Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-54428

Summary
Assigner-apache
Assigner Org ID-f0158376-9dc2-43b6-827c-5f631a4d8d09
Published At-01 Jul, 2026 | 17:03
Updated At-01 Jul, 2026 | 18:15
Rejected At-
Credits

Apache HttpComponents Core: HPackDecoder Unlimited Header List Size Before SETTINGS ACK

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement causes the configured header list size limit to be applied.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:apache
Assigner Org ID:f0158376-9dc2-43b6-827c-5f631a4d8d09
Published At:01 Jul, 2026 | 17:03
Updated At:01 Jul, 2026 | 18:15
Rejected At:
▼CVE Numbering Authority (CNA)
Apache HttpComponents Core: HPackDecoder Unlimited Header List Size Before SETTINGS ACK

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement causes the configured header list size limit to be applied.

Affected Products
Vendor
The Apache Software FoundationApache Software Foundation
Product
Apache HttpComponents Core
Collection URL
https://repo.maven.apache.org/maven2/
Package Name
org.apache.httpcomponents.core5:httpcore5-h2
Default Status
unaffected
Versions
Affected
  • From 5.5-alpha through 5.5-beta1 (maven)
  • From 5.0-alpha through 5.4.2 (maven)
Problem Types
TypeCWE IDDescription
CWECWE-770CWE-770: Allocation of Resources Without Limits or Throttling
CWECWE-400CWE-400: Uncontrolled Resource Consumption
Type: CWE
CWE ID: CWE-770
Description: CWE-770: Allocation of Resources Without Limits or Throttling
Type: CWE
CWE ID: CWE-400
Description: CWE-400: Uncontrolled Resource Consumption
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Textual description of severity
text:
Important
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Henry Huang <zhuang3@paypal.com>
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://lists.apache.org/thread/5zjp8vczvxq19pw2rvhs21q446bhl0sd
vendor-advisory
Hyperlink: https://lists.apache.org/thread/5zjp8vczvxq19pw2rvhs21q446bhl0sd
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
http://www.openwall.com/lists/oss-security/2026/07/01/3
N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2026/07/01/3
Resource: N/A
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@apache.org
Published At:01 Jul, 2026 | 18:16
Updated At:01 Jul, 2026 | 19:59

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement causes the configured header list size limit to be applied.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
N/A
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-400Secondarysecurity@apache.org
CWE-770Secondarysecurity@apache.org
CWE ID: CWE-400
Type: Secondary
Source: security@apache.org
CWE ID: CWE-770
Type: Secondary
Source: security@apache.org
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://lists.apache.org/thread/5zjp8vczvxq19pw2rvhs21q446bhl0sdsecurity@apache.org
N/A
http://www.openwall.com/lists/oss-security/2026/07/01/3af854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: https://lists.apache.org/thread/5zjp8vczvxq19pw2rvhs21q446bhl0sd
Source: security@apache.org
Resource: N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2026/07/01/3
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2113Records found

CVE-2022-26477
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-2.04% / 78.80%
||
7 Day CHG~0.00%
Published-27 Jun, 2022 | 17:15
Updated-03 Aug, 2024 | 05:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service in readExternal method

The Security Team noticed that the termination condition of the for loop in the readExternal method is a controllable variable, which, if tampered with, may lead to CPU exhaustion. As a fix, we added an upper bound and termination condition in the read and write logic. We classify it as a "low-priority but useful improvement". SystemDS is a distributed system and needs to serialize/deserialize data but in many code paths (e.g., on Spark broadcast/shuffle or writing to sequence files) the byte stream is anyway protected by additional CRC fingerprints. In this particular case though, the number of decoders is upper-bounded by twice the number of columns, which means an attacker would need to modify two entries in the byte stream in a consistent manner. By adding these checks robustness was strictly improved with almost zero overhead. These code changes are available in versions higher than 2.2.1.

