserlog permissions makes many CheckUserLog API requests in some configurations, denial of service can occur (RequestTimeoutException or upstream request timeout).

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-28188
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.59% / 44.43%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 01:36
Updated-13 Feb, 2025 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial-of-service issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13.3. A remote user may be able to cause a denial-of-service.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOS
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-12983
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-3.5||LOW
EPSS-0.41% / 33.19%
||
7 Day CHG+0.04%
Published-15 Nov, 2025 | 08:13
Updated-19 Nov, 2025 | 19:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Memory Allocation with Excessive Size Value in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to cause a denial of service condition by submitting specially crafted markdown content with nested formatting patterns.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CVE-2023-25816
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-1.37% / 68.92%
||
7 Day CHG~0.00%
Published-24 Feb, 2023 | 23:17
Updated-10 Mar, 2025 | 21:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
nextcloud vulnerable to Uncontrolled Resource Consumption

Nextcloud is an Open Source private cloud software. Versions 25.0.0 and above, prior to 25.0.3, are subject to Uncontrolled Resource Consumption. A user can configure a very long password, consuming more resources on password validation than desired. This issue is patched in 25.0.3 No workaround is available.

Action-Not Available
Vendor-Nextcloud GmbH
Product-nextcloud_serversecurity-advisories
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2021-21271
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.74% / 75.22%
||
7 Day CHG~0.00%
Published-26 Jan, 2021 | 20:55
Updated-03 Aug, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service in TenderMint Core

Tendermint Core is an open source Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine - written in any programming language - and securely replicates it on many machines. Tendermint Core v0.34.0 introduced a new way of handling evidence of misbehavior. As part of this, we added a new Timestamp field to Evidence structs. This timestamp would be calculated using the same algorithm that is used when a block is created and proposed. (This algorithm relies on the timestamp of the last commit from this specific block.) In Tendermint Core v0.34.0-v0.34.2, the consensus reactor is responsible for forming DuplicateVoteEvidence whenever double signs are observed. However, the current block is still “in flight” when it is being formed by the consensus reactor. It hasn’t been finalized through network consensus yet. This means that different nodes in the network may observe different “last commits” when assigning a timestamp to DuplicateVoteEvidence. In turn, different nodes could form DuplicateVoteEvidence objects at the same height but with different timestamps. One DuplicateVoteEvidence object (with one timestamp) will then eventually get finalized in the block, but this means that any DuplicateVoteEvidence with a different timestamp is considered invalid. Any node that formed invalid DuplicateVoteEvidence will continue to propose invalid evidence; its peers may see this, and choose to disconnect from this node. This bug means that double signs are DoS vectors in Tendermint Core v0.34.0-v0.34.2. Tendermint Core v0.34.3 is a security release which fixes this bug. As of v0.34.3, DuplicateVoteEvidence is no longer formed by the consensus reactor; rather, the consensus reactor passes the Votes themselves into the EvidencePool, which is now responsible for forming DuplicateVoteEvidence. The EvidencePool has timestamp info that should be consistent across the network, which means that DuplicateVoteEvidence formed in this reactor should have consistent timestamps. This release changes the API between the consensus and evidence reactors.

Action-Not Available
Vendor-tenderminttendermint
Product-tenderminttendermint
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-11635
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.42% / 33.94%
||
7 Day CHG~0.00%
Published-12 Oct, 2025 | 14:02
Updated-30 Oct, 2025 | 19:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tomofun Furbo 360 File Upload resource consumption

A weakness has been identified in Tomofun Furbo 360 up to FB0035_FW_036. This vulnerability affects unknown code of the component File Upload. This manipulation causes resource consumption. Remote exploitation of the attack is possible. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-furboTomofun
Product-furbo_360_dog_camera_firmwarefurbo_360_dog_cameraFurbo 360
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-404
Improper Resource Shutdown or Release
CVE-2025-11681
Matching Score-4
Assigner-M-Files Corporation
ShareView Details
Matching Score-4
Assigner-M-Files Corporation
CVSS Score-7.1||HIGH
EPSS-0.39% / 31.66%
||
7 Day CHG+0.03%
Published-17 Nov, 2025 | 11:30
Updated-23 Feb, 2026 | 11:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service condition in M-Files Server

Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash.

