Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-42127

Summary
Assigner-GRAFANA
Assigner Org ID-57da9224-a3e2-4646-9d0e-c4dc2e05e7da
Published At-22 Jun, 2026 | 16:31
Updated At-22 Jun, 2026 | 17:28
Rejected At-
Credits

Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GRAFANA
Assigner Org ID:57da9224-a3e2-4646-9d0e-c4dc2e05e7da
Published At:22 Jun, 2026 | 16:31
Updated At:22 Jun, 2026 | 17:28
Rejected At:
▼CVE Numbering Authority (CNA)
Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.

Affected Products
Vendor
Grafana LabsGrafana
Product
Grafana Enterprise
Default Status
unaffected
Versions
Affected
  • From 0 through 11.6.14 (semver)
  • From 0 through 12.2.8 (semver)
  • From 0 through 12.3.6 (semver)
  • From 0 through 12.4.3 (semver)
  • From 0 through 13.0.1 (semver)
Vendor
Grafana LabsGrafana
Product
Grafana OSS
Default Status
unaffected
Versions
Affected
  • From 11.6.0 through 11.6.14 (semver)
  • From 12.2.0 through 12.2.8 (semver)
  • From 12.3.0 through 12.3.6 (semver)
  • From 12.4.0 through 12.4.3 (semver)
  • From 13.0.0 through 13.0.1 (semver)
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Charlie Lewis
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://grafana.com/security/security-advisories/cve-2026-42127
vendor-advisory
Hyperlink: https://grafana.com/security/security-advisories/cve-2026-42127
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-770CWE-770 Allocation of Resources Without Limits or Throttling
Type: CWE
CWE ID: CWE-770
Description: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@grafana.com
Published At:22 Jun, 2026 | 18:16
Updated At:30 Jun, 2026 | 14:49

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
N/A
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Grafana Labs
grafana
>>grafana>>Versions up to 11.6.14(inclusive)
cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Grafana Labs
grafana
>>grafana>>Versions from 12.2.0(inclusive) to 12.2.8(inclusive)
cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Grafana Labs
grafana
>>grafana>>Versions from 12.3.0(inclusive) to 12.3.6(inclusive)
cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Grafana Labs
grafana
>>grafana>>Versions from 12.4.0(inclusive) to 12.4.3(inclusive)
cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Grafana Labs
grafana
>>grafana>>Versions from 13.0.0(inclusive) to 13.0.1(inclusive)
cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*
Weaknesses
CWE IDTypeSource
CWE-770Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-770
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://grafana.com/security/security-advisories/cve-2026-42127security@grafana.com
Broken Link
Hyperlink: https://grafana.com/security/security-advisories/cve-2026-42127
Source: security@grafana.com
Resource:
Broken Link

Change History

0
Information is not available yet

Similar CVEs

795Records found

CVE-2026-27880
Matching Score-10
Assigner-Grafana Labs
ShareView Details
Matching Score-10
Assigner-Grafana Labs
CVSS Score-7.5||HIGH
EPSS-0.77% / 51.17%
||
7 Day CHG+0.21%
Published-27 Mar, 2026 | 14:12
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenFeature evaluation API reads input data with no bounds

The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.

Action-Not Available
Vendor-Red Hat, Inc.Grafana Labs
Product-grafanaGrafanaRed Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-21728
Matching Score-10
Assigner-Grafana Labs
ShareView Details
Matching Score-10
Assigner-Grafana Labs
CVSS Score-7.5||HIGH
EPSS-0.65% / 46.41%
||
7 Day CHG+0.26%
Published-24 Apr, 2026 | 08:00
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tempo query limit results in unbounded memory allocation

Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy. Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).

Action-Not Available
Vendor-Red Hat, Inc.Grafana Labs
Product-tempoTempoMulticluster Global HubMulticluster Global Hub 1.3.4Multicluster Global Hub 1.5.4Multicluster Global Hub 1.4.5Red Hat Ceph Storage 5Multicluster Global Hub 1.7.1Red Hat OpenShift distributed tracing 3Logging Subsystem for Red Hat OpenShiftRed Hat Ceph Storage 6Red Hat Enterprise Linux 9Red Hat Advanced Cluster Management for Kubernetes 2Red Hat Ceph Storage 9Red Hat Enterprise Linux 10Multicluster Global Hub 1.6.2
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2021-28148
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.50% / 87.73%
||
7 Day CHG~0.00%
Published-22 Mar, 2021 | 14:06
Updated-03 Aug, 2024 | 21:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.

