Denial Of Service
Monthly
Denial of service in MongoDB Server 7.0, 8.0, and 8.2 allows authenticated remote attackers to crash the database by inserting documents that trigger updates to a maliciously created '2dsphere_bucket' or 'queryable_encrypted_range' index on a non-timeseries bucket collection. The flaw stems from a reachable assertion (CWE-617) and is reported by MongoDB itself with a vendor patch available; no public exploit identified at time of analysis.
Broken access control in Arcane's GitOps backend (versions <= 1.18.1) allows any authenticated low-privilege user to exfiltrate plaintext Git credentials (PATs/SSH keys) stored for source-of-truth repositories. Eight of nine /api/customize/git-repositories endpoints omit the checkAdmin() gate, letting a 'user' role attacker repoint a repository URL to an attacker-controlled host and trigger a /test or /branches call that transmits the decrypted token via HTTP Basic auth. No public exploit identified at time of analysis, but the GHSA advisory documents a complete attack chain and a patched release (1.19.0) is available.
Prototype pollution in the npm package form-data-objectizer (<= 1.0.0) lets unauthenticated remote attackers mutate Object.prototype by submitting a single HTTP form field whose name uses bracket notation such as __proto__[polluted] or constructor[prototype][polluted]. The defect lives in treatInitial/treatSecond inside index.cjs, where an 'in' check walks the prototype chain and lets the parser write to inherited properties. CVSS is 8.2 (High) with Integrity:High; publicly available exploit code exists (working PoC published in the GHSA advisory), but there is no public exploit identified as being used in attacks and no CISA KEV listing.
Denial of service in GnuTLS affects the Datagram Transport Layer Security (DTLS) packet reordering logic, where the comparator function fails to correctly handle packets with duplicate sequence numbers. Remote unauthenticated attackers can send specially crafted DTLS packet sequences to trigger unstable ordering or undefined behavior, causing service disruption. No public exploit identified at time of analysis, and the issue is rated CVSS 7.5 (High) for availability impact only.
Denial of service in M-Files Server versions prior to 26.5.16015.0, 26.2 LTS, and 25.8 LTS SR3 allows an authenticated remote attacker to crash the MFserver process, disrupting document management services for all connected users. The flaw is reachable over the network with low privileges and no user interaction, but has no impact on confidentiality or integrity. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.
Mattermost Desktop App can be repeatedly crashed by malicious server administrators through JavaScript URL injection in pop-up windows. Attackers controlling a Mattermost server can force connected desktop clients to become unusable by exploiting improper URL validation, requiring user interaction (connecting to the malicious server). No public exploit code identified at time of analysis, though the attack method is trivial to implement given the disclosed details.
Mattermost Desktop App can be crashed remotely by malicious server administrators or plugin developers exploiting insufficient isolation of server-rendered content. Authenticated attackers with low-privilege server access who can control rendered content (via compromised server, malicious plugin, or modified server responses) can invoke window.close() to terminate the desktop client, causing a client-side denial of service. EPSS data not available; no public exploit code identified at time of analysis. CVSS 3.5 (Low severity) reflects limited impact scope - disruption to individual user sessions rather than system-wide compromise.
Memory exhaustion denial of service in Mattermost Server versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3 allows authenticated attackers to crash the server by uploading maliciously crafted 7zip archives containing excessive folder declarations. The vulnerability stems from insufficient validation of 7zip archive structure before decompression, enabling resource exhaustion attacks with low attack complexity. EPSS data not available, not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.
Resource exhaustion in Mattermost Server 10.11.x through 11.5.1 allows authenticated users to trigger denial of service by sending oversized HTTP POST requests to the /api/v1/meetings endpoint. The vulnerability affects three active release branches with no request size validation on the meeting start API. EPSS data not available; no confirmed active exploitation (not in CISA KEV); authentication requirement (PR:L) reduces immediate exposure to internal or compromised users. Vendor advisory MMSA-2026-00608 confirms the issue.
Null pointer dereference in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.3-dev allows authenticated remote attackers to trigger denial of service via crafted NGAP UERadioCapabilityCheckResponse messages. The vulnerability exists in ngap/dispatcher.go where insufficient null pointer validation permits exploitation through the 5G network interface. Public exploit code exists (GitHub issue #675), and vendor-released patch v2.2.0 is available via PR #666, which also addresses multiple related security issues in NGAP message handling and mobile identity parsing.
Remote denial of service in omec-project AMF versions up to 2.1.3-dev allows authenticated attackers to crash the Access and Mobility Management Function via crafted NGAP messages that trigger null pointer dereference in ngap/handler.go. Public exploit code exists (GitHub issue #674). Affects OMEC 5G core network deployments. Patched in version 2.2.0 via PR #666, which addresses multiple security issues including malformed SUCI handling and missing null checks across NGAP message parsing.
Null pointer dereference in OMEC Project AMF versions up to 2.1.3-dev allows remote authenticated attackers to trigger denial of service via crafted NGAP messages to the RANConfiguration function. The vulnerability (CVE-2026-8781) affects the Access and Mobility Management Function component of the Open Mobile Evolved Core, a critical element in 5G networks. Publicly available exploit code exists (GitHub issue #673), but CVSS 2.1 (Low) reflects limited availability impact and low-privilege authentication requirement. Vendor-released patch: version 2.2.0 (GitHub PR #666).
In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing. When receiving a CONNECT packet with a zero-length Client ID while CleanSession is set to 0, the broker correctly replies with a CONNACK return code 0x02 (Identifier Rejected) but fails to explicitly close the TCP connection. Since the surrounding connection teardown logic is not guaranteed to execute, each such invalid CONNECT attempt leaves the underlying socket open. Repeated attempts cause server-side resource exhaustion due to accumulating file descriptors and memory usage, potentially resulting in denial of service.
Resource exhaustion in Vercel AI SDK's provider-utils package (versions ≤3.0.97) allows authenticated remote attackers to consume excessive system resources via specially crafted requests to JSON response handlers. Public proof-of-concept exists. EPSS data not available. Not listed in CISA KEV. CVSS 4.0 score of 2.1 reflects low availability impact (VA:L) with authenticated network access (PR:L). Vendor non-responsive to initial disclosure.
Use-after-free vulnerability in Open5GS NRF component (versions up to 2.7.7) allows authenticated remote attackers to trigger denial of service via the discover_handler function in nghttp2-server.c. Publicly available exploit code exists (GitHub issue #4476), but vendor has not responded to early disclosure. EPSS data not available; CVSS 4.3 (Medium) reflects limited scope (DoS only, authenticated access required). Not listed in CISA KEV, indicating no confirmed widespread exploitation despite public POC.