Action-Not Available
Vendor-The Apache Software Foundation
Product-systemdsApache SystemDS
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-43622
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-70.59% / 99.31%
||
7 Day CHG~0.00%
Published-23 Oct, 2023 | 06:50
Updated-13 Feb, 2025 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache HTTP Server: DoS in HTTP/2 with initial windows size 0

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-http_serverApache HTTP Server
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-50750
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.50% / 38.86%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 09:51
Updated-02 Jul, 2026 | 18:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: Pre-authentication OpenWire DoS following fix for CVE-2026-49270

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Following the fix for CVE-2026-49270 an unauthenticated attacker can now cause broker OOM by sending an repeated BrokerInfo commands without sending a ConnectionInfo, until the broker will crash with OOM. This issue affects Apache ActiveMQ Broker: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ All: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7. Users are recommended to upgrade to version 6.2.7, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-activemq_brokeractivemqApache ActiveMQ AllApache ActiveMQApache ActiveMQ Broker
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-42440
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.63% / 45.63%
||
7 Day CHG+0.15%
Published-04 May, 2026 | 16:40
Updated-03 Jul, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache OpenNLP: OOM DoS via Unbounded Array Allocation in AbstractModelReader

OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader  Versions Affected:  before 1.9.5 before 2.5.9 before 3.0.0-M3  Description: The AbstractModelReader methods getOutcomes(), getOutcomePatterns(), and getPredicates() each read a 32-bit signed integer count field from a binary model stream and pass that value directly to an array allocation (new String[numOutcomes], new int[numOCTypes][], new String[NUM_PREDS]) without validating that the value is non-negative or within a reasonable bound. The count is therefore fully attacker-controlled when the model file originates from an untrusted source. A crafted .bin model file in which any of these count fields is set to Integer.MAX_VALUE (or any value large enough to exhaust the available heap) triggers an OutOfMemoryError at the array allocation itself, before the corresponding label or pattern data is consumed from the stream. The error occurs very early in deserialization: for a GIS model, getOutcomes() is reached after only the model-type string, the correction constant, and the correction parameter have been read; so the attacker pays no meaningful size cost to weaponize a payload, and a single small file can crash a JVM that loads it. Any code path that deserializes a .bin model is affected, including direct use of GenericModelReader and any higher-level component that delegates to it during model load. The practical impact is denial of service against processes that load model files from untrusted or semi-trusted origins.   Mitigation: * 2.x users should upgrade to 2.5.9. * 3.x users should upgrade to 3.0.0-M3. Note: The fix introduces an upper bound on each of the three count fields, checked before array allocation; counts that are negative or exceed the bound cause an IllegalArgumentException to be thrown and the read to fail fast with no large allocation. The default bound is 10,000,000, which is well above the entry counts of legitimate OpenNLP models but far below any value that would threaten heap exhaustion. Deployments that legitimately need to load models with more entries than the default can raise the limit at JVM startup by setting the OPENNLP_MAX_ENTRIES system property to the desired positive integer (e.g. -DOPENNLP_MAX_ENTRIES=50000000); invalid or non-positive values fall back to the default. Users who cannot upgrade immediately should treat all .bin model files as untrusted input unless their provenance is verified, and should avoid loading models supplied by end users or fetched from third-party repositories without integrity checks.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-opennlpApache OpenNLPRed Hat Fuse 7Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Data Grid 8Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CVE-2026-54399
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.41% / 32.84%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 17:02
Updated-01 Jul, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache HttpComponents Core: Unbounded HTTP Header/Line Length in Default Configuration

Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending messages with excessive number of headers / excessive header length

Action-Not Available
Vendor-The Apache Software Foundation
Product-Apache HttpComponents Core
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-50645
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.46% / 36.68%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 09:06
Updated-13 Jun, 2026 | 01:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache CXF: No restriction on attachment headers per message

There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can lead to uncontrolled resource consumption or a denial of service attack. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue by imposing a maximum default of 500 attachments per message.

Action-Not Available
Vendor-The Apache Software Foundation
Product-cxfApache CXF
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-49361
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.58% / 43.44%
||
7 Day CHG~0.00%
Published-01 Jun, 2026 | 07:57
Updated-01 Jun, 2026 | 18:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability

Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service. This issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0. Users are recommended to upgrade to version 0.9.1, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-flussApache Fluss (incubating)
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-23913
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-2.72% / 84.21%
||
7 Day CHG+0.04%
Published-04 Feb, 2022 | 22:33
Updated-15 Jun, 2026 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache ActiveMQ Artemis DoS

In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.

Action-Not Available
Vendor-The Apache Software FoundationNetApp, Inc.
Product-active_iq_unified_managerartemisoncommand_workflow_automationApache ActiveMQ Artemis
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-42402
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.71% / 49.03%
||
7 Day CHG~0.00%
Published-01 May, 2026 | 08:54
Updated-01 May, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Neethi: Policy Normalization Unbounded Resource Allocation DoS

Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion. Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives.

Action-Not Available
Vendor-The Apache Software Foundation
Product-neethiApache Neethi
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-41284
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.78% / 51.42%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 15:14
Updated-14 May, 2026 | 18:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-tomcatApache Tomcat
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-23184
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-5.9||MEDIUM
EPSS-1.94% / 77.68%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 09:35
Updated-15 Dec, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache CXF: Denial of Service vulnerability with temporary files

A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).

Action-Not Available
Vendor-The Apache Software Foundation
Product-cxfApache CXF
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2021-43045
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-2.96% / 85.52%
||
7 Day CHG~0.00%
Published-06 Jan, 2022 | 18:00
Updated-04 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Possible DOS vulnerabilities in C# Avro SDK

A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-avroApache Avro
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-34396
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-4.3||MEDIUM
EPSS-5.47% / 91.78%
||
7 Day CHG~0.00%
Published-14 Jun, 2023 | 07:50
Updated-13 Feb, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Struts: DoS via OOM owing to no sanity limit on normal form fields in multipart forms

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater

Action-Not Available
Vendor-The Apache Software Foundation
Product-strutsApache Struts
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-24998
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-46.84% / 98.68%
||
7 Day CHG~0.00%
Published-20 Feb, 2023 | 15:57
Updated-03 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Commons FileUpload, Apache Tomcat: FileUpload DoS with excessive parts

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

Action-Not Available
Vendor-Debian GNU/LinuxThe Apache Software Foundation
Product-debian_linuxcommons_fileuploadApache TomcatApache Commons FileUpload
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2021-35517
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-10.90% / 95.33%
||
7 Day CHG~0.00%
Published-13 Jul, 2021 | 07:15
Updated-04 Aug, 2024 | 00:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Commons Compress 1.1 to 1.20 denial of service vulnerability

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Action-Not Available
Vendor-NetApp, Inc.The Apache Software FoundationOracle Corporation
Product-healthcare_data_repositorypeoplesoft_enterprise_peopletoolsprimavera_unifiercommunications_cloud_native_core_service_communication_proxybanking_digital_experiencecommunications_billing_and_revenue_managementutilities_testing_acceleratoroncommand_insightcommunications_messaging_serverfinancial_services_crime_and_compliance_management_studiocommunications_session_route_manageractive_iq_unified_managerfinancial_services_enterprise_case_managementbanking_party_managementbanking_trade_financecommunications_diameter_intelligence_hubbanking_apisbanking_enterprise_default_managementbanking_paymentscommunications_cloud_native_core_unified_data_repositoryflexcube_universal_bankingcommons_compressinsurance_policy_administrationcommerce_guided_searchbanking_treasury_managementwebcenter_portalbusiness_process_management_suiteApache Commons Compress
CWE ID-CWE-130
Improper Handling of Length Parameter Inconsistency
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2021-30468
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-7.02% / 93.39%
||
7 Day CHG~0.00%
Published-16 Jun, 2021 | 12:00
Updated-03 Aug, 2024 | 22:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.

Action-Not Available
Vendor-The Apache Software FoundationOracle Corporation
Product-communications_messaging_servertomeebusiness_intelligencecxfcommunications_element_managerApache CXF
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2022-35724
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-1.55% / 72.09%
||
7 Day CHG~0.00%
Published-09 Aug, 2022 | 06:50
Updated-03 Aug, 2024 | 09:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service while reading data in Avro Rust SDK

It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-avroApache Avro
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2022-34917
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-1.25% / 65.77%
||
7 Day CHG+0.03%
Published-20 Sep, 2022 | 08:35
Updated-29 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated clients may cause OutOfMemoryError on Apache Kafka Brokers

A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions.