Action-Not Available
Vendor-n/aGrafana Labs
Product-grafanan/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2021-27358
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-83.04% / 99.63%
||
7 Day CHG~0.00%
Published-18 Mar, 2021 | 19:43
Updated-03 Aug, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.

Action-Not Available
Vendor-n/aGrafana LabsNetApp, Inc.
Product-e-series_performance_analyzergrafanan/a
CVE-2026-21720
Matching Score-8
Assigner-Grafana Labs
ShareView Details
Matching Score-8
Assigner-Grafana Labs
CVSS Score-7.5||HIGH
EPSS-0.62% / 45.23%
||
7 Day CHG+0.15%
Published-27 Jan, 2026 | 09:07
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out

Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.

Action-Not Available
Vendor-Red Hat, Inc.Grafana Labs
Product-grafanagrafana/grafanagrafana/grafana-enterpriseRed Hat Ceph Storage 8Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Ceph Storage 7
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-703
Improper Check or Handling of Exceptional Conditions
CWE ID-CWE-772
Missing Release of Resource after Effective Lifetime
CVE-2023-2801
Matching Score-8
Assigner-Grafana Labs
ShareView Details
Matching Score-8
Assigner-Grafana Labs
CVSS Score-7.5||HIGH
EPSS-0.74% / 50.26%
||
7 Day CHG~0.00%
Published-06 Jun, 2023 | 18:03
Updated-13 Feb, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly. This might enable malicious users to crash Grafana instances through that endpoint. Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix.

Action-Not Available
Vendor-Grafana Labs
Product-grafanaGrafana EnterpriseGrafana
CWE ID-CWE-662
Improper Synchronization
CWE ID-CWE-820
Missing Synchronization
CVE-2026-28383
Matching Score-6
Assigner-Grafana Labs
ShareView Details
Matching Score-6
Assigner-Grafana Labs
CVSS Score-6.5||MEDIUM
EPSS-0.33% / 24.73%
||
7 Day CHG~0.00%
Published-13 May, 2026 | 19:28
Updated-22 Jun, 2026 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Grafana plugin resources can lead to unbounded memory allocation

A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can exploit this to trigger an out-of-memory condition, potentially causing a denial of service.

Action-Not Available
Vendor-Grafana Labs
Product-grafanaGrafana OSS
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-28376
Matching Score-6
Assigner-Grafana Labs
ShareView Details
Matching Score-6
Assigner-Grafana Labs
CVSS Score-6.5||MEDIUM
EPSS-0.33% / 24.73%
||
7 Day CHG~0.00%
Published-13 May, 2026 | 19:28
Updated-22 Jun, 2026 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Grafana Live push endpoint allows unbounded memory allocation leading to OOM

The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue.

Action-Not Available
Vendor-Grafana Labs
Product-grafanaGrafana OSS
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-27556
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.01% / 58.95%
||
7 Day CHG~0.00%
Published-28 Apr, 2023 | 00:56
Updated-30 Jan, 2025 | 20:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Safer Payments denial of service

IBM Counter Fraud Management for Safer Payments 6.1.0.00, 6.2.0.00, 6.3.0.00 through 6.3.1.03, 6.4.0.00 through 6.4.2.02 and 6.5.0.00 does not properly allocate resources without limits or throttling which could allow a remote attacker to cause a denial of service. IBM X-Force ID: 249190.

Action-Not Available
Vendor-IBM Corporation
Product-safer_paymentsSafer Payments
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-59375
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.28% / 66.47%
||
7 Day CHG~0.00%
Published-15 Sep, 2025 | 00:00
Updated-12 May, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.