Action-Not Available
Vendor-M-Files Oy
Product-m-files_serverM-Files Server
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-40980
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 15.08%
||
7 Day CHG~0.00%
Published-28 Apr, 2026 | 07:31
Updated-29 Apr, 2026 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-spring_aiSpring AI
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2021-22216
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.03% / 59.82%
||
7 Day CHG~0.00%
Published-08 Jun, 2021 | 19:19
Updated-03 Aug, 2024 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a very long issue or merge request description

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2021-22139
Matching Score-4
Assigner-Elastic
ShareView Details
Matching Score-4
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-1.00% / 58.86%
||
7 Day CHG~0.00%
Published-13 May, 2021 | 17:35
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Kibana versions before 7.12.1 contain a denial of service vulnerability was found in the webhook actions due to a lack of timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all other users.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2019-9516
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-7.5||HIGH
EPSS-56.26% / 98.94%
||
7 Day CHG~0.00%
Published-13 Aug, 2019 | 20:50
Updated-14 Jan, 2025 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

Action-Not Available
Vendor-n/aCanonical Ltd.Apple Inc.F5, Inc.The Apache Software FoundationFedora ProjectOracle CorporationRed Hat, Inc.McAfee, LLCDebian GNU/LinuxopenSUSENode.js (OpenJS Foundation)Synology, Inc.
Product-ubuntu_linuxvs960hdsoftware_collectionsenterprise_linuxquayskynasswiftniodiskstation_managernode.jsdebian_linuxgraalvmopenshift_service_meshfedoramac_os_xvs960hd_firmwarenginxtraffic_serverjboss_enterprise_application_platformjboss_core_servicesweb_gatewayleapn/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-39374
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.94% / 57.01%
||
7 Day CHG~0.00%
Published-26 May, 2023 | 13:44
Updated-13 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Synapse Denial of service due to incorrect application of event authorization rules during state resolution

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick Synapse into accepting previously rejected events into its view of the current state of that room. This can be exploited in a way that causes all further messages and state changes sent in that room from the vulnerable homeserver to be rejected. This issue has been patched in version 1.68.0

Action-Not Available
Vendor-The Matrix.org Foundation
Product-synapsesynapse
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-40150
Matching Score-4
Assigner-Google LLC
ShareView Details
Matching Score-4
Assigner-Google LLC
CVSS Score-6.5||MEDIUM
EPSS-1.30% / 67.30%
||
7 Day CHG+0.05%
Published-16 Sep, 2022 | 00:00
Updated-21 Apr, 2025 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stack Buffer Overflow in Jettison

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

Action-Not Available
Vendor-jettison_projectJettisonDebian GNU/Linux
Product-jettisondebian_linuxJettison
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-674
Uncontrolled Recursion
CVE-2022-39209
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.70% / 74.67%
||
7 Day CHG+0.06%
Published-15 Sep, 2022 | 00:00
Updated-23 Apr, 2025 | 17:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consumption in cmark-gfm

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.

Action-Not Available
Vendor-Fedora ProjectGitHub, Inc.
Product-cmark-gfmfedoracmark-gfm
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-407
Inefficient Algorithmic Complexity
CVE-2022-39346
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-3.5||LOW
EPSS-0.99% / 58.60%
||
7 Day CHG~0.00%
Published-25 Nov, 2022 | 00:00
Updated-23 Apr, 2025 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing length validation of user displayname in nextcloud server

Nextcloud server is an open source personal cloud server. Affected versions of nextcloud server did not properly limit user display names which could allow a malicious users to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3. There are no known workarounds for this issue.

Action-Not Available
Vendor-Fedora ProjectNextcloud GmbH
Product-nextcloud_enterprise_serverfedoranextcloud_serversecurity-advisories
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-22470
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-3.5||LOW
EPSS-0.66% / 47.60%
||
7 Day CHG~0.00%
Published-14 Jan, 2023 | 00:32
Updated-10 Mar, 2025 | 21:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nextcloud Deck vulnerable to uncontrolled resource consumption

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. A database error can be generated potentially causing a DoS when performed multiple times. There are currently no known workarounds. It is recommended that the Nextcloud Server is upgraded to 1.6.5 or 1.7.3 or 1.8.2.

Action-Not Available
Vendor-Nextcloud GmbH
Product-decksecurity-advisories
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-20
Improper Input Validation
CVE-2022-4003
Matching Score-4
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-4
Assigner-Lenovo Group Ltd.
CVSS Score-2.7||LOW
EPSS-0.40% / 31.93%
||
7 Day CHG~0.00%
Published-31 Jul, 2024 | 20:29
Updated-13 Aug, 2024 | 15:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial-of-service vulnerability could allow an authenticated user to trigger an internal service restart via a specially crafted API request.

Action-Not Available
Vendor-Motorola Mobility LLC. (Lenovo Group Limited)
Product-q14q14_firmwareQ14 Mesh Router Firmware
CWE ID-CWE-400
Uncontrolled Resource Consumption
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • Next
Details not found