Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-56150

Summary
Assigner-elastic
Assigner Org ID-271b6943-45a9-4f3a-ab4e-976f3fa05b5a
Published At-01 Jul, 2026 | 16:26
Updated At-01 Jul, 2026 | 17:25
Rejected At-
Credits

Allocation of Resources Without Limits or Throttling in Fleet Server Leading to Denial of Service

Allocation of Resources Without Limits or Throttling (CWE-770) in Fleet Server can lead to a denial of service via Excessive Allocation (CAPEC-130). An attacker can submit a specially crafted request to an upload endpoint that causes excessive memory consumption, which may render Fleet Server unavailable.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:elastic
Assigner Org ID:271b6943-45a9-4f3a-ab4e-976f3fa05b5a
Published At:01 Jul, 2026 | 16:26
Updated At:01 Jul, 2026 | 17:25
Rejected At:
▼CVE Numbering Authority (CNA)
Allocation of Resources Without Limits or Throttling in Fleet Server Leading to Denial of Service

Allocation of Resources Without Limits or Throttling (CWE-770) in Fleet Server can lead to a denial of service via Excessive Allocation (CAPEC-130). An attacker can submit a specially crafted request to an upload endpoint that causes excessive memory consumption, which may render Fleet Server unavailable.

Affected Products
Vendor
Elasticsearch BVElastic
Product
Fleet Server
Default Status
unaffected
Versions
Affected
  • From 9.0.0 through 9.2.4 (semver)
  • From 8.0.0 through 8.19.10 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-770CWE-770 Allocation of Resources Without Limits or Throttling
Type: CWE
CWE ID: CWE-770
Description: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-130CAPEC-130 Excessive Allocation
CAPEC ID: CAPEC-130
Description: CAPEC-130 Excessive Allocation
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://discuss.elastic.co/t/fleet-server-8-19-11-9-2-5-9-3-0-security-update-esa-2026-44
N/A
Hyperlink: https://discuss.elastic.co/t/fleet-server-8-19-11-9-2-5-9-3-0-security-update-esa-2026-44
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@elastic.co
Published At:01 Jul, 2026 | 17:16
Updated At:01 Jul, 2026 | 18:16

Allocation of Resources Without Limits or Throttling (CWE-770) in Fleet Server can lead to a denial of service via Excessive Allocation (CAPEC-130). An attacker can submit a specially crafted request to an upload endpoint that causes excessive memory consumption, which may render Fleet Server unavailable.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
N/A
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-770Secondarysecurity@elastic.co
CWE ID: CWE-770
Type: Secondary
Source: security@elastic.co
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://discuss.elastic.co/t/fleet-server-8-19-11-9-2-5-9-3-0-security-update-esa-2026-44security@elastic.co
N/A
Hyperlink: https://discuss.elastic.co/t/fleet-server-8-19-11-9-2-5-9-3-0-security-update-esa-2026-44
Source: security@elastic.co
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

294Records found

CVE-2026-49087
Matching Score-10
Assigner-Elastic
ShareView Details
Matching Score-10
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 16.39%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 16:35
Updated-02 Jul, 2026 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allocation of Resources Without Limits or Throttling in Kibana Leading to Denial of Service

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk deletion request that causes excessive resource consumption, which may render Kibana unavailable.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-52973
Matching Score-10
Assigner-Elastic
ShareView Details
Matching Score-10
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.36% / 28.23%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 11:04
Updated-30 Sep, 2025 | 21:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kibana allocation of resources without limits or throttling leads to crash

An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. This can be carried out by users with read access to the Observability-Logs feature in Kibana.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-52972
Matching Score-10
Assigner-Elastic
ShareView Details
Matching Score-10
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.37% / 29.02%
||
7 Day CHG~0.00%
Published-23 Jan, 2025 | 06:11
Updated-30 Sep, 2025 | 20:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kibana allocation of resources without limits or throttling leads to crash

An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-43709
Matching Score-10
Assigner-Elastic
ShareView Details
Matching Score-10
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.60% / 44.62%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 11:00
Updated-21 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Elasticsearch allocation of resources without limits or throttling leads to crash

An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via a specially crafted query using an SQL function.

