CWE-400

Uncontrolled Resource Consumption

675 CVEs | Avg CVSS 6.5 | Source: MITRE
Critical: 12 | High: 323 | Medium: 301 | Low: 35 | POC: 125 | KEV: 2

CVE-2026-45756 LOW PATCH GHSA Monitor

Uncontrolled PCRE backtracking in Symfony's JsonPath component allows denial of service when attacker-influenced JSONPath expressions containing match() or search() filters are evaluated server-side. Affected applications that pass user-supplied JSONPath queries to JsonCrawler::find() can be made to execute catastrophically backtracking patterns such as '(a+)+$', pinning a CPU core for several seconds per request; a small number of concurrent requests can exhaust the entire PHP worker pool. The vulnerability is compounded by error suppression (@preg_match) that silences PCRE backtrack-limit exceptions, producing no log trace of the attack. No public exploit code and no CISA KEV listing are identified at time of analysis, but the advisory itself provides a working proof-of-concept pattern.

PHP Denial Of Service
NVD GitHub
CVE-2026-48525 MEDIUM PATCH This Month

Uncontrolled resource consumption in PyJWT 2.8.0-2.12.1 exposes any service that verifies detached JWS tokens to unauthenticated denial-of-service. When the unencoded-payload extension (b64=false, RFC 7797) is in use, PyJWT unnecessarily Base64URL-decodes the compact-serialization payload segment before discarding it in favor of the caller-supplied detached payload, turning that segment into an attacker-controlled amplifier for CPU and memory exhaustion regardless of signature validity. No public exploit has been identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully unauthenticated remote exploitation against any affected endpoint using this feature.

Denial Of Service Python
NVD GitHub
CVSS 3.1: 5.3
CVE-2026-48155 MEDIUM PATCH This Month

Memory exhaustion in pypdf prior to 6.12.0 allows an attacker who supplies a crafted PDF to cause large memory consumption in any application that processes it using layout mode text extraction. The vulnerability is triggered by PDFs containing text positioning operators with abnormally large x- or y-coordinate offsets, causing the library to allocate unbounded whitespace and newline characters during rendering. No confirmed active exploitation exists (not in CISA KEV), and SSVC rates this as non-automatable with partial technical impact, placing it in a lower operational priority tier despite the straightforward exploitation mechanic.

Denial Of Service Python
NVD GitHub
CVSS 4.0: 4.8
CVE-2026-45357 npm HIGH GHSA This Week

{{ x | date: f }}` can generate multi-megabyte output or trigger an out-of-memory crash of the host Node.js process. Publicly available exploit code (a verified PoC) exists; there is no CISA KEV listing and no EPSS score in the provided data.

Denial Of Service Node.js
NVD GitHub
CVSS 3.1: 7.5
CVE-2026-7528 HIGH This Week

Denial of service in IBM Langflow OSS 1.0.0 through 1.9.0 lets a low-privileged, authenticated remote attacker drive uncontrolled resource consumption (CWE-400) to degrade or crash the service, with a high availability impact and a minor confidentiality exposure per the CVSS vector. The flaw is network-reachable, requires no user interaction, and needs only a low-privilege account. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was supplied.

Denial Of Service IBM
NVD
CVSS 3.1: 7.1 | EPSS: 0.0%
CVE-2026-6052 MEDIUM This Month

Memory exhaustion in IBM Db2 11.5.x and 12.1.x allows an authenticated remote attacker to crash the database engine by submitting certain queries targeting Multi-Dimensional Clustering (MDC) tables, resulting in a denial of service. The vulnerability carries a CVSS 6.5 score with network-accessible attack vector and low-privilege requirement, meaning any valid database user can trigger it. No active exploitation has been identified at time of analysis; SSVC rates exploitation status as none and technical impact as partial.

Denial Of Service IBM
NVD
CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-6051 MEDIUM This Month

Denial of service in IBM Db2 versions 11.5.0-11.5.9 and 12.1.0-12.1.4 allows a locally authenticated, low-privileged user to crash the database service by executing a specially crafted SQL query against an instance configured with a small statement heap. The vulnerability stems from uncontrolled resource consumption (CWE-400) during query processing, resulting in high availability impact with no confidentiality or integrity exposure. No public exploit code and no active exploitation have been identified at time of analysis; SSVC classifies exploitation status as none.

Denial Of Service IBM
NVD
CVSS 3.1: 5.5 | EPSS: 0.0%
CVE-2026-4410 MEDIUM This Month

Memory exhaustion in IBM WebSphere Application Server (Liberty 19.0.0.7-26.0.0.5, traditional WAS 8.5 and 9.0) allows an adjacent-network, low-privileged attacker to trigger uncontrolled memory consumption by sending a specially crafted request. The attack requires both network adjacency and high complexity conditions, constraining the realistic threat surface significantly compared to the High availability impact rating. No public exploit code exists and CISA SSVC rates exploitation as 'none' with technical impact classified as 'partial', placing this vulnerability in a lower operational priority tier despite the A:H component impact.

Denial Of Service IBM
NVD
CVSS 3.1: 4.8 | EPSS: 0.0%
CVE-2026-7493 MEDIUM This Month

Uncontrolled resource consumption in the Simply Schedule Appointments WordPress plugin (all versions ≤ 1.6.11.5) enables unauthenticated remote attackers to exhaust PHP-FPM or mod_php worker processes, effectively rendering the WordPress site unavailable to legitimate users. The attack surface is a publicly accessible REST endpoint (/wp-json/ssa/v1/async) that directly passes a caller-controlled delay parameter into PHP's native sleep() function with no rate limiting or input sanitization. No public exploit code has been identified at time of analysis and EPSS is very low (0.05%, 15th percentile), suggesting limited opportunistic interest so far, though the trivially low attack complexity means any actor can attempt this with no tooling.

PHP WordPress Denial Of Service
NVD
CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2026-44645 npm MEDIUM GHSA This Month

{% for %}` or `{% tablerow %}` tags with empty bodies, enabling any low-privileged template author to stall a Node.js event-loop thread for an attacker-controlled duration. Because Node.js is single-threaded, a stall of 2-10+ seconds on one worker blocks all concurrent in-flight HTTP requests on that process, making this a practical denial-of-service vector in SaaS and multi-tenant platforms. A public proof-of-concept is included in the GitHub Security Advisory (GHSA-8xx9-69p8-7jp3) and was reproduced against liquidjs@10.25.7; no patch has been released as of this analysis.

Denial Of Service Node.js
NVD GitHub
CVSS 3.1: 6.5