Action-Not Available
Vendor-The Apache Software Foundation
Product-kafkaApache Kafka
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CVE-2024-45626
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-0.74% / 50.17%
||
7 Day CHG~0.00%
Published-06 Feb, 2025 | 11:21
Updated-12 Feb, 2025 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache James: denial of service through JMAP HTML to text conversion

Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service. Users are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-james_serverApache James server
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-29885
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-71.65% / 99.34%
||
7 Day CHG~0.00%
Published-12 May, 2022 | 00:00
Updated-03 Aug, 2024 | 06:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EncryptInterceptor does not provide complete protection on insecure networks

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Action-Not Available
Vendor-The Apache Software FoundationDebian GNU/LinuxOracle Corporation
Product-hospitality_cruise_shipboard_property_management_systemdebian_linuxtomcatApache Tomcat
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-53506
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-1.90% / 77.13%
||
7 Day CHG~0.00%
Published-10 Jul, 2025 | 19:14
Updated-04 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Tomcat: DoS via excessive h2 streams at connection start

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-tomcatApache Tomcat
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2020-9494
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-3.91% / 89.01%
||
7 Day CHG~0.00%
Published-24 Jun, 2020 | 15:25
Updated-04 Aug, 2024 | 10:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread.

Action-Not Available
Vendor-The Apache Software FoundationDebian GNU/Linux
Product-debian_linuxtraffic_serverApache Traffic Server
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-37358
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-8.6||HIGH
EPSS-0.80% / 52.17%
||
7 Day CHG~0.00%
Published-06 Feb, 2025 | 11:22
Updated-29 Sep, 2025 | 21:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache James: denial of service through the use of IMAP literals

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.

Action-Not Available
Vendor-The Apache Software Foundation
Product-james_serverApache James server
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-38286
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-8.6||HIGH
EPSS-1.70% / 74.41%
||
7 Day CHG~0.00%
Published-07 Nov, 2024 | 07:37
Updated-03 Nov, 2025 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Tomcat: Denial of Service

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Action-Not Available
Vendor-NetApp, Inc.The Apache Software Foundation
Product-tomcatontap_toolsApache Tomcattomcat
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-43766
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-1.34% / 67.87%
||
7 Day CHG~0.00%
Published-26 Oct, 2022 | 00:00
Updated-07 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache IoTDB prior to 0.13.3 allows DoS

Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it.

Action-Not Available
Vendor-The Apache Software Foundation
Product-iotdbApache IoTDB
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2017-15701
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-4.39% / 90.12%
||
7 Day CHG~0.00%
Published-01 Dec, 2017 | 15:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 (inclusive) the broker does not properly enforce a maximum frame size in AMQP 1.0 frames. A remote unauthenticated attacker could exploit this to cause the broker to exhaust all available memory and eventually terminate. Older AMQP protocols are not affected.

Action-Not Available
Vendor-The Apache Software Foundation
Product-qpid_broker-jApache Qpid Broker-J
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-54472
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-1.20% / 64.37%
||
7 Day CHG~0.00%
Published-14 Aug, 2025 | 09:05
Updated-04 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache bRPC: Redis Parser Remote Denial of Service

Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service via network. Root Cause: In the bRPC Redis protocol parser code, memory for arrays or strings of corresponding sizes is allocated based on the integers read from the network. If the integer read from the network is too large, it may cause a bad alloc error and lead to the program crashing. Attackers can exploit this feature by sending special data packets to the bRPC service to carry out a denial-of-service attack on it. The bRPC 1.14.0 version tried to fix this issue by limited the memory allocation size, however, the limitation checking code is not well implemented that may cause integer overflow and evade such limitation. So the 1.14.0 version is also vulnerable, although the integer range that affect version 1.14.0 is different from that affect version < 1.14.0. Affected scenarios: Using bRPC as a Redis server to provide network services to untrusted clients, or using bRPC as a Redis client to call untrusted Redis services. How to Fix: we provide two methods, you can choose one of them: 1. Upgrade bRPC to version 1.14.1. 2. Apply this patch ( https://github.com/apache/brpc/pull/3050 ) manually. No matter you choose which method, you should note that the patch limits the maximum length of memory allocated for each time in the bRPC Redis parser. The default limit is 64M. If some of you redis request or response have a size larger than 64M, you might encounter error after upgrade. For such case, you can modify the gflag redis_max_allocation_size to set a larger limit.

Action-Not Available
Vendor-The Apache Software Foundation
Product-brpcApache bRPC
CWE ID-CWE-190
Integer Overflow or Wraparound
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-36124
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-1.28% / 66.40%
||
7 Day CHG~0.00%
Published-09 Aug, 2022 | 06:50
Updated-23 Jun, 2026 | 14:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Memory overconsumption in Avro Rust SDK

It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-avroApache Avro
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-34750
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-4.60% / 90.52%
||
7 Day CHG~0.00%
Published-03 Jul, 2024 | 19:32
Updated-03 Nov, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Tomcat: HTTP/2 excess header handling DoS

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

Action-Not Available
Vendor-NetApp, Inc.The Apache Software Foundation
Product-tomcatontap_toolsApache Tomcattomcat
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-755
Improper Handling of Exceptional Conditions
CVE-2021-33580
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-3.30% / 87.01%
||
7 Day CHG~0.00%
Published-18 Aug, 2021 | 07:50
Updated-03 Aug, 2024 | 23:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
regex injection leading to DoS

User controlled `request.getHeader("Referer")`, `request.getRequestURL()` and `request.getQueryString()` are used to build and run a regex expression. The attacker doesn't have to use a browser and may send a specially crafted Referer header programmatically. Since the attacker controls the string and the regex pattern he may cause a ReDoS by regex catastrophic backtracking on the server side. This problem has been fixed in Roller 6.0.2.

Action-Not Available
Vendor-The Apache Software Foundation
Product-rollerApache Roller
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2021-22696
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-6.59% / 93.02%
||
7 Day CHG~0.00%
Published-02 Apr, 2021 | 10:05
Updated-13 Feb, 2025 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OAuth 2 authorization service vulnerable to DDos attacks

CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.

Action-Not Available
Vendor-Oracle CorporationThe Apache Software Foundation
Product-communications_diameter_intelligence_hubcommunications_session_route_managerbusiness_intelligencecommunications_session_report_managercxfcommunications_element_managerApache CXF
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-42403
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.76% / 50.87%
||
7 Day CHG~0.00%
Published-01 May, 2026 | 08:38
Updated-01 May, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Neethi: Circular Policy Reference Infinite Loop

Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause excessive recursion, leading to a stack overflow or application hang. An attacker can craft malicious policy documents with circular references to cause a Denial of Service condition Users are recommended to upgrade to version 3.2.2, which fixes this issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-neethiApache Neethi
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-39304
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.90% / 55.14%
||
7 Day CHG+0.21%
Published-10 Apr, 2026 | 10:54
Updated-30 Jun, 2026 | 03:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS. Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well. This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.

Action-Not Available
Vendor-The Apache Software FoundationRed Hat, Inc.
Product-activemqactivemq_brokerApache ActiveMQ AllApache ActiveMQApache ActiveMQ ClientApache ActiveMQ BrokerRed Hat AMQ Broker 7Red Hat Data Grid 8Red Hat JBoss Enterprise Application Platform 7Red Hat Enterprise Linux 9Red Hat build of Apache Camel for Spring Boot 4Red Hat Enterprise Linux 8Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-32007
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-1.27% / 66.24%
||
7 Day CHG~0.00%
Published-19 Jul, 2024 | 08:50
Updated-13 Sep, 2024 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache CXF Denial of Service vulnerability in JOSE

An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token. 

Action-Not Available
Vendor-The Apache Software Foundation
Product-cxfApache CXFcxf
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-20
Improper Input Validation
CVE-2022-30522
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-90.41% / 99.79%
||
7 Day CHG~0.00%
Published-08 Jun, 2022 | 10:00
Updated-03 Aug, 2024 | 06:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mod_sed denial of service

If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.

Action-Not Available
Vendor-NetApp, Inc.The Apache Software FoundationFedora Project
Product-http_serverclustered_data_ontapfedoraApache HTTP Server
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-29404
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-5.68% / 92.05%
||
7 Day CHG~0.00%
Published-08 Jun, 2022 | 10:00
Updated-03 Aug, 2024 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service in mod_lua r:parsebody

In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.

Action-Not Available
Vendor-NetApp, Inc.The Apache Software FoundationFedora Project
Product-http_serverclustered_data_ontapfedoraApache HTTP Server
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-24294
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-1.59% / 72.75%
||
7 Day CHG+0.03%
Published-24 Jul, 2022 | 17:45
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ReDoS in Apache MXNet RTC Module

A regular expression used in Apache MXNet (incubating) is vulnerable to a potential denial-of-service by excessive resource consumption. The bug could be exploited when loading a model in Apache MXNet that has a specially crafted operator name that would cause the regular expression evaluation to use excessive resources to attempt a match. This issue affects Apache MXNet versions prior to 1.9.1.

Action-Not Available
Vendor-The Apache Software Foundation
Product-mxnetApache MXNet
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2021-35516
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-12.70% / 95.78%
||
7 Day CHG~0.00%
Published-13 Jul, 2021 | 07:15
Updated-04 Aug, 2024 | 00:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Commons Compress 1.6 to 1.20 denial of service vulnerability

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Action-Not Available
Vendor-NetApp, Inc.The Apache Software FoundationOracle Corporation
Product-healthcare_data_repositorypeoplesoft_enterprise_peopletoolsprimavera_unifiercommunications_cloud_native_core_automated_test_suitecommunications_cloud_native_core_service_communication_proxybanking_digital_experiencecommunications_billing_and_revenue_managementoncommand_insightutilities_testing_acceleratorcommunications_messaging_serverfinancial_services_crime_and_compliance_management_studiocommunications_session_route_manageractive_iq_unified_managerfinancial_services_enterprise_case_managementbanking_party_managementcommunications_diameter_intelligence_hubbanking_enterprise_default_managementcommunications_cloud_native_core_unified_data_repositoryflexcube_universal_bankingcommons_compressinsurance_policy_administrationcommerce_guided_searchwebcenter_portalbusiness_process_management_suiteApache Commons Compress
CWE ID-CWE-130
Improper Handling of Length Parameter Inconsistency
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-49763
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.63% / 45.88%
||
7 Day CHG~0.00%
Published-19 Jun, 2025 | 10:07
Updated-01 Jul, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Traffic Server: Remote DoS via memory exhaustion in ESI Plugin

ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted. Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-traffic_serverApache Traffic Server
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-48988
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-53.23% / 98.85%
||
7 Day CHG~0.00%
Published-16 Jun, 2025 | 14:13
Updated-03 Nov, 2025 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Tomcat: FileUpload large number of parts with headers DoS

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-tomcatApache Tomcat
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-48976
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-63.26% / 99.11%
||
7 Day CHG~0.00%
Published-16 Jun, 2025 | 15:00
Updated-03 Nov, 2025 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-commons_fileuploadApache Commons FileUpload
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-48392
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.56% / 42.63%
||
7 Day CHG~0.00%
Published-24 Sep, 2025 | 07:59
Updated-04 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache IoTDB: DoS Vulnerability

A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4. Users are recommended to upgrade to version 2.0.5, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-iotdbApache IoTDB
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-27316
Matching Score-10
Assigner-Apache Software Foundation
ShareView Details
Matching Score-10
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-91.33% / 99.80%
||
7 Day CHG~0.00%
Published-04 Apr, 2024 | 19:21
Updated-04 Nov, 2025 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

Action-Not Available
Vendor-Fedora ProjectNetApp, Inc.The Apache Software Foundation
Product-fedoraontaphttp_serverApache HTTP Serverhttp_server
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-53917
Matching Score-8
Assigner-Apache Software Foundation
ShareView Details
Matching Score-8
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.52% / 40.57%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 09:49
Updated-02 Jul, 2026 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Client, Apache ActiveMQ Broker: Unbounded memory allocation in OpenWire property unmarshalling