Remote authenticated denial of service in Open5GS versions up to 2.7.7 allows attackers to crash the AUSF (Authentication Server Function) component via crafted timer manipulation. The vulnerability resides in ogs_timer_add function within nausf-handler.c. Public exploit code exists via GitHub issue #4472, though vendor has not responded to disclosure. EPSS data unavailable; CVSS 4.0 scores only 2.1 due to low availability impact and authenticated requirement, but the existence of public exploit elevates practical risk for exposed 5G core deployments.
Denial of service in Open5GS NRF (Network Repository Function) allows authenticated remote attackers to crash the service by exhausting the nf_service resource pool. Open5GS versions up to 2.7.7 fail to validate pool allocation during NF service registration, triggering assertion failures that terminate the process. Publicly available exploit code exists (GitHub issue #4466). EPSS data not available, not listed in CISA KEV. Patch released via commit 819db11a08b9736a3576c4f99ceb28f7eb99523a, merged in PR #4534.
Denial of service vulnerability in Open5GS NRF client management (versions ≤2.7.7) allows authenticated remote attackers to crash the Network Repository Function service via malformed client pool arguments. Public exploit code exists (GitHub issue #4464), but vendor has not responded to disclosure. CVSS base score of 4.3 reflects low severity due to limited availability impact and authentication requirement. EPSS data not provided; KEV status not applicable for this unpatched issue.
Denial of service in Open5GS versions up to 2.7.6 allows authenticated remote attackers to crash the Network Repository Function (NRF) component via crafted nfInstanceId parameter manipulation in the ogs_sbi_nf_instance_set_id function. Publicly available exploit code exists (GitHub issue #4462), but vendor has not responded to early responsible disclosure. EPSS data not available, not listed in CISA KEV. CVSS 4.3 (Medium) reflects low impact (availability only) and authenticated attack vector.
Denial of service in Open5GS versions up to 2.7.7 allows authenticated remote attackers to crash the Network Repository Function (NRF) component by manipulating service-names or snssais parameters in SBI messages. A public proof-of-concept exploit exists via GitHub issue #4460, and the vendor has not responded to the early disclosure. EPSS data unavailable, but the low CVSS 4.3 score reflects limited impact (availability only, authenticated access required), reducing real-world urgency for most deployments.
Denial of service in Open5GS versions up to 2.7.7 allows authenticated remote attackers to crash the Network Repository Function (NRF) component via malformed target-plmn-list parameters. The vulnerability targets a parsing function in the Service-Based Interface (SBI) library and has publicly available exploit code (GitHub issue #4458). CVSS 4.3 reflects low severity, but the vendor has not responded to early disclosure attempts, leaving no confirmed patch timeline. EPSS and KEV data unavailable - exploitation likelihood beyond POC unknown.
The qs Node.js library (versions 6.11.1 through 6.15.1) crashes with a synchronous TypeError when stringify is called with both arrayFormat: 'comma' and encodeValuesOnly: true on arrays containing null or undefined elements. Applications using these non-default options together will experience request failures (typically 500 errors in web frameworks) when processing user input with null array values. The vulnerability was introduced in commit 4c4b23d (PR #463, January 2023) and patched in v6.15.2 (commit 21f80b3). No public exploit or CISA KEV listing identified at time of analysis, though exploitation requires only crafting JSON input with null array elements.
Sticky Notes Widget 3.0.6 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Sticky Notes & Color Widgets 1.4.2 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
My Notes Safe 5.3 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Macaron Notes 5.5 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Color Notes 1.4 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Internet Download Manager 6.38.12 contains a buffer overflow vulnerability in the Scheduler component that allows local attackers to crash the application by supplying oversized input. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Memory corruption in radare2 6.1.5's GDB client allows remote attackers to crash the application or potentially execute code through malformed thread information responses. The vulnerability triggers when the GDB remote protocol's qsThreadInfo command fails after qfThreadInfo has allocated memory, causing a use-after-free condition. While no public exploits have been identified, the CVSS 8.7 score reflects the potential for remote unauthenticated denial of service impact.
Denial of service vulnerability in coreMQTT versions before 5.0.1 allows remote MQTT brokers to crash client applications through malformed MQTT v5.0 property packets. The vulnerability stems from missing bounds validation in the property parser, enabling out-of-bounds read conditions (CWE-125). Amazon Web Services has issued a security bulletin and released version 5.0.1 to address this issue.
WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Remote attackers can trigger memory corruption in radare2 6.1.5 through its GDB remote debugging interface, causing denial of service or potentially achieving code execution. The use-after-free vulnerability in gdbr_threads_list() occurs when processing a valid qfThreadInfo response followed by a malformed qsThreadInfo response, leading to improper memory management. VulnCheck reported this issue and vendor patch commit c213ad6894a1eb9086ac8bf5fae35757e9e1683c addresses the vulnerability.
Remote denial-of-service vulnerability in Nimiq full nodes allows unauthenticated attackers to crash nodes by publishing malformed Kademlia DHT records with incorrect Ed25519 signature lengths. The vulnerability triggers a panic in the Ed25519 signature verification code when processing DHT records with signatures not exactly 64 bytes. Vendor-released patch: v1.4.0.
Memory exhaustion vulnerability in Nodemailer smtp-server before v3.18.3 enables remote denial of service attacks through unbounded command line processing. The vulnerability allows unauthenticated attackers to crash SMTP services by sending oversized commands that exhaust server memory. Public exploit code exists and the issue is rated as highly automatable by CISA SSVC framework, though not yet listed in CISA KEV.
Unauthenticated attackers can modify Smartcat API credentials in the Smartcat Translator for WPML plugin through a missing capability check on the 'routeData' REST endpoint, allowing hijacking of translation services or denial of service. All versions through 3.1.77 are affected. The vulnerability requires only network access and no user interaction, making it remotely exploitable by any unauthenticated actor against default WordPress configurations running the vulnerable plugin.
Improper isolation of GPU HW register space could allow a privileged attacker in malicious Guest Virtual Machine (VM) to perform unauthorized access to specific victim range of GPU MMIO register. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.
DDR5 memory modules in multiple AMD Ryzen processor families contain an insecure default PMIC (Power Management Integrated Circuit) interface configuration that allows local users with standard privileges to cause permanent denial of service or corrupt memory module integrity via unprotected firmware access. The vulnerability affects Ryzen 4000, 7000, 7020, 7030, 7035, 7040, 7045 series processors and Threadripper Pro 3000 WX-series, requiring local system access but no special privileges or user interaction. No public exploit code or active exploitation has been confirmed at time of analysis.
Buffer overflow in AMD Sensor Fusion Hub Driver allows local authenticated attackers to write out of bounds, causing denial of service or system crash. The vulnerability affects multiple Ryzen processor families (4000, 5000, 7000, 7020, 7030, 7035, 7040 series and Ryzen AI 300 series) with Radeon integrated graphics across Windows mobile and desktop platforms. No active exploitation has been confirmed at time of analysis.
Arbitrary code execution and denial of service in AMD Platform Management Framework (PMF) affects Ryzen 7035, 7040, 8040 mobile processors and Ryzen Embedded 8000 series. A local authenticated attacker exploiting an unchecked return value vulnerability can write to arbitrary memory locations, potentially escalating privileges from low to high integrity across system boundaries. The CVSS 4.0 score of 7.1 reflects local attack vector with low complexity but requires specific attack timing conditions (AT:P), though the cross-scope impact (S:H) and high confidentiality/integrity impact to subsequent systems elevate real-world risk for enterprise environments with AMD mobile processors.
Buffer overflow in the AMD Secure Processor (ASP) PCI driver affects dozens of AMD Ryzen, EPYC, and Threadripper processor families across desktop, mobile, and embedded variants. Local attackers with user-level privileges can trigger improper input validation in the driver to cause a crash or denial of service, with potential for integrity impact. The vulnerability requires local access and authenticated user privileges; no active exploitation in the wild has been confirmed, and vendor-released patches are available.
Use-After-Free vulnerability in the AMD Secure Processor (ASP) PCI driver affects multiple Ryzen, Threadripper, EPYC, and Athlon processor families due to improper input validation. A local attacker with user-level privileges can trigger the UAF condition, resulting in denial of service via platform crash or potential loss of platform integrity. Vendor-released patch: AMD Ryzen Chipset Driver 7.02.13.148 (or equivalent Catalyst driver versions for embedded SKUs). No public exploit identified at time of analysis.
Stack exhaustion in MongoDB PHP driver allows remote denial of service when processing deeply nested BSON documents from untrusted sources. Unauthenticated attackers can crash applications by sending maliciously crafted BSON payloads with excessive nesting levels, affecting all versions of the PHP driver that parse BSON without depth limits. The vulnerability requires high attack complexity but results in complete availability loss.
Tuist is a virtual platform team for Swift app devs. Prior to 1.180.10, the forgot password flow allows an unauthenticated attacker to repeatedly trigger password reset emails for a known account without server-side throttling. In self-hosted deployments, this can be abused to send large volumes of unwanted email and consume downstream email delivery resources. This vulnerability is fixed in 1.180.10.
Regular expression denial of service (ReDoS) in Svelte 5.51.5 through 5.55.6 allows attackers to cause application hang or crash by passing unconstrained-length tag names to the `<svelte:element>` component, triggering exponential regex evaluation time in the runtime tag validation logic. The vulnerability requires applications to accept user-controlled tag input without length or content restrictions.
Excessive memory allocation in devalue.parse (npm package) allows remote attackers to exhaust process memory via crafted sparse array payloads. Affects versions 5.6.3 through 5.8.0. Exploits JavaScript engine behavior where declaring large array lengths triggers eager memory allocation in V8, enabling denial-of-service with minimal payload size. Vendor-released patch 5.8.1 forces sparse allocation by touching MAX_ARRAY_INDEX before setting length. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists in security advisory test cases.
Cross-Site Request Forgery via image URL manipulation in Open WebUI allows authenticated users to perform unauthorized actions on behalf of victims by embedding malicious image URLs in profile pictures, model images, shared chats, and notes. When any user (including admins) views these compromised images, their browser sends GET requests to attacker-controlled servers, enabling cookie theft, denial of service, or execution of sensitive operations. Publicly available proof-of-concept code demonstrates exploitation across multiple attack vectors. The vulnerability affects all versions up to and including v0.9.2, with a vendor-released patch available in v0.9.3.
libsixel versions prior to 1.8.7-r2 crash on memory allocation failure in sixel_decode_raw and sixel_decode functions due to incorrect NULL pointer validation, allowing local attackers to trigger denial of service under low-memory conditions. The vulnerability affects any application using libsixel's public decoding APIs when system memory pressure causes malloc to fail.
Use after free in Extensions in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium)
Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
Use after free in GTK in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Use after free in Google Lens in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Insufficient validation of untrusted input in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform a denial of service via a crafted HTML page. (Chromium security severity: High)
Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Network in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Tab Groups in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
Use after free in Blink in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)
Use after free in HID in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Aura in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Input in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in FileSystem in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Heap buffer overflow in OpenImageIO 3.0.x (before 3.0.18.0) and 3.1.x (before 3.1.13.0) allows remote attackers to achieve denial of service or potentially arbitrary code execution via crafted DPX image files. The vulnerability stems from signed integer overflow in buffer size calculations within the DPX color converter, causing undersized heap allocations. Attack requires victim to open a malicious DPX file (user interaction required per CVSS UI:R). No public exploit code or active exploitation confirmed at time of analysis, though the technical details in the GitHub advisory provide sufficient detail for proof-of-concept development.
Integer division by zero in GStreamer gst-plugins-good before version 1.28.2 allows local attackers to cause denial of service by supplying a maliciously crafted MP4 file with invalid atom data in audio tracks, triggering a crash in the qtdemux_audio_caps parser function without requiring user interaction or elevated privileges.
Integer division by zero in GStreamer gst-plugins-good before version 1.28.2 allows local attackers to cause denial of service by crafting malicious MP4 audio files. The isomp4 plugin's qtdemux_parse_trak function fails to validate atom data before performing division operations, causing application crash when parsing specially crafted audio tracks. No authentication required; exploitation requires only local file access and media playback.
Unbounded memory allocation and CPU exhaustion in OpenTelemetry Java SDK's baggage propagation allows remote unauthenticated attackers to degrade or deny service by sending oversized baggage headers. Affected components - W3CBaggagePropagator, JaegerPropagator, and OtTracePropagator - all lacked enforcement of the W3C Baggage specification's recommended size and entry limits, causing character-by-character parsing of arbitrarily large inputs. A distinctive amplification risk exists: baggage is automatically re-injected into all outgoing requests, meaning a single malicious inbound payload can fan out DoS effects to downstream services that never directly received the original request. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Matrix Synapse homeserver versions prior to 1.152.1 allow authenticated local users to trigger CPU starvation that denies service to other users by exploiting unbounded lock timeout intervals in the WorkerLock implementation. Synapse deployments that do not trust all local users face service availability risk from malicious authenticated accounts. Vendor-released patch available in version 1.152.1 (GitHub commit 3f58bc50dfba5768ee43ce48c5e74c25ba0b078a confirms fix). No public exploit identified at time of analysis, though the attack mechanism is straightforward for any authenticated user.
Infinite recursion in Vvveb admin controller exhausts PHP memory through repeated permission checks when low-privilege users access forbidden admin URLs. Sustained requests deplete worker memory causing site-wide denial of service. Fixed in version 1.0.8.3 via commit c766e84b which removes Base class inheritance from Error403 controller to break the dispatch cycle. No evidence of active exploitation but trivial to reproduce with authenticated low-privilege account.
Fleet server crashes from a single malformed gRPC request to the PublishLogs endpoint, allowing complete denial of service. An attacker with any enrolled Launcher node key can terminate the Fleet server process instantly via a crafted gRPC call. CVSS 8.7 (High) reflects the ease and impact, though exploitation requires prior enrollment of a Launcher host. Vendor-released patch version 4.81.0 available. No public exploit identified at time of analysis, but attack requires minimal sophistication given authenticated access.
Denial of service in PostgreSQL allows remote unauthenticated attackers to crash the database server via recursive SSL/GSS negotiation when connecting to AF_UNIX or TCP sockets (if SSL and GSS are both disabled). Affects all PostgreSQL versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23. No active exploitation confirmed (not in CISA KEV). Vendor-released patches available across all supported major versions. EPSS data not available, but CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates high availability impact with low barrier to exploitation.
Memory exhaustion in Elixir Plug 1.4.0 through 1.19.1 allows remote unauthenticated attackers to crash BEAM VM processes via unbounded buffer accumulation during multipart/form-data header parsing. The vulnerability mirrors CVE-2026-8466 in Cowboy: read_part_headers/2 recursively accumulates incoming bytes without size limits when parsing malformed multipart requests that never deliver complete header sections. Vendor-released patches available for all affected branches. No public exploit identified at time of analysis, but exploitation requires only basic HTTP client tools.
GitLab CE and EE are vulnerable to authenticated denial of service through excessive memory consumption, affecting all installations from version 8.3 up to the patched releases. An authenticated user with minimal privileges can submit maliciously crafted input that bypasses proper validation, causing the server to allocate memory without adequate bounds until service degradation or outage occurs. EPSS is low at 0.06% (18th percentile), no active exploitation is confirmed (CISA KEV absent, SSVC exploitation status: none), and a vendor patch was released on May 13, 2026.
Denial of service in GitLab CE/EE allows unauthenticated remote attackers to disrupt service availability by sending specially crafted requests that exploit insufficient input validation. Affected versions span 9.0 through 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 across both Community and Enterprise editions, with no public exploit identified at time of analysis and a low EPSS score (0.04%) indicating limited near-term exploitation likelihood despite the network-reachable attack surface.
Denial-of-service in GitLab Enterprise Edition allows a crafted file upload to exhaust service availability through improper deserialization validation. The vulnerability spans an exceptionally wide range, affecting all GitLab EE instances from version 11.9 through the 18.11 line until patched releases. There is no public exploit identified at time of analysis and EPSS sits at 0.02% (4th percentile), indicating low observed exploitation pressure, though the breadth of the affected version range means unpatched installations represent a meaningful attack surface for availability disruption.
Denial of service in GitLab Community and Enterprise Editions (versions 18.5 through 18.11.2) allows remote unauthenticated attackers to exhaust resources by submitting specially crafted JSON payloads that bypass input validation. The flaw is network-reachable with low complexity and no authentication required, but only impacts availability (CVSS 7.5, A:H). No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.04% (11th percentile), though CISA SSVC flags the issue as automatable.
Denial of service in GitLab Community and Enterprise Edition versions 18.5 through 18.11.2 allows unauthenticated remote attackers to disrupt service availability by sending specially crafted payloads to certain API endpoints. The flaw maps to CWE-1284 (improper validation of specified quantity in input) and has been patched in 18.9.7, 18.10.6, and 18.11.3. No public exploit identified at time of analysis and EPSS probability is very low (0.03%, 9th percentile), but the SSVC framework flags the attack as automatable with partial technical impact.
Infinite loop denial-of-service in OpenStack Ironic's image handling allows low-privileged authenticated attackers to exhaust conductor resources by supplying file:///dev/zero as an image URL, triggering unbounded checksum calculations that never terminate. All Ironic versions from 0 through 35.x prior to commit a3f6d73 are affected. No public exploit independently confirmed but SSVC data indicates proof-of-concept exists; EPSS sits at 0.01% (2nd percentile), consistent with low widespread exploitation likelihood despite the poc signal.
{ isRaw: true }]` tuple, which is passed directly into Knex's `db.connection.raw()` without sanitization. Affected versions are @strapi/content-type-builder <=5.33.1 (v5) and @strapi/plugin-content-type-builder <=4.26.0 (v4), with impact ranging from arbitrary file read and denial of service to remote code execution on database engines that permit external program execution. No public exploit identified at time of analysis; EPSS is low at 0.13% and CISA SSVC notes exploitation status of 'none', though vendor-confirmed remediation is available.
Uncontrolled resource consumption in Grafana OSS allows authenticated low-privilege users to trigger an out-of-memory (OOM) crash by exploiting the $__timeGroup macro against a configured SQL datasource. The attack is slow by nature - requiring upwards of 30 minutes to exhaust server memory - and affects Grafana OSS versions spanning from 8.0.0 through 13.0.1. Grafana reported this vulnerability directly, a vendor patch is available across all affected release branches, and no public exploit code or active exploitation has been identified at time of analysis.
Unbounded memory allocation in Grafana OSS's plugin resources endpoint allows any authenticated low-privileged user to trigger an out-of-memory condition by sending a sufficiently large HTTP request body, resulting in denial of service against the Grafana instance. Affected versions span a wide range from 6.7.0 through 13.0.1, with vendor-released security patches available across all supported branches. No public exploit exists and CISA has not added this to the KEV catalog; the EPSS score of 0.04% (12th percentile) reflects very low observed exploitation probability.
Denial of service in MongoDB Server 7.0, 8.0, and 8.2 allows authenticated remote attackers to crash the database by inserting documents that trigger updates to a maliciously created '2dsphere_bucket' or 'queryable_encrypted_range' index on a non-timeseries bucket collection. The flaw stems from a reachable assertion (CWE-617) and is reported by MongoDB itself with a vendor patch available; no public exploit identified at time of analysis.
Broken access control in Arcane's GitOps backend (versions <= 1.18.1) allows any authenticated low-privilege user to exfiltrate plaintext Git credentials (PATs/SSH keys) stored for source-of-truth repositories. Eight of nine /api/customize/git-repositories endpoints omit the checkAdmin() gate, letting a 'user' role attacker repoint a repository URL to an attacker-controlled host and trigger a /test or /branches call that transmits the decrypted token via HTTP Basic auth. No public exploit identified at time of analysis, but the GHSA advisory documents a complete attack chain and a patched release (1.19.0) is available.
Prototype pollution in the npm package form-data-objectizer (<= 1.0.0) lets unauthenticated remote attackers mutate Object.prototype by submitting a single HTTP form field whose name uses bracket notation such as __proto__[polluted] or constructor[prototype][polluted]. The defect lives in treatInitial/treatSecond inside index.cjs, where an 'in' check walks the prototype chain and lets the parser write to inherited properties. CVSS is 8.2 (High) with Integrity:High; publicly available exploit code exists (working PoC published in the GHSA advisory), but there is no public exploit identified as being used in attacks and no CISA KEV listing.
Denial of service in GnuTLS affects the Datagram Transport Layer Security (DTLS) packet reordering logic, where the comparator function fails to correctly handle packets with duplicate sequence numbers. Remote unauthenticated attackers can send specially crafted DTLS packet sequences to trigger unstable ordering or undefined behavior, causing service disruption. No public exploit identified at time of analysis, and the issue is rated CVSS 7.5 (High) for availability impact only.
Denial of service in M-Files Server versions prior to 26.5.16015.0, 26.2 LTS, and 25.8 LTS SR3 allows an authenticated remote attacker to crash the MFserver process, disrupting document management services for all connected users. The flaw is reachable over the network with low privileges and no user interaction, but has no impact on confidentiality or integrity. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.
Mattermost Desktop App can be repeatedly crashed by malicious server administrators through JavaScript URL injection in pop-up windows. Attackers controlling a Mattermost server can force connected desktop clients to become unusable by exploiting improper URL validation, requiring user interaction (connecting to the malicious server). No public exploit code identified at time of analysis, though the attack method is trivial to implement given the disclosed details.
Mattermost Desktop App can be crashed remotely by malicious server administrators or plugin developers exploiting insufficient isolation of server-rendered content. Authenticated attackers with low-privilege server access who can control rendered content (via compromised server, malicious plugin, or modified server responses) can invoke window.close() to terminate the desktop client, causing a client-side denial of service. EPSS data not available; no public exploit code identified at time of analysis. CVSS 3.5 (Low severity) reflects limited impact scope - disruption to individual user sessions rather than system-wide compromise.
Memory exhaustion denial of service in Mattermost Server versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3 allows authenticated attackers to crash the server by uploading maliciously crafted 7zip archives containing excessive folder declarations. The vulnerability stems from insufficient validation of 7zip archive structure before decompression, enabling resource exhaustion attacks with low attack complexity. EPSS data not available, not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.
Resource exhaustion in Mattermost Server 10.11.x through 11.5.1 allows authenticated users to trigger denial of service by sending oversized HTTP POST requests to the /api/v1/meetings endpoint. The vulnerability affects three active release branches with no request size validation on the meeting start API. EPSS data not available; no confirmed active exploitation (not in CISA KEV); authentication requirement (PR:L) reduces immediate exposure to internal or compromised users. Vendor advisory MMSA-2026-00608 confirms the issue.
Null pointer dereference in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.3-dev allows authenticated remote attackers to trigger denial of service via crafted NGAP UERadioCapabilityCheckResponse messages. The vulnerability exists in ngap/dispatcher.go where insufficient null pointer validation permits exploitation through the 5G network interface. Public exploit code exists (GitHub issue #675), and vendor-released patch v2.2.0 is available via PR #666, which also addresses multiple related security issues in NGAP message handling and mobile identity parsing.
Remote denial of service in omec-project AMF versions up to 2.1.3-dev allows authenticated attackers to crash the Access and Mobility Management Function via crafted NGAP messages that trigger null pointer dereference in ngap/handler.go. Public exploit code exists (GitHub issue #674). Affects OMEC 5G core network deployments. Patched in version 2.2.0 via PR #666, which addresses multiple security issues including malformed SUCI handling and missing null checks across NGAP message parsing.
Null pointer dereference in OMEC Project AMF versions up to 2.1.3-dev allows remote authenticated attackers to trigger denial of service via crafted NGAP messages to the RANConfiguration function. The vulnerability (CVE-2026-8781) affects the Access and Mobility Management Function component of the Open Mobile Evolved Core, a critical element in 5G networks. Publicly available exploit code exists (GitHub issue #673), but CVSS 2.1 (Low) reflects limited availability impact and low-privilege authentication requirement. Vendor-released patch: version 2.2.0 (GitHub PR #666).
In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing. When receiving a CONNECT packet with a zero-length Client ID while CleanSession is set to 0, the broker correctly replies with a CONNACK return code 0x02 (Identifier Rejected) but fails to explicitly close the TCP connection. Since the surrounding connection teardown logic is not guaranteed to execute, each such invalid CONNECT attempt leaves the underlying socket open. Repeated attempts cause server-side resource exhaustion due to accumulating file descriptors and memory usage, potentially resulting in denial of service.
Resource exhaustion in Vercel AI SDK's provider-utils package (versions ≤3.0.97) allows authenticated remote attackers to consume excessive system resources via specially crafted requests to JSON response handlers. Public proof-of-concept exists. EPSS data not available. Not listed in CISA KEV. CVSS 4.0 score of 2.1 reflects low availability impact (VA:L) with authenticated network access (PR:L). Vendor non-responsive to initial disclosure.
Use-after-free vulnerability in Open5GS NRF component (versions up to 2.7.7) allows authenticated remote attackers to trigger denial of service via the discover_handler function in nghttp2-server.c. Publicly available exploit code exists (GitHub issue #4476), but vendor has not responded to early disclosure. EPSS data not available; CVSS 4.3 (Medium) reflects limited scope (DoS only, authenticated access required). Not listed in CISA KEV, indicating no confirmed widespread exploitation despite public POC.
Remote authenticated denial of service in Open5GS versions up to 2.7.7 allows attackers to crash the AUSF (Authentication Server Function) component via crafted timer manipulation. The vulnerability resides in ogs_timer_add function within nausf-handler.c. Public exploit code exists via GitHub issue #4472, though vendor has not responded to disclosure. EPSS data unavailable; CVSS 4.0 scores only 2.1 due to low availability impact and authenticated requirement, but the existence of public exploit elevates practical risk for exposed 5G core deployments.
Denial of service in Open5GS NRF (Network Repository Function) allows authenticated remote attackers to crash the service by exhausting the nf_service resource pool. Open5GS versions up to 2.7.7 fail to validate pool allocation during NF service registration, triggering assertion failures that terminate the process. Publicly available exploit code exists (GitHub issue #4466). EPSS data not available, not listed in CISA KEV. Patch released via commit 819db11a08b9736a3576c4f99ceb28f7eb99523a, merged in PR #4534.
Denial of service vulnerability in Open5GS NRF client management (versions ≤2.7.7) allows authenticated remote attackers to crash the Network Repository Function service via malformed client pool arguments. Public exploit code exists (GitHub issue #4464), but vendor has not responded to disclosure. CVSS base score of 4.3 reflects low severity due to limited availability impact and authentication requirement. EPSS data not provided; KEV status not applicable for this unpatched issue.
Denial of service in Open5GS versions up to 2.7.6 allows authenticated remote attackers to crash the Network Repository Function (NRF) component via crafted nfInstanceId parameter manipulation in the ogs_sbi_nf_instance_set_id function. Publicly available exploit code exists (GitHub issue #4462), but vendor has not responded to early responsible disclosure. EPSS data not available, not listed in CISA KEV. CVSS 4.3 (Medium) reflects low impact (availability only) and authenticated attack vector.
Denial of service in Open5GS versions up to 2.7.7 allows authenticated remote attackers to crash the Network Repository Function (NRF) component by manipulating service-names or snssais parameters in SBI messages. A public proof-of-concept exploit exists via GitHub issue #4460, and the vendor has not responded to the early disclosure. EPSS data unavailable, but the low CVSS 4.3 score reflects limited impact (availability only, authenticated access required), reducing real-world urgency for most deployments.
Denial of service in Open5GS versions up to 2.7.7 allows authenticated remote attackers to crash the Network Repository Function (NRF) component via malformed target-plmn-list parameters. The vulnerability targets a parsing function in the Service-Based Interface (SBI) library and has publicly available exploit code (GitHub issue #4458). CVSS 4.3 reflects low severity, but the vendor has not responded to early disclosure attempts, leaving no confirmed patch timeline. EPSS and KEV data unavailable - exploitation likelihood beyond POC unknown.
The qs Node.js library (versions 6.11.1 through 6.15.1) crashes with a synchronous TypeError when stringify is called with both arrayFormat: 'comma' and encodeValuesOnly: true on arrays containing null or undefined elements. Applications using these non-default options together will experience request failures (typically 500 errors in web frameworks) when processing user input with null array values. The vulnerability was introduced in commit 4c4b23d (PR #463, January 2023) and patched in v6.15.2 (commit 21f80b3). No public exploit or CISA KEV listing identified at time of analysis, though exploitation requires only crafting JSON input with null array elements.
Sticky Notes Widget 3.0.6 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Sticky Notes & Color Widgets 1.4.2 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
My Notes Safe 5.3 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Macaron Notes 5.5 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Color Notes 1.4 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Internet Download Manager 6.38.12 contains a buffer overflow vulnerability in the Scheduler component that allows local attackers to crash the application by supplying oversized input. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Memory corruption in radare2 6.1.5's GDB client allows remote attackers to crash the application or potentially execute code through malformed thread information responses. The vulnerability triggers when the GDB remote protocol's qsThreadInfo command fails after qfThreadInfo has allocated memory, causing a use-after-free condition. While no public exploits have been identified, the CVSS 8.7 score reflects the potential for remote unauthenticated denial of service impact.
Denial of service vulnerability in coreMQTT versions before 5.0.1 allows remote MQTT brokers to crash client applications through malformed MQTT v5.0 property packets. The vulnerability stems from missing bounds validation in the property parser, enabling out-of-bounds read conditions (CWE-125). Amazon Web Services has issued a security bulletin and released version 5.0.1 to address this issue.
WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Remote attackers can trigger memory corruption in radare2 6.1.5 through its GDB remote debugging interface, causing denial of service or potentially achieving code execution. The use-after-free vulnerability in gdbr_threads_list() occurs when processing a valid qfThreadInfo response followed by a malformed qsThreadInfo response, leading to improper memory management. VulnCheck reported this issue and vendor patch commit c213ad6894a1eb9086ac8bf5fae35757e9e1683c addresses the vulnerability.
Remote denial-of-service vulnerability in Nimiq full nodes allows unauthenticated attackers to crash nodes by publishing malformed Kademlia DHT records with incorrect Ed25519 signature lengths. The vulnerability triggers a panic in the Ed25519 signature verification code when processing DHT records with signatures not exactly 64 bytes. Vendor-released patch: v1.4.0.
Memory exhaustion vulnerability in Nodemailer smtp-server before v3.18.3 enables remote denial of service attacks through unbounded command line processing. The vulnerability allows unauthenticated attackers to crash SMTP services by sending oversized commands that exhaust server memory. Public exploit code exists and the issue is rated as highly automatable by CISA SSVC framework, though not yet listed in CISA KEV.
Unauthenticated attackers can modify Smartcat API credentials in the Smartcat Translator for WPML plugin through a missing capability check on the 'routeData' REST endpoint, allowing hijacking of translation services or denial of service. All versions through 3.1.77 are affected. The vulnerability requires only network access and no user interaction, making it remotely exploitable by any unauthenticated actor against default WordPress configurations running the vulnerable plugin.
Improper isolation of GPU HW register space could allow a privileged attacker in malicious Guest Virtual Machine (VM) to perform unauthorized access to specific victim range of GPU MMIO register. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.
DDR5 memory modules in multiple AMD Ryzen processor families contain an insecure default PMIC (Power Management Integrated Circuit) interface configuration that allows local users with standard privileges to cause permanent denial of service or corrupt memory module integrity via unprotected firmware access. The vulnerability affects Ryzen 4000, 7000, 7020, 7030, 7035, 7040, 7045 series processors and Threadripper Pro 3000 WX-series, requiring local system access but no special privileges or user interaction. No public exploit code or active exploitation has been confirmed at time of analysis.
Buffer overflow in AMD Sensor Fusion Hub Driver allows local authenticated attackers to write out of bounds, causing denial of service or system crash. The vulnerability affects multiple Ryzen processor families (4000, 5000, 7000, 7020, 7030, 7035, 7040 series and Ryzen AI 300 series) with Radeon integrated graphics across Windows mobile and desktop platforms. No active exploitation has been confirmed at time of analysis.
Arbitrary code execution and denial of service in AMD Platform Management Framework (PMF) affects Ryzen 7035, 7040, 8040 mobile processors and Ryzen Embedded 8000 series. A local authenticated attacker exploiting an unchecked return value vulnerability can write to arbitrary memory locations, potentially escalating privileges from low to high integrity across system boundaries. The CVSS 4.0 score of 7.1 reflects local attack vector with low complexity but requires specific attack timing conditions (AT:P), though the cross-scope impact (S:H) and high confidentiality/integrity impact to subsequent systems elevate real-world risk for enterprise environments with AMD mobile processors.
Buffer overflow in the AMD Secure Processor (ASP) PCI driver affects dozens of AMD Ryzen, EPYC, and Threadripper processor families across desktop, mobile, and embedded variants. Local attackers with user-level privileges can trigger improper input validation in the driver to cause a crash or denial of service, with potential for integrity impact. The vulnerability requires local access and authenticated user privileges; no active exploitation in the wild has been confirmed, and vendor-released patches are available.
Use-After-Free vulnerability in the AMD Secure Processor (ASP) PCI driver affects multiple Ryzen, Threadripper, EPYC, and Athlon processor families due to improper input validation. A local attacker with user-level privileges can trigger the UAF condition, resulting in denial of service via platform crash or potential loss of platform integrity. Vendor-released patch: AMD Ryzen Chipset Driver 7.02.13.148 (or equivalent Catalyst driver versions for embedded SKUs). No public exploit identified at time of analysis.
Stack exhaustion in MongoDB PHP driver allows remote denial of service when processing deeply nested BSON documents from untrusted sources. Unauthenticated attackers can crash applications by sending maliciously crafted BSON payloads with excessive nesting levels, affecting all versions of the PHP driver that parse BSON without depth limits. The vulnerability requires high attack complexity but results in complete availability loss.
Tuist is a virtual platform team for Swift app devs. Prior to 1.180.10, the forgot password flow allows an unauthenticated attacker to repeatedly trigger password reset emails for a known account without server-side throttling. In self-hosted deployments, this can be abused to send large volumes of unwanted email and consume downstream email delivery resources. This vulnerability is fixed in 1.180.10.
Regular expression denial of service (ReDoS) in Svelte 5.51.5 through 5.55.6 allows attackers to cause application hang or crash by passing unconstrained-length tag names to the `<svelte:element>` component, triggering exponential regex evaluation time in the runtime tag validation logic. The vulnerability requires applications to accept user-controlled tag input without length or content restrictions.
Excessive memory allocation in devalue.parse (npm package) allows remote attackers to exhaust process memory via crafted sparse array payloads. Affects versions 5.6.3 through 5.8.0. Exploits JavaScript engine behavior where declaring large array lengths triggers eager memory allocation in V8, enabling denial-of-service with minimal payload size. Vendor-released patch 5.8.1 forces sparse allocation by touching MAX_ARRAY_INDEX before setting length. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists in security advisory test cases.
Cross-Site Request Forgery via image URL manipulation in Open WebUI allows authenticated users to perform unauthorized actions on behalf of victims by embedding malicious image URLs in profile pictures, model images, shared chats, and notes. When any user (including admins) views these compromised images, their browser sends GET requests to attacker-controlled servers, enabling cookie theft, denial of service, or execution of sensitive operations. Publicly available proof-of-concept code demonstrates exploitation across multiple attack vectors. The vulnerability affects all versions up to and including v0.9.2, with a vendor-released patch available in v0.9.3.
libsixel versions prior to 1.8.7-r2 crash on memory allocation failure in sixel_decode_raw and sixel_decode functions due to incorrect NULL pointer validation, allowing local attackers to trigger denial of service under low-memory conditions. The vulnerability affects any application using libsixel's public decoding APIs when system memory pressure causes malloc to fail.
Use after free in Extensions in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium)
Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
Use after free in GTK in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Use after free in Google Lens in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Insufficient validation of untrusted input in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform a denial of service via a crafted HTML page. (Chromium security severity: High)
Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Network in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Tab Groups in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
Use after free in Blink in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)
Use after free in HID in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Aura in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Input in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in FileSystem in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Heap buffer overflow in OpenImageIO 3.0.x (before 3.0.18.0) and 3.1.x (before 3.1.13.0) allows remote attackers to achieve denial of service or potentially arbitrary code execution via crafted DPX image files. The vulnerability stems from signed integer overflow in buffer size calculations within the DPX color converter, causing undersized heap allocations. Attack requires victim to open a malicious DPX file (user interaction required per CVSS UI:R). No public exploit code or active exploitation confirmed at time of analysis, though the technical details in the GitHub advisory provide sufficient detail for proof-of-concept development.
Integer division by zero in GStreamer gst-plugins-good before version 1.28.2 allows local attackers to cause denial of service by supplying a maliciously crafted MP4 file with invalid atom data in audio tracks, triggering a crash in the qtdemux_audio_caps parser function without requiring user interaction or elevated privileges.
Integer division by zero in GStreamer gst-plugins-good before version 1.28.2 allows local attackers to cause denial of service by crafting malicious MP4 audio files. The isomp4 plugin's qtdemux_parse_trak function fails to validate atom data before performing division operations, causing application crash when parsing specially crafted audio tracks. No authentication required; exploitation requires only local file access and media playback.
Unbounded memory allocation and CPU exhaustion in OpenTelemetry Java SDK's baggage propagation allows remote unauthenticated attackers to degrade or deny service by sending oversized baggage headers. Affected components - W3CBaggagePropagator, JaegerPropagator, and OtTracePropagator - all lacked enforcement of the W3C Baggage specification's recommended size and entry limits, causing character-by-character parsing of arbitrarily large inputs. A distinctive amplification risk exists: baggage is automatically re-injected into all outgoing requests, meaning a single malicious inbound payload can fan out DoS effects to downstream services that never directly received the original request. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Matrix Synapse homeserver versions prior to 1.152.1 allow authenticated local users to trigger CPU starvation that denies service to other users by exploiting unbounded lock timeout intervals in the WorkerLock implementation. Synapse deployments that do not trust all local users face service availability risk from malicious authenticated accounts. Vendor-released patch available in version 1.152.1 (GitHub commit 3f58bc50dfba5768ee43ce48c5e74c25ba0b078a confirms fix). No public exploit identified at time of analysis, though the attack mechanism is straightforward for any authenticated user.
Infinite recursion in Vvveb admin controller exhausts PHP memory through repeated permission checks when low-privilege users access forbidden admin URLs. Sustained requests deplete worker memory causing site-wide denial of service. Fixed in version 1.0.8.3 via commit c766e84b which removes Base class inheritance from Error403 controller to break the dispatch cycle. No evidence of active exploitation but trivial to reproduce with authenticated low-privilege account.
Fleet server crashes from a single malformed gRPC request to the PublishLogs endpoint, allowing complete denial of service. An attacker with any enrolled Launcher node key can terminate the Fleet server process instantly via a crafted gRPC call. CVSS 8.7 (High) reflects the ease and impact, though exploitation requires prior enrollment of a Launcher host. Vendor-released patch version 4.81.0 available. No public exploit identified at time of analysis, but attack requires minimal sophistication given authenticated access.
Denial of service in PostgreSQL allows remote unauthenticated attackers to crash the database server via recursive SSL/GSS negotiation when connecting to AF_UNIX or TCP sockets (if SSL and GSS are both disabled). Affects all PostgreSQL versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23. No active exploitation confirmed (not in CISA KEV). Vendor-released patches available across all supported major versions. EPSS data not available, but CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates high availability impact with low barrier to exploitation.
Memory exhaustion in Elixir Plug 1.4.0 through 1.19.1 allows remote unauthenticated attackers to crash BEAM VM processes via unbounded buffer accumulation during multipart/form-data header parsing. The vulnerability mirrors CVE-2026-8466 in Cowboy: read_part_headers/2 recursively accumulates incoming bytes without size limits when parsing malformed multipart requests that never deliver complete header sections. Vendor-released patches available for all affected branches. No public exploit identified at time of analysis, but exploitation requires only basic HTTP client tools.
GitLab CE and EE are vulnerable to authenticated denial of service through excessive memory consumption, affecting all installations from version 8.3 up to the patched releases. An authenticated user with minimal privileges can submit maliciously crafted input that bypasses proper validation, causing the server to allocate memory without adequate bounds until service degradation or outage occurs. EPSS is low at 0.06% (18th percentile), no active exploitation is confirmed (CISA KEV absent, SSVC exploitation status: none), and a vendor patch was released on May 13, 2026.
Denial of service in GitLab CE/EE allows unauthenticated remote attackers to disrupt service availability by sending specially crafted requests that exploit insufficient input validation. Affected versions span 9.0 through 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 across both Community and Enterprise editions, with no public exploit identified at time of analysis and a low EPSS score (0.04%) indicating limited near-term exploitation likelihood despite the network-reachable attack surface.
Denial-of-service in GitLab Enterprise Edition allows a crafted file upload to exhaust service availability through improper deserialization validation. The vulnerability spans an exceptionally wide range, affecting all GitLab EE instances from version 11.9 through the 18.11 line until patched releases. There is no public exploit identified at time of analysis and EPSS sits at 0.02% (4th percentile), indicating low observed exploitation pressure, though the breadth of the affected version range means unpatched installations represent a meaningful attack surface for availability disruption.
Denial of service in GitLab Community and Enterprise Editions (versions 18.5 through 18.11.2) allows remote unauthenticated attackers to exhaust resources by submitting specially crafted JSON payloads that bypass input validation. The flaw is network-reachable with low complexity and no authentication required, but only impacts availability (CVSS 7.5, A:H). No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.04% (11th percentile), though CISA SSVC flags the issue as automatable.
Denial of service in GitLab Community and Enterprise Edition versions 18.5 through 18.11.2 allows unauthenticated remote attackers to disrupt service availability by sending specially crafted payloads to certain API endpoints. The flaw maps to CWE-1284 (improper validation of specified quantity in input) and has been patched in 18.9.7, 18.10.6, and 18.11.3. No public exploit identified at time of analysis and EPSS probability is very low (0.03%, 9th percentile), but the SSVC framework flags the attack as automatable with partial technical impact.
Infinite loop denial-of-service in OpenStack Ironic's image handling allows low-privileged authenticated attackers to exhaust conductor resources by supplying file:///dev/zero as an image URL, triggering unbounded checksum calculations that never terminate. All Ironic versions from 0 through 35.x prior to commit a3f6d73 are affected. No public exploit independently confirmed but SSVC data indicates proof-of-concept exists; EPSS sits at 0.01% (2nd percentile), consistent with low widespread exploitation likelihood despite the poc signal.
{ isRaw: true }]` tuple, which is passed directly into Knex's `db.connection.raw()` without sanitization. Affected versions are @strapi/content-type-builder <=5.33.1 (v5) and @strapi/plugin-content-type-builder <=4.26.0 (v4), with impact ranging from arbitrary file read and denial of service to remote code execution on database engines that permit external program execution. No public exploit identified at time of analysis; EPSS is low at 0.13% and CISA SSVC notes exploitation status of 'none', though vendor-confirmed remediation is available.
Uncontrolled resource consumption in Grafana OSS allows authenticated low-privilege users to trigger an out-of-memory (OOM) crash by exploiting the $__timeGroup macro against a configured SQL datasource. The attack is slow by nature - requiring upwards of 30 minutes to exhaust server memory - and affects Grafana OSS versions spanning from 8.0.0 through 13.0.1. Grafana reported this vulnerability directly, a vendor patch is available across all affected release branches, and no public exploit code or active exploitation has been identified at time of analysis.
Unbounded memory allocation in Grafana OSS's plugin resources endpoint allows any authenticated low-privileged user to trigger an out-of-memory condition by sending a sufficiently large HTTP request body, resulting in denial of service against the Grafana instance. Affected versions span a wide range from 6.7.0 through 13.0.1, with vendor-released security patches available across all supported branches. No public exploit exists and CISA has not added this to the KEV catalog; the EPSS score of 0.04% (12th percentile) reflects very low observed exploitation probability.