Action-Not Available
Vendor-libexpat_projectlibexpat projectSiemens AG
Product-libexpatlibexpatSCALANCE XRM334 (2x230 V AC, 12xFO)SIMATIC S7-1500 CPU 1518F-4 PN/DP MFPSCALANCE XRM334 (230 V AC, 12xFO)SCALANCE XRH334 (24 V DC, 8xFO, CC)SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 familySCALANCE XRM334 (2x230 V AC, 8xFO)SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+)SCALANCE XRM334 (24 V DC, 8xFO)SCALANCE XCM332SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+)SCALANCE XRM334 (230 V AC, 8xFO)SIPLUS S7-1500 CPU 1518-4 PN/DP MFPSCALANCE XCH328RUGGEDCOM RST2428PSCALANCE XCM324SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+)SIMATIC S7-1500 CPU 1518-4 PN/DP MFPSCALANCE XRM334 (24 V DC, 12xFO)SCALANCE XCM328
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-23837
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.19% / 64.26%
||
7 Day CHG~0.00%
Published-26 Feb, 2024 | 16:17
Updated-03 Nov, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LibHTP unbounded folded header handling leads to denial service

LibHTP is a security-aware parser for the HTTP protocol. Crafted traffic can cause excessive processing time of HTTP headers, leading to denial of service. This issue is addressed in 0.5.46.

Action-Not Available
Vendor-oisfOISFoisfFedora Project
Product-fedoralibhtplibhtpfedoralibhtp
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-9675
Matching Score-4
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
ShareView Details
Matching Score-4
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
CVSS Score-7.5||HIGH
EPSS-0.43% / 34.28%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 16:20
Updated-25 Jun, 2026 | 17:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
undici WebSocket client vulnerable to denial of service via cumulative fragment bypass

Impact: The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service. Affected applications are those using the undici WebSocket client (new WebSocket(...)) that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint. This is a regression specific to undici 8.1.0. The 6.25.0 line shipped the equivalent cumulative check from the start and is unaffected. The 7.x line never had the maxPayloadSize feature and is also unaffected. Patches: Upgrade to undici >= 8.5.0. Workarounds: No workaround is available. The fix must be applied through an upgrade.

Action-Not Available
Vendor-undiciNode.js (OpenJS Foundation)
Product-undiciundici
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-8486
Matching Score-4
Assigner-Progress Software Corporation
ShareView Details
Matching Score-4
Assigner-Progress Software Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 31.49%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 14:11
Updated-21 May, 2026 | 18:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation

Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Flooding. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.

Action-Not Available
Vendor-Progress Software Corporation
Product-moveit_automationMOVEit Automation
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-7776
Matching Score-4
Assigner-HashiCorp Inc.
ShareView Details
Matching Score-4
Assigner-HashiCorp Inc.
CVSS Score-7.5||HIGH
EPSS-0.20% / 10.03%
||
7 Day CHG~0.00%
Published-04 May, 2026 | 21:34
Updated-05 May, 2026 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Boundary Workers Vulnerable to Denial of Service During TLS Handshake

Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.

Action-Not Available
Vendor-HashiCorp, Inc.
Product-Boundary EnterpriseBoundary
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-59830
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.53% / 41.19%
||
7 Day CHG~0.00%
Published-25 Sep, 2025 | 14:37
Updated-10 Oct, 2025 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters

Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector. This issue has been patched in version 2.2.18.

Action-Not Available
Vendor-rackrack
Product-rackrack
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-22403
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-7.5||HIGH
EPSS-0.64% / 46.37%
||
7 Day CHG~0.00%
Published-12 Jan, 2023 | 00:00
Updated-07 Apr, 2025 | 19:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junos OS: QFX10K Series: An ICCP flap will be observed due to excessive specific traffic

An Allocation of Resources Without Limits or Throttling vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows a network-based, unauthenticated attacker to cause a Denial of Service (DoS). On QFX10K Series, Inter-Chassis Control Protocol (ICCP) is used in MC-LAG topologies to exchange control information between the devices in the topology. ICCP connection flaps and sync issues will be observed due to excessive specific traffic to the local device. This issue affects Juniper Networks Junos OS on QFX10K Series: * All versions prior to 20.2R3-S7; * 20.4 versions prior to 20.4R3-S4; * 21.1 versions prior to 21.1R3-S3; * 21.2 versions prior to 21.2R3-S1; * 21.3 versions prior to 21.3R3; * 21.4 versions prior to 21.4R3; * 22.1 versions prior to 22.1R2.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-qfx10002qfx10016junosqfx10008Junos OS
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-7541
Matching Score-4
Assigner-GitHub, Inc. (Products Only)
ShareView Details
Matching Score-4
Assigner-GitHub, Inc. (Products Only)
CVSS Score-6.3||MEDIUM
EPSS-0.39% / 30.79%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 21:18
Updated-11 May, 2026 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service vulnerability in GitHub Enterprise Server allowed service disruption via unauthenticated API endpoint

A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies without size or depth limits, causing excessive CPU and memory consumption. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. This vulnerability was reported via the GitHub Bug Bounty program.

Action-Not Available
Vendor-GitHub, Inc.
Product-enterprise_serverEnterprise Server
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-7768
Matching Score-4
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
ShareView Details
Matching Score-4
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
CVSS Score-7.5||HIGH
EPSS-0.28% / 20.23%
||
7 Day CHG~0.00%
Published-04 May, 2026 | 19:14
Updated-29 May, 2026 | 14:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
@fastify/accepts-serializer vulnerable to Denial of Service via Unbounded Accept Header Cache Growth

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.

Action-Not Available
Vendor-fastify@fastify/accepts-serializer
Product-fastify\/accepts-serializer@fastify/accepts-serializer
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-26480
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-5.3||MEDIUM
EPSS-0.43% / 34.88%
||
7 Day CHG+0.04%
Published-10 Apr, 2025 | 02:22
Updated-11 Jul, 2025 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.0.0, contains an uncontrolled resource consumption vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.

Action-Not Available
Vendor-Dell Inc.
Product-powerscale_onefsPowerScale OneFS
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-23979
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-7.5||HIGH
EPSS-0.34% / 26.22%
||
7 Day CHG~0.00%
Published-14 Feb, 2024 | 16:30
Updated-23 Jan, 2025 | 19:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BIG-IP SSL Client Certificate LDAP and CRLDP Authentication profiles vulnerability

When SSL Client Certificate LDAP or Certificate Revocation List Distribution Point (CRLDP) authentication profile is configured on a virtual server, undisclosed requests can cause an increase in CPU resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Action-Not Available
Vendor-F5, Inc.
Product-big-ip_policy_enforcement_managerbig-ip_domain_name_systembig-ip_fraud_protection_servicebig-ip_link_controllerbig-ip_application_acceleration_managerbig-iq_centralized_managementbig-ip_access_policy_managerbig-ip_global_traffic_managerbig-ip_advanced_firewall_managerbig-ip_application_security_managerbig-ip_local_traffic_managerbig-ip_analyticsBIG-IP
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-59459
Matching Score-4
Assigner-SICK AG
ShareView Details
Matching Score-4
Assigner-SICK AG
CVSS Score-5.5||MEDIUM
EPSS-0.32% / 23.30%
||
7 Day CHG~0.00%
Published-27 Oct, 2025 | 10:09
Updated-27 Feb, 2026 | 08:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial-of-service (DoS) via resource consumption

An attacker that gains SSH access to an unprivileged account may be able to disrupt services (including SSH), causing persistent loss of availability.

Action-Not Available
Vendor-SICK AG
Product-tloc100-100tloc100-100_firmwareTLOC100-100
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-59778
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-7.7||HIGH
EPSS-0.30% / 22.30%
||
7 Day CHG~0.00%
Published-15 Oct, 2025 | 13:55
Updated-26 Feb, 2026 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VELOS partition container network vulnerability

When the Allowed IP Addresses feature is configured on the F5OS-C partition control plane, undisclosed traffic can cause multiple containers to terminate.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Action-Not Available
Vendor-F5, Inc.
Product-f5os-cF5OS - Chassis
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-58446
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.50% / 38.87%
||
7 Day CHG~0.00%
Published-06 Sep, 2025 | 19:06
Updated-18 Sep, 2025 | 15:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
xgrammar vulnerable to denial of service by huge enum grammar

xgrammar is an open-source library for efficient, flexible, and portable structured generation. A grammar optimizer introduced in 0.1.23 processes large grammars (>100k characters) at very low rates, and can be used for DOS of model providers. This issue is fixed in version 0.1.24.

Action-Not Available
Vendor-mlc-aimlc-ai
Product-xgrammarxgrammar
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2018-1274
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-7.5||HIGH
EPSS-1.97% / 77.98%
||
7 Day CHG~0.00%
Published-18 Apr, 2018 | 16:00
Updated-26 Jun, 2026 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).

Action-Not Available
Vendor-VMware (Broadcom Inc.)Broadcom Inc.
Product-spring_data_commonsspring_data_restSpring Framework
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-23835
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.93% / 56.13%
||
7 Day CHG~0.00%
Published-26 Feb, 2024 | 15:35
Updated-13 Feb, 2025 | 17:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Suricata's pgsql: memory exhaustion use on record parsing

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.3, excessive memory use during pgsql parsing could lead to OOM-related crashes. This vulnerability is patched in 7.0.3. As workaround, users can disable the pgsql app layer parser.

Action-Not Available
Vendor-oisfOISFoisfFedora Project
Product-fedorasuricatasuricatasuricata
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-47108
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.59% / 72.71%
||
7 Day CHG+0.01%
Published-10 Nov, 2023 | 18:31
Updated-28 Oct, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.

Action-Not Available
Vendor-opentelemetryopen-telemetry
Product-opentelemetryopentelemetry-go-contrib
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-8488
Matching Score-4
Assigner-Progress Software Corporation
ShareView Details
Matching Score-4
Assigner-Progress Software Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 28.39%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 14:14
Updated-21 May, 2026 | 19:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation

Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Excessive Allocation. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.

Action-Not Available
Vendor-Progress Software Corporation
Product-moveit_automationMOVEit Automation
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-5807
Matching Score-4
Assigner-HashiCorp Inc.
ShareView Details
Matching Score-4
Assigner-HashiCorp Inc.
CVSS Score-7.5||HIGH
EPSS-0.72% / 49.32%
||
7 Day CHG+0.26%
Published-17 Apr, 2026 | 03:22
Updated-30 Jun, 2026 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations

Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.

Action-Not Available
Vendor-HashiCorp, Inc.Red Hat, Inc.
Product-vaultVaultVault EnterpriseRed Hat Openshift Data Foundation 4Red Hat OpenShift Container Platform 4
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-25032
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-0.32% / 23.92%
||
7 Day CHG~0.00%
Published-11 Jun, 2025 | 17:26
Updated-24 Aug, 2025 | 11:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Cognos Analytics denial of service

IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 could allow an authenticated user to cause a denial of service by sending a specially crafted request that would exhaust memory resources.

Action-Not Available
Vendor-IBM Corporation
Product-Cognos Analytics
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-4647
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.61% / 44.96%
||
7 Day CHG~0.00%
Published-01 Sep, 2023 | 10:30
Updated-02 Jun, 2026 | 04:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allocation of Resources Without Limits or Throttling in GitLab

An issue has been discovered in GitLab affecting all versions starting from 15.2 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which the projects API pagination can be skipped, potentially leading to DoS on certain instances.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-58582
Matching Score-4
Assigner-SICK AG
ShareView Details
Matching Score-4
Assigner-SICK AG
CVSS Score-5.3||MEDIUM
EPSS-0.52% / 40.09%
||
7 Day CHG+0.01%
Published-06 Oct, 2025 | 06:50
Updated-27 Jan, 2026 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consumption via log file

If a user tries to login but the provided credentials are incorrect a log is created. The data for this POST requests is not validated and it’s possible to send giant payloads which are then logged.

Action-Not Available
Vendor-SICK AG
Product-enterprise_analyticsEnterprise Analytics
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-58754
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.10% / 61.62%
||
7 Day CHG~0.00%
Published-12 Sep, 2025 | 01:16
Updated-16 Jan, 2026 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Axios is vulnerable to DoS attack through lack of data size check

Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Versions 0.30.2 and 1.12.0 contain a patch for the issue.

Action-Not Available
Vendor-axiosaxios
Product-axiosaxios
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2018-10790
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.53% / 71.64%
||
7 Day CHG~0.00%
Published-25 Aug, 2021 | 13:54
Updated-05 Aug, 2024 | 07:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The AP4_CttsAtom class in Core/Ap4CttsAtom.cpp in Bento4 1.5.1.0 allows remote attackers to cause a denial of service (application crash), related to a memory allocation failure, as demonstrated by mp2aac.

Action-Not Available
Vendor-n/aAxiomatic Systems, LLC
Product-bento4n/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-46695
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-49.77% / 98.76%
||
7 Day CHG~0.00%
Published-02 Nov, 2023 | 00:00
Updated-02 Aug, 2024 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

Action-Not Available
Vendor-n/aDjango
Product-djangon/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-4486
Matching Score-4
Assigner-Johnson Controls
ShareView Details
Matching Score-4
Assigner-Johnson Controls
CVSS Score-7.5||HIGH
EPSS-0.83% / 53.00%
||
7 Day CHG~0.00%
Published-07 Dec, 2023 | 19:55
Updated-28 May, 2025 | 13:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consumption in Metasys and Facility Explorer

Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to versions 11.0.6 and 12.0.4 and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service.

Action-Not Available
Vendor-johnsoncontrolsJohnson Controls
Product-snc25150-04_firmwaresnc25150-0_firmwaresne22000_firmwaresnc25150-04f4-snc_firmwarenae55sne11000_firmwaresnc25150-0sne11000snc16120-04_firmwaresne10500_firmwaref4-sncsnc16120-0snc16120-0_firmwaresne10500nae55_firmwaresne22000snc16120-04sne110l0sne110l0_firmwareFacility Explorer F4-SNCMetasys NAE55/SNE/SNC
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-44271
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.04% / 59.76%
||
7 Day CHG~0.00%
Published-03 Nov, 2023 | 00:00
Updated-02 Aug, 2024 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

Action-Not Available
Vendor-n/aFedora ProjectPython Software Foundation
Product-pillowfedoran/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-45142
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.36% / 68.43%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 16:33
Updated-13 Feb, 2025 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.

Action-Not Available
Vendor-opentelemetryopen-telemetry
Product-opentelemetryopentelemetry-go-contrib
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-24006
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.40% / 32.34%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 02:32
Updated-06 Apr, 2026 | 13:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Seroval affected by Denial of Service via Deeply Nested Objects

Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.

Action-Not Available
Vendor-lxsmnsyclxsmnsyc
Product-serovalseroval
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-45371
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.51% / 39.63%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 00:00
Updated-19 Sep, 2024 | 17:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the Wikibase extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is no rate limit for merging items.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-56223
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.54% / 41.33%
||
7 Day CHG~0.00%
Published-20 Oct, 2025 | 00:00
Updated-27 Oct, 2025 | 13:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A lack of rate limiting in the component /Home/UploadStreamDocument of SigningHub v8.6.8 allows attackers to cause a Denial of Service (DoS) via uploading an excessive number of files.

Action-Not Available
Vendor-ascertian/a
Product-signinghubn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-22773
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.40% / 32.32%
||
7 Day CHG~0.00%
Published-10 Jan, 2026 | 06:39
Updated-27 Jan, 2026 | 21:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vLLM is vulnerable to DoS in Idefics3 vision models via image payload with ambiguous dimensions

vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0.

Action-Not Available
Vendor-vllmvllm-project
Product-vllmvllm
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-44191
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-7.5||HIGH
EPSS-0.52% / 40.07%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 23:03
Updated-19 Sep, 2024 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junos OS: QFX5000 Series and EX4000 Series: Denial of Service (DoS) on a large scale VLAN due to PFE hogging

An Allocation of Resources Without Limits or Throttling vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause Denial of Service (DoS). On all Junos OS QFX5000 Series and EX4000 Series platforms, when a high number of VLANs are configured, a specific DHCP packet will cause PFE hogging which will lead to dropping of socket connections. This issue affects: Juniper Networks Junos OS on QFX5000 Series and EX4000 Series * 21.1 versions prior to 21.1R3-S5; * 21.2 versions prior to 21.2R3-S5; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S4; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S1; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2. This issue does not affect Juniper Networks Junos OS versions prior to 21.1R1

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-qfk5210qfk5700ex4400ex9200ex4100_multigigabitex4300_multigigabitex4300ex4400-24xex3400ex9250ex2300ex4650ex4100-fex4400_multigigabitqfk5110ex4100ex4600qfk5130junosqfk5200ex2300-cex2300_multigigabitqfk5230qfk5220qfk5120Junos OSjunos_os
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-43768
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.75% / 50.41%
||
7 Day CHG~0.00%
Published-27 Mar, 2024 | 00:00
Updated-05 Aug, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Couchbase Server 6.6.x through 7.2.0, before 7.1.5 and 7.2.1. Unauthenticated users may cause memcached to run out of memory via large commands.

Action-Not Available
Vendor-n/aCouchbase, Inc.
Product-n/acouchbase_server
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-57080
Matching Score-4
Assigner-CPAN Security Group
ShareView Details
Matching Score-4
Assigner-CPAN Security Group
CVSS Score-7.5||HIGH
EPSS-0.26% / 17.64%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 11:04
Updated-30 Jun, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix

Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix. The peer-wire framing in _process_messages trusts the 4-byte length prefix sent by a connected peer with no upper bound, while receive_data appends every inbound byte to the input buffer. A peer announces a length prefix of up to about 4 GiB and then streams bytes; the decoder waits until the buffer holds the full message before processing it, so the buffer grows without limit. Peer connections are unauthenticated, so any peer in the swarm exhausts the downloading process's memory. The largest legitimate message is a 16 KiB piece block, so any announced length far above that is anomalous.

Action-Not Available
Vendor-SANKO
Product-Net::BitTorrent
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-22353
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.82% / 52.67%
||
7 Day CHG~0.00%
Published-31 Mar, 2024 | 11:43
Updated-01 Aug, 2024 | 22:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM WebSphere Application Server Liberty denial of service

IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.4 is vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 280400.

Action-Not Available
Vendor-IBM Corporation
Product-websphere_application_serverWebSphere Application Server Liberty
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-42457
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.82% / 52.82%
||
7 Day CHG~0.00%
Published-21 Sep, 2023 | 14:49
Updated-13 Feb, 2025 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
plone.rest vulnerable to Denial of Service when ++api++ is used many times

plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive. Patches are available in `plone.rest` 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect `/++api++/++api++` to `/++api++` in one's frontend web server (nginx, Apache).

Action-Not Available
Vendor-Plone Foundation
Product-restplone.rest
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-43642
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.04% / 59.78%
||
7 Day CHG~0.00%
Published-25 Sep, 2023 | 19:03
Updated-24 Sep, 2024 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing upper bound check on chunk length in snappy-java

snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.

Action-Not Available
Vendor-xerialxerial
Product-snappy-javasnappy-java
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-21634
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.82% / 52.75%
||
7 Day CHG~0.00%
Published-03 Jan, 2024 | 22:46
Updated-03 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ion Java StackOverflow vulnerability

Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the `IonValue` model and then invoke certain `IonValue` methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the `IonValue` model, results in a `StackOverflowError` originating from the `ion-java` library. The patch is included in `ion-java` 1.10.5. As a workaround, do not load data which originated from an untrusted source or that could have been tampered with.

Action-Not Available
Vendor-amazonamazon-ion
Product-ionion-java
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-22182
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.52% / 40.55%
||
7 Day CHG~0.00%
Published-13 Mar, 2026 | 01:17
Updated-17 Mar, 2026 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
wpDiscuz before 7.6.47 - Unauthenticated Email Notification Flood via wpdCheckNotificationType

wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authentication checks, and rate limiting.

Action-Not Available
Vendor-gvectorsgVectors
Product-wpdiscuzwpDiscuz
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-862
Missing Authorization
CVE-2018-0358
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-7.5||HIGH
EPSS-3.45% / 87.56%
||
7 Day CHG~0.00%
Published-21 Jun, 2018 | 11:00
Updated-29 Nov, 2024 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the file descriptor handling of Cisco TelePresence Video Communication Server (VCS) Expressway could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to exhaustion of file descriptors while processing a high volume of traffic. An attacker could exploit this vulnerability by establishing a high number of concurrent TCP connections to the vulnerable system. An exploit could allow the attacker to cause a restart in a specific process, resulting in a temporary interruption of service. Cisco Bug IDs: CSCvh77056, CSCvh77058, CSCvh95264.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-telepresence_video_communication_serverCisco TelePresence Video Communication Server unknown
CWE ID-CWE-769
DEPRECATED: Uncontrolled File Descriptor Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 15
  • 16
  • Next
Details not found