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Client, Apache ActiveMQ Broker. An authenticated user can cause a broker DoS by sending a crafted OpenWire Message with a large encoded size value for the map. OpenWire message property maps are unmarshaled without size validation which can trigger OOM and crash the broker. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Client: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-activemq_brokeractivemqApache ActiveMQ AllApache ActiveMQApache ActiveMQ ClientApache ActiveMQ Broker
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CVE-2026-53916
Matching Score-8
Assigner-Apache Software Foundation
ShareView Details
Matching Score-8
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.52% / 40.57%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 09:49
Updated-02 Jul, 2026 | 18:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: Unbounded header buffer in STOMP NIO codec

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. An unauthenticated client that opens a STOMP NIO connection can send header bytes that never terminate which makes the broker buffer them without limit, exhausting the JVM heap. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-activemqApache ActiveMQ StompApache ActiveMQ AllApache ActiveMQ
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CVE-2026-49432
Matching Score-8
Assigner-Apache Software Foundation
ShareView Details
Matching Score-8
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.52% / 40.57%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 09:54
Updated-02 Jul, 2026 | 18:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: STOMP negative content-length enables denial of service

Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-activemqApache ActiveMQ StompApache ActiveMQ AllApache ActiveMQ
CWE ID-CWE-20
Improper Input Validation
CVE-2022-26650
Matching Score-8
Assigner-Apache Software Foundation
ShareView Details
Matching Score-8
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-2.43% / 82.27%
||
7 Day CHG~0.00%
Published-17 May, 2022 | 08:05
Updated-03 Aug, 2024 | 05:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache ShenYu (incubating) Regular expression denial of service

In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.

Action-Not Available
Vendor-The Apache Software Foundation
Product-shenyuApache ShenYu (incubating)
CWE ID-CWE-1333
Inefficient Regular Expression Complexity
CVE-2026-43868
Matching Score-8
Assigner-Apache Software Foundation
ShareView Details
Matching Score-8
Assigner-Apache Software Foundation
CVSS Score-5.3||MEDIUM
EPSS-0.66% / 47.24%
||
7 Day CHG+0.29%
Published-05 May, 2026 | 07:49
Updated-02 Jul, 2026 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern

Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Action-Not Available
Vendor-Red Hat, Inc.The Apache Software Foundation
Product-thriftApache ThriftRed Hat Data Grid 8Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1Red Hat Fuse 7Red Hat build of Apache Camel 4 for Quarkus 3Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat OpenShift AI (RHOAI)
CWE ID-CWE-1285
Improper Validation of Specified Index, Position, or Offset in Input
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CVE-2025-31650
Matching Score-8
Assigner-Apache Software Foundation
ShareView Details
Matching Score-8
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-66.93% / 99.20%
||
7 Day CHG+0.57%
Published-28 Apr, 2025 | 19:14
Updated-03 Nov, 2025 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-tomcatApache Tomcat
CWE ID-CWE-459
Incomplete Cleanup
CVE-2026-49975
Matching Score-8
Assigner-Apache Software Foundation
ShareView Details
Matching Score-8
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-11.47% / 95.48%
||
7 Day CHG+1.12%
Published-08 Jun, 2026 | 15:26
Updated-30 Jun, 2026 | 03:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache HTTP Server: mod_http2 denial of service

Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.

Action-Not Available
Vendor-F5, Inc.The Apache Software FoundationDebian GNU/LinuxRed Hat, Inc.
Product-http_serverdebian_linuxApache HTTP ServerRed Hat JBoss Web Server 5Red Hat JBoss Core Services on RHEL 7 ServerRed Hat JBoss Core Services on RHEL 8Red Hat Enterprise Linux AppStream (v. 9)Red Hat Hardened ImagesRed Hat JBoss Core ServicesRed Hat JBoss Core Services 2.4.62.SP4Red Hat OpenShift Service Mesh 2.6Red Hat Enterprise Linux AppStream (v. 8)Red Hat Enterprise Linux AppStream (v. 10)
CWE ID-CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 42
  • 43
  • Next
Details not found