Skip to main content

CWE-703

Improper Check or Handling of Exceptional Conditions

110 CVEs Avg CVSS 6.5 MITRE
5
CRITICAL
43
HIGH
55
MEDIUM
7
LOW
11
POC
0
KEV

Monthly

CVE-2026-20187 HIGH This Week

Denial of service in Cisco RoomOS software allows remote unauthenticated attackers to exhaust availability of affected collaboration endpoints and room-based video devices through improper handling of exceptional conditions (CWE-703). The issue was internally discovered by Cisco's RoomOS engineering team as part of a hardening release bundling multiple flaws under this identifier, carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), and has no public exploit identified at time of analysis. Note that the CVSS vector reflects availability-only impact even though a source tag labels it 'Information Disclosure,' a discrepancy defenders should verify against the Cisco advisory.

Cisco Information Disclosure Cisco Roomos Software
NVD
CVSS 3.1
7.5
CVE-2026-56338 MEDIUM PATCH This Month

Denial of service in Capgo's /auth/v1/otp endpoint blocks email-based 2FA enrollment for authenticated users in all versions before 12.128.2. The backend captcha validation subsystem fails to handle exceptions gracefully, consistently returning HTTP 500 errors and preventing users from completing two-factor authentication setup. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the impact is security-control degradation: users cannot activate 2FA, leaving accounts with only single-factor protection.

Denial Of Service Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-12324 HIGH PATCH This Week

Memory safety flaw in the CanvasWebGL graphics component of Mozilla Firefox allows remote attackers to trigger incorrect boundary handling through crafted web content, leading to limited confidentiality, integrity, and availability impact. The issue affects Firefox prior to version 152 and Firefox ESR prior to 140.12, and no public exploit identified at time of analysis. Reported by Mozilla with low complexity and no authentication required (CVSS 7.3).

Mozilla Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-44893 Maven HIGH PATCH GHSA This Week

Memory leak in Netty's HAProxy codec (io.netty:netty-codec-haproxy) allows remote unauthenticated attackers to exhaust server memory by sending PROXY protocol v2 frames containing a malformed PP2_TYPE_SSL TLV with a length below 5 bytes. The flaw causes a retained slice on the pooled cumulation buffer to never be released when an IndexOutOfBoundsException escapes the decoder's narrow exception handler. No public exploit identified at time of analysis, but the issue is trivially reproducible from the advisory's technical detail and affects any service that accepts PROXY v2 input from untrusted peers.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-47316 MEDIUM This Month

Denial of service in Samsung Escargot JavaScript engine at commit 590345cc6258317c5da850d846ce6baaf2afc2d3 stems from multiple improper exceptional-condition handling paths exposed during JavaScript execution: a null pointer dereference when resolving error values in nested eval/throw/finally scenarios, an integer underflow in TypedArray.copyWithin() triggered by resizable ArrayBuffer coercion, and an unguarded assertion failure when array objects transition unexpectedly from fast to slow mode. Attack vector is local and requires user interaction (UI:R), with impact confined entirely to availability - crashing the host process. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Samsung
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-29643 HIGH This Week

Control-flow disruption in XiangShan open-source RISC-V processor allows local authenticated attackers to trigger denial of service through malformed CSR operations that fail to properly invoke trap handlers. Affected commits from November 2024 contain improper exception handling in the NewCSR subsystem that can leave the processor core in a hung state when targeting non-existent CSR addresses. GitHub issue #3959 and pull request #3966 document the flaw and proposed fix. EPSS score of 0.02% (5th percentile) indicates very low predicted exploitation probability. No public exploit code identified and not listed in CISA KEV, suggesting primarily theoretical risk limited to specialized RISC-V development environments.

Denial Of Service N A
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-34388 Go MEDIUM PATCH GHSA This Month

Denial-of-service vulnerability in Fleet device management software prior to version 4.81.0 allows authenticated hosts to crash the entire Fleet server process by sending a malformed log type value to the gRPC Launcher endpoint, disrupting all connected devices, MDM enrollments, and API consumers. The vulnerability requires prior authentication but affects availability across the entire infrastructure. Vendor-released patch: version 4.81.0.

Denial Of Service Suse
NVD GitHub
CVSS 4.0
6.6
EPSS
0.0%
CVE-2025-59787 MEDIUM This Month

2N Access Commander application version 3.4.2 and prior returns HTTP 500 Internal Server Error responses when receiving malformed or manipulated requests, indicating improper handling of invalid input and potential security or availability impacts. [CVSS 6.5 MEDIUM]

Information Disclosure Access Commander
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28407 Go MEDIUM PATCH This Month

Malcontent versions before 1.21.0 fail to preserve nested archives that cannot be extracted, potentially allowing malicious content to evade detection during supply-chain compromise analysis. An attacker could exploit this by embedding malicious payloads in problematic nested archives that the tool would discard without scanning. The vulnerability has a patch available in version 1.21.0 and later.

