Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-29168

Summary
Assigner-apache
Assigner Org ID-f0158376-9dc2-43b6-827c-5f631a4d8d09
Published At-05 May, 2026 | 13:10
Updated At-05 May, 2026 | 16:31
Rejected At-
Credits

Apache HTTP Server: mod_md unrestricted OCSP response

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:apache
Assigner Org ID:f0158376-9dc2-43b6-827c-5f631a4d8d09
Published At:05 May, 2026 | 13:10
Updated At:05 May, 2026 | 16:31
Rejected At:
▼CVE Numbering Authority (CNA)
Apache HTTP Server: mod_md unrestricted OCSP response

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Affected Products
Vendor
The Apache Software FoundationApache Software Foundation
Product
Apache HTTP Server
CPEs
  • cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
Default Status
unaffected
Versions
Affected
  • From 2.4.30 through 2.4.66 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-770CWE-770: Allocation of Resources Without Limits or Throttling
Type: CWE
CWE ID: CWE-770
Description: CWE-770: Allocation of Resources Without Limits or Throttling
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Textual description of severity
text:
low
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Pavel Kohout, Aisle Research, Aisle.com
Timeline
EventDate
reported2026-03-02 12:00:00
fixed in 2.4.x by r19333522026-05-04 12:00:00
Event: reported
Date: 2026-03-02 12:00:00
Event: fixed in 2.4.x by r1933352
Date: 2026-05-04 12:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://httpd.apache.org/security/vulnerabilities_24.html
vendor-advisory
Hyperlink: https://httpd.apache.org/security/vulnerabilities_24.html
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.17.3HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Version: 3.1
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.openwall.com/lists/oss-security/2026/05/05/6
N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2026/05/05/6
Resource: N/A
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@apache.org
Published At:05 May, 2026 | 14:16
Updated At:06 May, 2026 | 18:39

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.3HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Type: Secondary
Version: 3.1
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CPE Matches
The Apache Software Foundation
apache
>>http_server>>Versions from 2.4.30(inclusive) to 2.4.67(exclusive)
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-770Secondarysecurity@apache.org
CWE ID: CWE-770
Type: Secondary
Source: security@apache.org
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://httpd.apache.org/security/vulnerabilities_24.htmlsecurity@apache.org
Release Notes
Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/05/05/6af854a3a-2127-422b-91ae-364da2661108
Mailing List
Third Party Advisory
Hyperlink: https://httpd.apache.org/security/vulnerabilities_24.html
Source: security@apache.org
Resource:
Release Notes
Vendor Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2026/05/05/6
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Mailing List
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

60Records found
CVE-2026-41284
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-12 May, 2026 | 15:14
Updated-12 May, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-Apache Tomcat
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-37358
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-8.6||HIGH
EPSS-0.76% / 73.39%
||
7 Day CHG~0.00%
Published-06 Feb, 2025 | 11:22
Updated-29 Sep, 2025 | 21:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache James: denial of service through the use of IMAP literals

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.

Action-Not Available
Vendor-The Apache Software Foundation
Product-james_serverApache James server
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-48988
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.76% / 73.42%
||
7 Day CHG~0.00%
Published-16 Jun, 2025 | 14:13
Updated-03 Nov, 2025 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Tomcat: FileUpload large number of parts with headers DoS

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-tomcatApache Tomcat
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-69233
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-0.02% / 6.22%
||
7 Day CHG~0.00%
Published-08 May, 2026 | 12:19
Updated-09 May, 2026 | 07:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache CloudStack: Domain/account resources limits not honored

Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to degrade the infrastructure's resources and lead to denial of service conditions. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-cloudstackApache CloudStack
CWE ID-CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2021-43045
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.37% / 58.92%
||
7 Day CHG~0.00%
Published-06 Jan, 2022 | 18:00
Updated-04 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Possible DOS vulnerabilities in C# Avro SDK

A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-avroApache Avro
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2021-35517
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-1.32% / 80.02%
||
7 Day CHG~0.00%
Published-13 Jul, 2021 | 07:15
Updated-04 Aug, 2024 | 00:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Commons Compress 1.1 to 1.20 denial of service vulnerability

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Action-Not Available
Vendor-NetApp, Inc.The Apache Software FoundationOracle Corporation
Product-healthcare_data_repositorypeoplesoft_enterprise_peopletoolsprimavera_unifiercommunications_cloud_native_core_service_communication_proxybanking_digital_experiencecommunications_billing_and_revenue_managementutilities_testing_acceleratoroncommand_insightcommunications_messaging_serverfinancial_services_crime_and_compliance_management_studiocommunications_session_route_manageractive_iq_unified_managerfinancial_services_enterprise_case_managementbanking_party_managementbanking_trade_financecommunications_diameter_intelligence_hubbanking_apisbanking_enterprise_default_managementbanking_paymentscommunications_cloud_native_core_unified_data_repositoryflexcube_universal_bankingcommons_compressinsurance_policy_administrationcommerce_guided_searchbanking_treasury_managementwebcenter_portalbusiness_process_management_suiteApache Commons Compress
CWE ID-CWE-130
Improper Handling of Length Parameter Inconsistency
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2021-35516
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-1.74% / 82.66%
||
7 Day CHG~0.00%
Published-13 Jul, 2021 | 07:15
Updated-04 Aug, 2024 | 00:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Commons Compress 1.6 to 1.20 denial of service vulnerability

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Action-Not Available
Vendor-NetApp, Inc.The Apache Software FoundationOracle Corporation
Product-healthcare_data_repositorypeoplesoft_enterprise_peopletoolsprimavera_unifiercommunications_cloud_native_core_automated_test_suitecommunications_cloud_native_core_service_communication_proxybanking_digital_experiencecommunications_billing_and_revenue_managementoncommand_insightutilities_testing_acceleratorcommunications_messaging_serverfinancial_services_crime_and_compliance_management_studiocommunications_session_route_manageractive_iq_unified_managerfinancial_services_enterprise_case_managementbanking_party_managementcommunications_diameter_intelligence_hubbanking_enterprise_default_managementcommunications_cloud_native_core_unified_data_repositoryflexcube_universal_bankingcommons_compressinsurance_policy_administrationcommerce_guided_searchwebcenter_portalbusiness_process_management_suiteApache Commons Compress
CWE ID-CWE-130
Improper Handling of Length Parameter Inconsistency
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2021-31811
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-5.5||MEDIUM
EPSS-0.52% / 66.99%
||
7 Day CHG~0.00%
Published-12 Jun, 2021 | 09:45
Updated-03 Aug, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file

In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

Action-Not Available
Vendor-The Apache Software FoundationFedora ProjectOracle Corporation
Product-banking_supply_chain_financeprimavera_unifierpdfboxflexcube_universal_bankingcommunications_messaging_serverfedoraoutside_in_technologybanking_corporate_lending_process_managementbanking_credit_facilities_process_managementbanking_treasury_managementretail_customer_management_and_segmentation_foundationbanking_trade_financeApache PDFBox
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-26308
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-5.5||MEDIUM
EPSS-0.39% / 60.28%
||
7 Day CHG~0.00%
Published-19 Feb, 2024 | 08:31
Updated-27 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-commons_compressApache Commons Compress
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-38507
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-0.26% / 48.81%
||
7 Day CHG~0.00%
Published-15 Sep, 2023 | 19:15
Updated-25 Sep, 2024 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Strapi Improper Rate Limiting vulnerability

Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue.

Action-Not Available
Vendor-Strapi, Inc.
Product-strapistrapi
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
  • Previous
  • 1
  • 2
  • Next
Details not found