Action-Not Available
Vendor-Elasticsearch BV
Product-elasticsearchElasticsearch
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-43708
Matching Score-10
Assigner-Elastic
ShareView Details
Matching Score-10
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.37% / 29.02%
||
7 Day CHG~0.00%
Published-23 Jan, 2025 | 10:27
Updated-30 Sep, 2025 | 20:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. This can be carried out by users with read access to any feature in Kibana.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-0543
Matching Score-10
Assigner-Elastic
ShareView Details
Matching Score-10
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.37% / 29.32%
||
7 Day CHG~0.00%
Published-13 Jan, 2026 | 21:10
Updated-22 Jan, 2026 | 20:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Input Validation in Kibana Email Connector Leading to Excessive Allocation

Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process specially crafted email format, resulting in complete service unavailability for all users until manual restart is performed.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-0531
Matching Score-10
Assigner-Elastic
ShareView Details
Matching Score-10
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.42% / 33.74%
||
7 Day CHG~0.00%
Published-13 Jan, 2026 | 21:05
Updated-22 Jan, 2026 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allocation of Resources Without Limits or Throttling in Kibana Fleet

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-0530
Matching Score-10
Assigner-Elastic
ShareView Details
Matching Score-10
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.27% / 19.27%
||
7 Day CHG~0.00%
Published-13 Jan, 2026 | 21:03
Updated-22 Jan, 2026 | 19:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allocation of Resources Without Limits or Throttling in Kibana Leading to Excessive Allocation

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-68384
Matching Score-10
Assigner-Elastic
ShareView Details
Matching Score-10
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.28% / 20.00%
||
7 Day CHG+0.01%
Published-18 Dec, 2025 | 22:04
Updated-23 Dec, 2025 | 17:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Elasticsearch Allocation of Resources Without Limits or Throttling

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user settings data.

Action-Not Available
Vendor-Elasticsearch BV
Product-elasticsearchElasticsearch
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-68389
Matching Score-10
Assigner-Elastic
ShareView Details
Matching Score-10
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.28% / 20.13%
||
7 Day CHG+0.01%
Published-18 Dec, 2025 | 22:14
Updated-23 Dec, 2025 | 19:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kibana Allocation of Resources Without Limits or Throttling

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-46673
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.84% / 53.86%
||
7 Day CHG~0.00%
Published-22 Nov, 2023 | 09:27
Updated-02 Aug, 2024 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was identified that malformed scripts used in the script processor of an Ingest Pipeline could cause an Elasticsearch node to crash when calling the Simulate Pipeline API.

Action-Not Available
Vendor-Elasticsearch BV
Product-elasticsearchElasticsearch
CWE ID-CWE-755
Improper Handling of Exceptional Conditions
CVE-2026-56148
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.35% / 26.92%
||
7 Day CHG+0.04%
Published-01 Jul, 2026 | 16:17
Updated-01 Jul, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Recursion in Elasticsearch Leading to Denial of Service

Uncontrolled Recursion (CWE-674) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted query that causes excessive resource consumption while the request is processed, which may render the affected node unavailable.

Action-Not Available
Vendor-Elasticsearch BV
Product-Elasticsearch
CWE ID-CWE-674
Uncontrolled Recursion
CVE-2026-56151
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.28% / 20.14%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 16:29
Updated-02 Jul, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Input Validation in Kibana Leading to Denial of Service

Improper Input Validation (CWE-20) in Kibana can lead to a denial of service via Input Data Manipulation (CAPEC-153). An authenticated user can submit a specially crafted Fleet policy input that is not correctly validated, which can render Fleet agent, server, and policy management functionality unavailable.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-20
Improper Input Validation
CVE-2026-49090
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 16.39%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 17:15
Updated-02 Jul, 2026 | 14:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consumption in Elasticsearch Leading to Denial of Service

Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk request that causes sustained high CPU consumption, which can render the affected node unable to process requests.

Action-Not Available
Vendor-Elasticsearch BV
Product-elasticsearchElasticsearch
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-49094
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.27% / 18.75%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 19:49
Updated-01 Jun, 2026 | 13:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an oversized input value to an analytics collections management endpoint. Kibana will consume excessive CPU and memory resources while processing the request. This results in Kibana becoming unavailable to all users until the service is manually recovered.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-52980
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.50% / 39.63%
||
7 Day CHG~0.00%
Published-08 Apr, 2025 | 16:43
Updated-30 Sep, 2025 | 21:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Elasticsearch Uncontrolled Resource Consumption vulnerability

A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBank class could cause the Elasticsearch node to crash. A successful attack requires a malicious user to have read_pipeline Elasticsearch cluster privilege assigned to them.

Action-Not Available
Vendor-Elasticsearch BV
Product-elasticsearchElasticsearch
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-42399
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.30% / 21.55%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 19:44
Updated-01 Jun, 2026 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulting data structure grows without bound, exhausting available memory and causing the Kibana service to crash and become unavailable to all users.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-31419
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-60.68% / 99.05%
||
7 Day CHG~0.00%
Published-26 Oct, 2023 | 17:06
Updated-13 Feb, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Elasticsearch StackOverflow vulnerability

A flaw was discovered in Elasticsearch, affecting the _search API that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service.

Action-Not Available
Vendor-Elasticsearch BV
Product-elasticsearchElasticsearch
CWE ID-CWE-121
Stack-based Buffer Overflow
CWE ID-CWE-787
Out-of-bounds Write
CVE-2021-22139
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-1.00% / 58.86%
||
7 Day CHG~0.00%
Published-13 May, 2021 | 17:35
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Kibana versions before 7.12.1 contain a denial of service vulnerability was found in the webhook actions due to a lack of timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all other users.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-38778
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.88% / 55.05%
||
7 Day CHG~0.00%
Published-08 Feb, 2023 | 00:00
Updated-25 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw (CVE-2022-38900) was discovered in one of Kibana’s third party dependencies, that could allow an authenticated user to perform a request that crashes the Kibana server process.

Action-Not Available
Vendor-decode-uri-component_projectElasticsearch BV
Product-decode-uri-componentkibanakibana
CWE ID-CWE-20
Improper Input Validation
CVE-2024-52974
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.37% / 29.35%
||
7 Day CHG~0.00%
Published-08 Apr, 2025 | 16:46
Updated-30 Sep, 2025 | 21:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been identified where a specially crafted request sent to an Observability API could cause the kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned to them.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-52979
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.52% / 40.84%
||
7 Day CHG~0.00%
Published-01 May, 2025 | 13:13
Updated-02 Oct, 2025 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Elasticsearch Uncontrolled Resource Consumption vulnerability

Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions can lead to Denial of Service by causing the Elasticsearch node to crash.

Action-Not Available
Vendor-Elasticsearch BV
Product-elasticsearchElasticsearch
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-42400
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.30% / 21.55%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 19:42
Updated-01 Jun, 2026 | 14:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload that is processed prior to authorization checks, causing excessive memory and CPU resource consumption that can result in a Kibana instance becoming unresponsive or crashing.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-37281
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.41% / 33.52%
||
7 Day CHG~0.00%
Published-30 Jul, 2024 | 21:45
Updated-29 Sep, 2025 | 14:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kibana Denial of Service issue

An issue was discovered in Kibana where a user with Viewer role could cause a Kibana instance to crash by sending a large number of maliciously crafted requests to a specific endpoint.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-33459
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 15.05%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 16:46
Updated-13 Apr, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-33464
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 15.69%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 19:35
Updated-29 May, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process to exhaust available resources and become unresponsive to all users until the service recovers or is restarted.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-26934
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.27% / 19.45%
||
7 Day CHG~0.00%
Published-26 Feb, 2026 | 17:03
Updated-02 Mar, 2026 | 15:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service

Improper Validation of Specified Quantity in Input (CWE-1284) in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted, malformed payload causing excessive resource consumption and resulting in Kibana becoming unresponsive or crashing.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-1284
Improper Validation of Specified Quantity in Input
CVE-2026-26935
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.28% / 19.77%
||
7 Day CHG~0.00%
Published-26 Feb, 2026 | 17:05
Updated-02 Mar, 2026 | 15:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Input Validation in Kibana Leading to Denial of Service

Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-20
Improper Input Validation
CVE-2026-26940
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.27% / 18.75%
||
7 Day CHG~0.00%
Published-19 Mar, 2026 | 17:14
Updated-23 Mar, 2026 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service

Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantity value.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-1284
Improper Validation of Specified Quantity in Input
CVE-2026-26937
Matching Score-8
Assigner-Elastic
ShareView Details
Matching Score-8
Assigner-Elastic
CVSS Score-6.5||MEDIUM
EPSS-0.27% / 19.13%
||
7 Day CHG~0.00%
Published-26 Feb, 2026 | 17:51
Updated-02 Mar, 2026 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

Uncontrolled Resource Consumption (CWE-400) in the Timelion component in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153)

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-56149
Matching Score-6
Assigner-Elastic
ShareView Details
Matching Score-6
Assigner-Elastic
CVSS Score-4.9||MEDIUM
EPSS-0.32% / 24.49%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 16:21
Updated-01 Jul, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allocation of Resources Without Limits or Throttling in Elasticsearch Leading to Denial of Service

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). A user with elevated privileges can submit a specially crafted machine learning request that causes excessive memory consumption, which may render the affected node unavailable.

Action-Not Available
Vendor-Elasticsearch BV
Product-Elasticsearch
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-68388
Matching Score-6
Assigner-Elastic
ShareView Details
Matching Score-6
Assigner-Elastic
CVSS Score-5.3||MEDIUM
EPSS-0.31% / 23.48%
||
7 Day CHG+0.01%
Published-18 Dec, 2025 | 21:33
Updated-23 Dec, 2025 | 17:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Allocation of resources without limits or throttling (CWE-770) allows an unauthenticated remote attacker to cause excessive allocation (CAPEC-130) of memory and CPU via the integration of malicious IPv4 fragments, leading to a degradation in Packetbeat.

Action-Not Available
Vendor-Elasticsearch BV
Product-packetbeatPacketbeat
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-68390
Matching Score-6
Assigner-Elastic
ShareView Details
Matching Score-6
Assigner-Elastic
CVSS Score-4.9||MEDIUM
EPSS-0.34% / 25.69%
||
7 Day CHG+0.01%
Published-18 Dec, 2025 | 22:17
Updated-23 Dec, 2025 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Elasticsearch Allocation of Resources Without Limits or Throttling

Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via crafted HTTP request.

Action-Not Available
Vendor-Elasticsearch BV
Product-elasticsearchElasticsearch
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-57708
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-2.3||LOW
EPSS-0.45% / 36.22%
||
7 Day CHG~0.00%
Published-11 Feb, 2026 | 12:17
Updated-12 Feb, 2026 | 14:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qsync Central

An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qsync_centralQsync Central
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-6509
Matching Score-4
Assigner-Axis Communications AB
ShareView Details
Matching Score-4
Assigner-Axis Communications AB
CVSS Score-6.5||MEDIUM
EPSS-0.39% / 31.40%
||
7 Day CHG~0.00%
Published-10 Sep, 2024 | 04:58
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Action-Not Available
Vendor-Axis Communications AB
Product-AXIS OS
CWE ID-CWE-155
Improper Neutralization of Wildcards or Matching Symbols
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-3566
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-3.5||LOW
EPSS-1.37% / 68.75%
||
7 Day CHG~0.00%
Published-08 Jul, 2023 | 17:31
Updated-02 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
wallabag Profile Config config allocation of resources

A vulnerability was found in wallabag 2.5.4. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /config of the component Profile Config. The manipulation of the argument Name leads to allocation of resources. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-233359. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-wallabagn/a
Product-wallabagwallabag
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-55670
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-7.1||HIGH
EPSS-0.29% / 20.52%
||
7 Day CHG~0.00%
Published-15 Oct, 2025 | 13:55
Updated-26 Feb, 2026 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BIG-IP Next (CNF, SPK, and Kubernetes) vulnerability

On BIG-IP Next CNF, BIG-IP Next SPK, and BIG-IP Next for Kubernetes systems, repeated undisclosed API calls can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Action-Not Available
Vendor-F5, Inc.
Product-big-ip_next_for_kubernetesbig-ip_next_service_proxy_for_kubernetesbig-ip_next_cloud-native_network_functionsBIG-IP Next CNFBIG-IP Next SPKBIG-IP Next for Kubernetes
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-53410
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.45% / 36.50%
||
7 Day CHG~0.00%
Published-07 Nov, 2025 | 15:14
Updated-14 Nov, 2025 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Station 5

An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-file_stationFile Station 5
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-53409
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.45% / 36.50%
||
7 Day CHG~0.00%
Published-07 Nov, 2025 | 15:14
Updated-14 Nov, 2025 | 20:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Station 5

An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-file_stationFile Station 5
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-34149
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-4.3||MEDIUM
EPSS-5.40% / 91.79%
||
7 Day CHG~0.00%
Published-14 Jun, 2023 | 07:48
Updated-13 Feb, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Struts: DoS via OOM owing to not properly checking of list bounds

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.

Action-Not Available
Vendor-The Apache Software Foundation
Product-strutsApache Struts
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-34389
Matching Score-4
Assigner-Schweitzer Engineering Laboratories, Inc.
ShareView Details
Matching Score-4
Assigner-Schweitzer Engineering Laboratories, Inc.
CVSS Score-4.5||MEDIUM
EPSS-0.66% / 47.63%
||
7 Day CHG~0.00%
Published-30 Nov, 2023 | 16:54
Updated-02 Dec, 2024 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allocation of resources without limits could lead to denial of service

An allocation of resources without limits or throttling vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow a remote authenticated attacker to make the system unavailable for an indefinite amount of time. See product Instruction Manual Appendix A dated 20230830 for more details.

Action-Not Available
Vendor-Schweitzer Engineering Laboratories, Inc. (SEL)
Product-sel-451sel-451_firmwareSEL-451
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-29770
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.42% / 34.17%
||
7 Day CHG~0.00%
Published-19 Mar, 2025 | 15:31
Updated-31 Jul, 2025 | 15:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vLLM denial of service via outlines unbounded cache on disk

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. The outlines library is one of the backends used by vLLM to support structured output (a.k.a. guided decoding). Outlines provides an optional cache for its compiled grammars on the local filesystem. This cache has been on by default in vLLM. Outlines is also available by default through the OpenAI compatible API server. The affected code in vLLM is vllm/model_executor/guided_decoding/outlines_logits_processors.py, which unconditionally uses the cache from outlines. A malicious user can send a stream of very short decoding requests with unique schemas, resulting in an addition to the cache for each request. This can result in a Denial of Service if the filesystem runs out of space. Note that even if vLLM was configured to use a different backend by default, it is still possible to choose outlines on a per-request basis using the guided_decoding_backend key of the extra_body field of the request. This issue applies only to the V0 engine and is fixed in 0.8.0.

Action-Not Available
Vendor-vllmvllm-project
Product-vllmvllm
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-32481
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-4.9||MEDIUM
EPSS-0.50% / 39.35%
||
7 Day CHG~0.00%
Published-20 Jul, 2023 | 11:26
Updated-17 Oct, 2024 | 14:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Wyse Management Suite versions prior to 4.0 contain a denial-of-service vulnerability. An authenticated malicious user can flood the configured SMTP server with numerous requests in order to deny access to the system.

Action-Not Available
Vendor-Dell Inc.
Product-wyse_management_suiteWyse Management Suite
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-32699
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.59% / 44.15%
||
7 Day CHG~0.00%
Published-30 May, 2023 | 18:59
Updated-10 Jan, 2025 | 16:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MeterSphere denial of service vulnerability

MeterSphere is an open source continuous testing platform. Version 2.9.1 and prior are vulnerable to denial of service. ​The `checkUserPassword` method is used to check whether the password provided by the user matches the password saved in the database, and the `CodingUtil.md5` method is used to encrypt the original password with MD5 to ensure that the password will not be saved in plain text when it is stored. If a user submits a very long password when logging in, the system will be forced to execute the long password MD5 encryption process, causing the server CPU and memory to be exhausted, thereby causing a denial of service attack on the server. This issue is fixed in version 2.10.0-lts with a maximum password length.

Action-Not Available
Vendor-MeterSphere (FIT2CLOUD Inc.)
Product-meterspheremetersphere
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-2853
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.41% / 33.13%
||
7 Day CHG~0.00%
Published-22 May, 2025 | 13:30
Updated-29 May, 2025 | 15:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allocation of Resources Without Limits or Throttling in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of proper validation in GitLab could allow an authenticated user to cause a denial of service condition.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-52867
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-6||MEDIUM
EPSS-0.39% / 30.96%
||
7 Day CHG~0.00%
Published-03 Oct, 2025 | 18:14
Updated-08 Oct, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qsync Central

An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.2 ( 2025/07/31 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qsync_centralQsync Central
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-5253
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-6.5||MEDIUM
EPSS-0.39% / 31.34%
||
7 Day CHG~0.00%
Published-25 Jul, 2025 | 11:27
Updated-05 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DoS in Kron Technologies' Kron PAM

Allocation of Resources Without Limits or Throttling vulnerability in Kron Technologies Kron PAM allows HTTP DoS. This issue affects Kron PAM: before 3.7.

Action-Not Available
Vendor-Kron Technologies
Product-Kron PAM
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-30443
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.48% / 38.09%
||
7 Day CHG+0.01%
Published-19 Dec, 2024 | 01:04
Updated-31 Jan, 2025 | 15:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Db2 denial of service

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted query.

Action-Not Available
Vendor-Microsoft CorporationHP Inc.IBM CorporationLinux Kernel Organization, IncOracle Corporation
Product-hp-uxwindowssolarisaixlinux_kerneldb2Db2 for Linux, UNIX and Windows
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-50172
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.40% / 69.38%
||
7 Day CHG+0.09%
Published-12 Aug, 2025 | 17:10
Updated-13 Feb, 2026 | 18:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DirectX Graphics Kernel Denial of Service Vulnerability

Allocation of resources without limits or throttling in Windows DirectX allows an authorized attacker to deny service over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_11_23h2windows_10_22h2windows_server_2019windows_server_2022windows_server_2022_23h2windows_10_1809windows_10_21h2windows_server_2025windows_11_24h2windows_11_22h2Windows Server 2025Windows Server 2022Windows 11 Version 24H2Windows Server 2025 (Server Core installation)Windows 11 Version 23H2Windows Server 2019 (Server Core installation)Windows 10 Version 1809Windows 11 version 22H2Windows 10 Version 21H2Windows Server 2022, 23H2 Edition (Server Core installation)Windows 11 version 22H3Windows 10 Version 22H2Windows Server 2019
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-27492
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.69% / 48.52%
||
7 Day CHG~0.00%
Published-04 Apr, 2023 | 18:34
Updated-11 Feb, 2025 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Envoy may crash when a large request body is processed in Lua filter

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the Lua filter is vulnerable to denial of service. Attackers can send large request bodies for routes that have Lua filter enabled and trigger crashes. As of versions versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, Envoy no longer invokes the Lua coroutine if the filter has been reset. As a workaround for those whose Lua filter is buffering all requests/ responses, mitigate by using the buffer filter to avoid triggering the local reply in the Lua filter.

Action-Not Available
Vendor-envoyproxyenvoyproxy
Product-envoyenvoy
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • Next
Details not found