Information Disclosure Malcontent Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-20640 MEDIUM This Month

iPhone Mirroring in iOS and iPadOS allows an attacker with physical device access to bypass UI protections and capture screenshots containing sensitive information that should remain hidden during the mirroring session. The vulnerability stems from insufficient state management in the user interface, enabling unauthorized viewing of private data on the iPhone while it is being mirrored to a Mac. No patch is currently available for this medium-severity issue.

Apple iOS Iphone Os Ipados
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVSS 7.5
HIGH This Week

Denial of service in Cisco RoomOS software allows remote unauthenticated attackers to exhaust availability of affected collaboration endpoints and room-based video devices through improper handling of exceptional conditions (CWE-703). The issue was internally discovered by Cisco's RoomOS engineering team as part of a hardening release bundling multiple flaws under this identifier, carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), and has no public exploit identified at time of analysis. Note that the CVSS vector reflects availability-only impact even though a source tag labels it 'Information Disclosure,' a discrepancy defenders should verify against the Cisco advisory.

Cisco Information Disclosure Cisco Roomos Software
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Denial of service in Capgo's /auth/v1/otp endpoint blocks email-based 2FA enrollment for authenticated users in all versions before 12.128.2. The backend captcha validation subsystem fails to handle exceptions gracefully, consistently returning HTTP 500 errors and preventing users from completing two-factor authentication setup. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the impact is security-control degradation: users cannot activate 2FA, leaving accounts with only single-factor protection.

Denial Of Service Capgo
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Memory safety flaw in the CanvasWebGL graphics component of Mozilla Firefox allows remote attackers to trigger incorrect boundary handling through crafted web content, leading to limited confidentiality, integrity, and availability impact. The issue affects Firefox prior to version 152 and Firefox ESR prior to 140.12, and no public exploit identified at time of analysis. Reported by Mozilla with low complexity and no authentication required (CVSS 7.3).

Mozilla Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory leak in Netty's HAProxy codec (io.netty:netty-codec-haproxy) allows remote unauthenticated attackers to exhaust server memory by sending PROXY protocol v2 frames containing a malformed PP2_TYPE_SSL TLV with a length below 5 bytes. The flaw causes a retained slice on the pooled cumulation buffer to never be released when an IndexOutOfBoundsException escapes the decoder's narrow exception handler. No public exploit identified at time of analysis, but the issue is trivially reproducible from the advisory's technical detail and affects any service that accepts PROXY v2 input from untrusted peers.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Denial of service in Samsung Escargot JavaScript engine at commit 590345cc6258317c5da850d846ce6baaf2afc2d3 stems from multiple improper exceptional-condition handling paths exposed during JavaScript execution: a null pointer dereference when resolving error values in nested eval/throw/finally scenarios, an integer underflow in TypedArray.copyWithin() triggered by resizable ArrayBuffer coercion, and an unguarded assertion failure when array objects transition unexpectedly from fast to slow mode. Attack vector is local and requires user interaction (UI:R), with impact confined entirely to availability - crashing the host process. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Samsung
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Control-flow disruption in XiangShan open-source RISC-V processor allows local authenticated attackers to trigger denial of service through malformed CSR operations that fail to properly invoke trap handlers. Affected commits from November 2024 contain improper exception handling in the NewCSR subsystem that can leave the processor core in a hung state when targeting non-existent CSR addresses. GitHub issue #3959 and pull request #3966 document the flaw and proposed fix. EPSS score of 0.02% (5th percentile) indicates very low predicted exploitation probability. No public exploit code identified and not listed in CISA KEV, suggesting primarily theoretical risk limited to specialized RISC-V development environments.

Denial Of Service N A
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Denial-of-service vulnerability in Fleet device management software prior to version 4.81.0 allows authenticated hosts to crash the entire Fleet server process by sending a malformed log type value to the gRPC Launcher endpoint, disrupting all connected devices, MDM enrollments, and API consumers. The vulnerability requires prior authentication but affects availability across the entire infrastructure. Vendor-released patch: version 4.81.0.

Denial Of Service Suse
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

2N Access Commander application version 3.4.2 and prior returns HTTP 500 Internal Server Error responses when receiving malformed or manipulated requests, indicating improper handling of invalid input and potential security or availability impacts. [CVSS 6.5 MEDIUM]

Information Disclosure Access Commander
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Malcontent versions before 1.21.0 fail to preserve nested archives that cannot be extracted, potentially allowing malicious content to evade detection during supply-chain compromise analysis. An attacker could exploit this by embedding malicious payloads in problematic nested archives that the tool would discard without scanning. The vulnerability has a patch available in version 1.21.0 and later.

Information Disclosure Malcontent Suse
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

iPhone Mirroring in iOS and iPadOS allows an attacker with physical device access to bypass UI protections and capture screenshots containing sensitive information that should remain hidden during the mirroring session. The vulnerability stems from insufficient state management in the user interface, enabling unauthorized viewing of private data on the iPhone while it is being mirrored to a Mac. No patch is currently available for this medium-severity issue.

Apple iOS Iphone Os +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy