Monthly
Unbounded recursion in Symfony's YAML component (`symfony/yaml`) crashes PHP worker processes when parsing attacker-controlled documents containing deeply nested mappings or sequences. Both the block-level parser (`Parser::parseBlock()`) and inline parsers (`Inline::parseSequence()`, `Inline::parseMapping()`) recurse without a depth ceiling, allowing a single crafted YAML document to exhaust the PHP call stack and kill the worker. All applications that pass untrusted input to `Yaml::parse()` or `Yaml::parseFile()` across symfony/yaml 5.4.x through 7.x are affected; no public exploit is identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Denial-of-service via uncontrolled recursion in the IBM i Integrated Language Environment (ILE) compiler affects versions 7.3, 7.4, 7.5 (≤12.1.4), and 7.6 (≤11.5.9). An authenticated network attacker can crash or hang the ILE compiler by submitting specially crafted source code containing a specific combination of statements that triggers infinite or deeply nested recursive processing. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and the fact that the only barrier is authentication make this plausible in insider-threat or compromised-credential scenarios.
Uncontrolled recursion in PostCSS up to 7.1.1 allows remote attackers to trigger denial of service via crafted CSS input requiring user interaction. The vulnerability resides in the toString function of the AST serialization logic (src/selectors/container.js). Publicly available exploit code exists, so exploitation probability (EPSS) should be assessed before deprioritizing. The vendor considers this low-risk because most users compile their own CSS rather than processing untrusted user-generated CSS, indicating a limited real-world attack surface in typical deployment scenarios.
Denial of service in SQLFluff (Python SQL linter/parser) below version 4.1.0 allows remote attackers to exhaust server resources by submitting SQL queries with deliberately excessive nesting, triggering uncontrolled recursion in the parser. The flaw (CWE-674) affects any application that accepts untrusted SQL input for linting and carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/A:H); no public exploit identified at time of analysis and EPSS data was not provided.
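The Symfony YAML, PostCSS and SQLFluff entries above share one shape: a recursive-descent parser that descends one call level per nesting level of the input, with no ceiling. The following added example (not code from any of those projects) is a small parser for YAML-style flow collections (`[...]` and `{...}`) that can run with or without a depth ceiling; the `FlowParser` class, its `max_depth` parameter, the `NestingTooDeep` error and the `crafted_payload` helper are illustrative names, and the deeply nested input is constructed here rather than taken from any advisory.

```python
"""Depth-bounded recursive-descent parser for YAML-style flow collections.

Illustrates CWE-674: the unbounded mode recurses twice per nesting level
(_parse_value -> _parse_sequence), so a payload of a few thousand '[' exhausts
the interpreter's recursion limit; the bounded mode rejects it with a
controlled error after max_depth levels. All names here are illustrative.
"""


class NestingTooDeep(ValueError):
    """Raised when input nests deeper than the configured ceiling."""


class FlowParser:
    def __init__(self, text, max_depth=None):
        self.text = text
        self.pos = 0
        self.max_depth = max_depth  # None reproduces the unbounded behaviour
        self.depth = 0

    def parse(self):
        value = self._parse_value()
        self._skip_ws()
        if self.pos != len(self.text):
            raise ValueError(f"trailing data at offset {self.pos}")
        return value

    def _peek(self):
        return self.text[self.pos] if self.pos < len(self.text) else ""

    def _skip_ws(self):
        while self.pos < len(self.text) and self.text[self.pos] in " \t\n":
            self.pos += 1

    def _enter(self):
        # The only change needed to neutralise the crafted payload: count
        # nesting levels and refuse to go past the ceiling.
        self.depth += 1
        if self.max_depth is not None and self.depth > self.max_depth:
            raise NestingTooDeep(f"nesting exceeds {self.max_depth} at offset {self.pos}")

    def _leave(self):
        self.depth -= 1

    def _parse_value(self):
        self._skip_ws()
        ch = self._peek()
        if ch == "":
            raise ValueError("unexpected end of input")
        if ch == "[":
            return self._parse_sequence()
        if ch == "{":
            return self._parse_mapping()
        return self._parse_scalar()

    def _parse_scalar(self):
        # Plain scalars only: run until a structural character or whitespace.
        self._skip_ws()
        start = self.pos
        while self.pos < len(self.text) and self.text[self.pos] not in ",:[]{} \t\n":
            self.pos += 1
        if start == self.pos:
            raise ValueError(f"expected scalar at offset {start}")
        return self.text[start:self.pos]

    def _parse_sequence(self):
        self._enter()
        self.pos += 1  # consume '['
        items = []
        self._skip_ws()
        if self._peek() == "]":
            self.pos += 1
            self._leave()
            return items
        while True:
            items.append(self._parse_value())  # recursion happens here
            self._skip_ws()
            ch = self._peek()
            if ch == ",":
                self.pos += 1
                continue
            if ch == "]":
                self.pos += 1
                self._leave()
                return items
            raise ValueError(f"expected ',' or ']' at offset {self.pos}")

    def _parse_mapping(self):
        self._enter()
        self.pos += 1  # consume '{'
        mapping = {}
        self._skip_ws()
        if self._peek() == "}":
            self.pos += 1
            self._leave()
            return mapping
        while True:
            key = self._parse_scalar()
            self._skip_ws()
            if self._peek() != ":":
                raise ValueError(f"expected ':' at offset {self.pos}")
            self.pos += 1
            mapping[key] = self._parse_value()  # recursion happens here
            self._skip_ws()
            ch = self._peek()
            if ch == ",":
                self.pos += 1
                continue
            if ch == "}":
                self.pos += 1
                self._leave()
                return mapping
            raise ValueError(f"expected ',' or '}}' at offset {self.pos}")


def parse_flow(text, max_depth=None):
    return FlowParser(text, max_depth).parse()


def crafted_payload(levels):
    """Constructed attacker input: `levels` nested empty sequences."""
    return "[" * levels + "]" * levels


def demo(levels=20000, max_depth=64):
    """Parse the same payload unbounded and bounded; return the two outcomes."""
    payload = crafted_payload(levels)
    try:
        parse_flow(payload)
        unbounded = "parsed"
    except RecursionError:
        unbounded = "RecursionError"
    try:
        parse_flow(payload, max_depth=max_depth)
        bounded = "parsed"
    except NestingTooDeep:
        bounded = "NestingTooDeep"
    return unbounded, bounded


if __name__ == "__main__":
    print(parse_flow("[a, {b: c, d: [e]}]"))
    print(demo())
```

The ceiling is enforced in one place (`_enter`), which is the same shape as the fixes these advisories describe: a counter incremented on every descent and compared against a limit, with a typed error the caller can map to a 4xx response instead of a dead worker. A ceiling of a few dozen levels is far above anything a legitimate configuration or query needs.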
Uncontrolled recursion in Samsung's Escargot JavaScript engine triggers excessive heap allocation, causing a denial-of-service condition with high availability impact. The vulnerability affects the specific commit 590345cc6258317c5da850d846ce6baaf2afc2d3 of the Escargot engine, which is deployed in Samsung smart TV and appliance firmware. No public exploit code exists and no active exploitation is confirmed by CISA KEV; however, the fix PR reveals multiple heap exhaustion and integer underflow scenarios reachable through crafted JavaScript inputs.
Uncontrolled recursion in Samsung's Escargot JavaScript engine crashes the runtime when processing oversized serialized data payloads, resulting in a high-severity availability impact. The vulnerability is confirmed at commit 590345cc6258317c5da850d846ce6baaf2afc2d3 of the Escargot engine, which is deployed in Samsung TV and appliance platforms. An attacker who can cause a local user to open or execute a crafted JavaScript payload can trigger a stack overflow, denying service to the affected application or device; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Stack overflow in the Magick.NET fx expression evaluator affects all Q16 and HDRI NuGet package variants prior to version 14.13.1. The root cause is a missing recursion depth check in the fx operation: a crafted argument can drive the evaluator into uncontrolled recursion, exhausting the call stack and crashing the host process. Impact is limited to availability (denial of service); no confidentiality or integrity exposure is present, and no public exploit or CISA KEV listing exists at time of analysis.
Stack exhaustion in MongoDB PHP driver allows remote denial of service when processing deeply nested BSON documents from untrusted sources. Unauthenticated attackers can crash applications by sending maliciously crafted BSON payloads with excessive nesting levels, affecting all versions of the PHP driver that parse BSON without depth limits. The vulnerability requires high attack complexity but results in complete availability loss.
Denial of service in PostgreSQL allows remote unauthenticated attackers to crash the database server via recursive SSL/GSS negotiation when connecting to AF_UNIX or TCP sockets (if SSL and GSS are both disabled). Affects all PostgreSQL versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23. No active exploitation confirmed (not in CISA KEV). Vendor-released patches available across all supported major versions. EPSS data not available, but CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates high availability impact with low barrier to exploitation.
Uncontrolled recursion in Apache Commons Configuration 2.2 through 2.14.x allows remote attackers to trigger a denial of service via StackOverflowError when processing YAML configuration files containing cyclic object references. The vulnerability affects any application using the library to parse untrusted YAML input without validation, with CVSS 5.3 (network-accessible, no authentication required) but exceptionally low exploitation probability (EPSS 0.02%, percentile 5%), indicating this is primarily a defensive hardening fix rather than an actively exploited threat.
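The Commons Configuration entry describes a different trigger from the depth cases above: a YAML alias that points back at its own anchor yields a self-referential structure, and a recursive tree walk over it never finishes. As an added example (not Commons Configuration's code), the following flattens a hierarchical configuration into dotted keys the way such libraries do, first naively and then with the objects on the current descent path tracked so that a cycle is reported rather than recursed into. The cyclic structure is constructed inline as the equivalent of what an alias-aware loader would produce for `db: &db {host: localhost, self: *db}`; the function and exception names are illustrative.

```python
"""Cycle-safe flattening of a hierarchical configuration tree.

flatten_naive mirrors the failure mode: it recurses into every child, so a
self-referential mapping drives it into RecursionError (StackOverflowError
in Java). flatten_safe keeps the ids of the containers on the current path;
revisiting one of them is a cycle and is reported. Shared (DAG) references
are still allowed because the id is removed again on the way back up.
All names here are illustrative.
"""


class CyclicReference(ValueError):
    """Raised when a container references itself, directly or indirectly."""


def _join(prefix, key):
    return f"{prefix}.{key}" if prefix else str(key)


def flatten_naive(node, prefix=""):
    """Flatten nested dicts/lists into dotted keys with no cycle protection."""
    if isinstance(node, dict):
        out = {}
        for key, child in node.items():
            out.update(flatten_naive(child, _join(prefix, key)))
        return out
    if isinstance(node, list):
        out = {}
        for idx, child in enumerate(node):
            out.update(flatten_naive(child, _join(prefix, idx)))
        return out
    return {prefix: node}


def flatten_safe(node, prefix="", _path=None):
    """Same flattening, but refuses to descend into a container already on the path."""
    if _path is None:
        _path = set()
    if isinstance(node, (dict, list)):
        if id(node) in _path:
            raise CyclicReference(f"cyclic reference at key {prefix or '<root>'}")
        _path.add(id(node))
        try:
            items = node.items() if isinstance(node, dict) else enumerate(node)
            out = {}
            for key, child in items:
                out.update(flatten_safe(child, _join(prefix, key), _path))
            return out
        finally:
            _path.discard(id(node))  # leaving the subtree: siblings may share it
    return {prefix: node}


def cyclic_config():
    """Constructed equivalent of the YAML `db: &db {host: localhost, self: *db}`."""
    db = {"host": "localhost"}
    db["self"] = db
    return {"db": db}


def demo():
    """Flatten the cyclic document both ways; return the two outcomes."""
    cfg = cyclic_config()
    try:
        flatten_naive(cfg)
        naive = "flattened"
    except RecursionError:
        naive = "RecursionError"
    try:
        flatten_safe(cfg)
        safe = "flattened"
    except CyclicReference as exc:
        safe = str(exc)
    return naive, safe


if __name__ == "__main__":
    print(flatten_safe({"a": {"b": [1, 2]}, "c": 3}))
    print(demo())
```

Tracking the current path rather than every node ever visited is the design choice worth noting: a visited-set would wrongly reject a document that legitimately reuses one anchor in two places, while the path-set rejects only true cycles. Pairing this with a depth ceiling covers both the cyclic and the merely deep case.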