Skip to main content

CWE-755

Improper Handling of Exceptional Conditions

333 CVEs Avg CVSS 6.8 MITRE
22
CRITICAL
151
HIGH
153
MEDIUM
6
LOW
67
POC
3
KEV

Monthly

CVE-2026-48036 npm HIGH PATCH GHSA This Week

Drift-detection logic flaw in the @hulumi/drift npm package (versions < 1.4.0) causes the verdict classifier to conflate adapter failure with a clean result, producing cached false-negative 'None / none' verdicts for up to six hours and false-positive incident-severity 'Mixed / high' or 'ConsoleBreakGlass / high' verdicts based on probe liveness rather than CloudTrail evidence. Consumers running drift detection in CI or cron pipelines could silently miss real console-break-glass mutations or be paged on routine provider-version churn. No public exploit identified at time of analysis; the issue is a CWE-755 improper-exception-handling defect rather than a remote attack primitive.

Privilege Escalation
NVD GitHub
EPSS
0.0%
CVE-2026-44505 MEDIUM This Month

Indefinite future hang (denial of service) in Nimiq core-rs-albatross's network-libp2p component allows any remote peer to cause DHT get-record callers to block forever by returning a record that fails signature or structural verification. The root cause is improper error handling in handle_dht_get (swarm.rs): on verifier failure or subsequent inconsistent-state transitions, the oneshot channel used by Network::dht_get is never completed and per-query bookkeeping is never cleaned up, leaving the awaiting caller suspended without a timeout. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV. The issue is patched in version 1.4.0.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2023-43686 MEDIUM This Month

An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-49235 Cargo HIGH PATCH GHSA This Week

Denial of service in NLnet Labs Routinator allows remote attackers to crash the RPKI validator by serving a crafted Document Type Definition (DTD) inside RRDP repository content. Exploitation requires no authentication or user interaction (CVSS 4.0 8.7, VA:H), and no public exploit identified at time of analysis. A successful crash halts RPKI relying-party processing, which can degrade route origin validation for networks that depend on Routinator output.

Denial Of Service Routinator
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-49232 HIGH This Week

Denial of service in NLnet Labs Routinator allows remote unauthenticated attackers to crash the daemon by opening a large number of HTTP or RTR connections, exhausting file descriptors and triggering an unrecoverable exit. Only deployments exposing the HTTP or RTR server to untrusted networks are affected. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Routinator
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-48961 HIGH PATCH This Week

Denial of service in the zipdetails CLI tool bundled with Perl's IO::Compress versions 2.207 through 2.219 causes the script to abort with status 255 when parsing a ZIP archive containing an Info-ZIP Unix Extra Field (tag 0x7875) that declares an 8-byte UID or GID size. The bug is a typo in the source (calling unpackValueQ instead of unpackValue_Q), and no public exploit is identified at time of analysis; library callers of IO::Compress/IO::Uncompress are unaffected. EPSS is negligible (0.02%) and impact is limited to crashing the inspection tool, not the consuming application.

Denial Of Service Io Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-8162 npm HIGH PATCH GHSA This Week

Denial of service crashes multiparty Node.js parser versions ≤4.2.3 when processing malformed percent-encoded filename* parameters in multipart/form-data uploads. Attackers can remotely crash any Node.js service using vulnerable multiparty versions by sending a single crafted HTTP request with no authentication required (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, but exploitation is trivial given the straightforward attack vector. Vendor-released patch: multiparty@4.3.0.

Denial Of Service Multiparty
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-44902 npm HIGH PATCH GHSA This Week

Remote unauthenticated attackers can crash Node.js applications running the OpenTelemetry Prometheus exporter by sending a single malformed HTTP request to the metrics endpoint (default port 9464). The vulnerability exists in @opentelemetry/exporter-prometheus versions prior to 0.217.0, where missing error handling around URL parsing causes an uncaught TypeError when processing invalid URIs, terminating the entire Node.js process. The metrics endpoint binds to 0.0.0.0 by default and requires no authentication, making exploitation trivial for any network-accessible attacker. Publicly available exploit code exists (one-line netcat command demonstrated in vendor advisory). No active exploitation confirmed at time of analysis, though the attack complexity is minimal (CVSS AC:L) and the impact severe for production observability infrastructure.

Denial Of Service Node.js
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23666 HIGH PATCH NEWS Exploit Unlikely This Week

Denial of service in Microsoft .NET Framework 3.5 through 4.8.1 allows unauthenticated remote attackers to crash applications via race condition exploitation over a network. The vulnerability stems from improper synchronization when multiple threads access shared resources concurrently (CWE-755). Affected versions span .NET Framework 3.5, 4.6.2, 4.7.x, 4.8, and 4.8.1 across multiple component combinations. Microsoft has released patches addressing the flaw. No public exploit code or active explo

Authentication Bypass Microsoft Net Framework 3 5 Microsoft Net Framework 3 5 And 4 7 2 Microsoft Net Framework 3 5 And 4 8 Microsoft Net Framework 3 5 And 4 8 1 +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40074 npm MEDIUM PATCH GHSA This Month

SvelteKit versions prior to 2.57.1 are vulnerable to denial of service when the redirect() function is called from the handle server hook with HTTP header-invalid characters in the location parameter. An unauthenticated remote attacker can trigger an unhandled TypeError by supplying unsanitized user input to the redirect location, potentially causing application crashes on certain platforms. The vulnerability is fixed in version 2.57.1.

Information Disclosure Kit
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
EPSS 0%
HIGH PATCH This Week

Drift-detection logic flaw in the @hulumi/drift npm package (versions < 1.4.0) causes the verdict classifier to conflate adapter failure with a clean result, producing cached false-negative 'None / none' verdicts for up to six hours and false-positive incident-severity 'Mixed / high' or 'ConsoleBreakGlass / high' verdicts based on probe liveness rather than CloudTrail evidence. Consumers running drift detection in CI or cron pipelines could silently miss real console-break-glass mutations or be paged on routine provider-version churn. No public exploit identified at time of analysis; the issue is a CWE-755 improper-exception-handling defect rather than a remote attack primitive.

Privilege Escalation
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Indefinite future hang (denial of service) in Nimiq core-rs-albatross's network-libp2p component allows any remote peer to cause DHT get-record callers to block forever by returning a record that fails signature or structural verification. The root cause is improper error handling in handle_dht_get (swarm.rs): on verifier failure or subsequent inconsistent-state transitions, the oneshot channel used by Network::dht_get is never completed and per-query bookkeeping is never cleaned up, leaving the awaiting caller suspended without a timeout. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV. The issue is patched in version 1.4.0.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 6.2
MEDIUM This Month

An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Mozilla Denial Of Service
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in NLnet Labs Routinator allows remote attackers to crash the RPKI validator by serving a crafted Document Type Definition (DTD) inside RRDP repository content. Exploitation requires no authentication or user interaction (CVSS 4.0 8.7, VA:H), and no public exploit identified at time of analysis. A successful crash halts RPKI relying-party processing, which can degrade route origin validation for networks that depend on Routinator output.

Denial Of Service Routinator
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Denial of service in NLnet Labs Routinator allows remote unauthenticated attackers to crash the daemon by opening a large number of HTTP or RTR connections, exhausting file descriptors and triggering an unrecoverable exit. Only deployments exposing the HTTP or RTR server to untrusted networks are affected. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Routinator
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Denial of service in the zipdetails CLI tool bundled with Perl's IO::Compress versions 2.207 through 2.219 causes the script to abort with status 255 when parsing a ZIP archive containing an Info-ZIP Unix Extra Field (tag 0x7875) that declares an 8-byte UID or GID size. The bug is a typo in the source (calling unpackValueQ instead of unpackValue_Q), and no public exploit is identified at time of analysis; library callers of IO::Compress/IO::Uncompress are unaffected. EPSS is negligible (0.02%) and impact is limited to crashing the inspection tool, not the consuming application.

Denial Of Service Io Suse +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service crashes multiparty Node.js parser versions ≤4.2.3 when processing malformed percent-encoded filename* parameters in multipart/form-data uploads. Attackers can remotely crash any Node.js service using vulnerable multiparty versions by sending a single crafted HTTP request with no authentication required (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, but exploitation is trivial given the straightforward attack vector. Vendor-released patch: multiparty@4.3.0.

Denial Of Service Multiparty
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote unauthenticated attackers can crash Node.js applications running the OpenTelemetry Prometheus exporter by sending a single malformed HTTP request to the metrics endpoint (default port 9464). The vulnerability exists in @opentelemetry/exporter-prometheus versions prior to 0.217.0, where missing error handling around URL parsing causes an uncaught TypeError when processing invalid URIs, terminating the entire Node.js process. The metrics endpoint binds to 0.0.0.0 by default and requires no authentication, making exploitation trivial for any network-accessible attacker. Publicly available exploit code exists (one-line netcat command demonstrated in vendor advisory). No active exploitation confirmed at time of analysis, though the attack complexity is minimal (CVSS AC:L) and the impact severe for production observability infrastructure.

Denial Of Service Node.js
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft .NET Framework 3.5 through 4.8.1 allows unauthenticated remote attackers to crash applications via race condition exploitation over a network. The vulnerability stems from improper synchronization when multiple threads access shared resources concurrently (CWE-755). Affected versions span .NET Framework 3.5, 4.6.2, 4.7.x, 4.8, and 4.8.1 across multiple component combinations. Microsoft has released patches addressing the flaw. No public exploit code or active explo

Authentication Bypass Microsoft Net Framework 3 5 Microsoft Net Framework 3 5 And 4 7 2 +4
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

SvelteKit versions prior to 2.57.1 are vulnerable to denial of service when the redirect() function is called from the handle server hook with HTTP header-invalid characters in the location parameter. An unauthenticated remote attacker can trigger an unhandled TypeError by supplying unsanitized user input to the redirect location, potentially causing application crashes on certain platforms. The vulnerability is fixed in version 2.57.1.

Information Disclosure Kit
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy