Denial of Service

other MEDIUM

Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions.

How It Works

Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions. Attackers exploit asymmetry: minimal attacker effort produces disproportionate resource consumption on the target. Application-level attacks use specially crafted inputs that trigger expensive operations—a regex engine processing malicious patterns can backtrack exponentially, or XML parsers recursively expand entities until memory exhausts. Network-level attacks flood targets with connection requests or amplify traffic through reflection, but application vulnerabilities often provide the most efficient attack surface.

The attack typically begins with reconnaissance to identify resource-intensive operations or unprotected endpoints. For algorithmic complexity attacks, adversaries craft inputs hitting worst-case performance—hash collision inputs filling hash tables with collisions, deeply nested JSON triggering recursive parsing, or pathological regex patterns like (a+)+b against strings of repeated 'a' characters. Resource exhaustion attacks open thousands of connections, upload massive files to unbounded storage, or trigger memory leaks through repeated operations. Crash-based attacks target error handling gaps: null pointer dereferences, unhandled exceptions in parsers, or assertion failures that terminate processes.

Impact

  • Service unavailability preventing legitimate users from accessing applications during attack duration
  • Revenue loss from downtime in e-commerce, SaaS platforms, or transaction processing systems
  • Cascading failures as resource exhaustion spreads to dependent services or exhausts shared database connection pools
  • SLA violations triggering financial penalties and damaging customer trust
  • Security team distraction providing cover for data exfiltration or intrusion attempts running concurrently

Real-World Examples

CVE-2018-1000544 in Ruby's WEBrick server allowed ReDoS through malicious HTTP headers containing specially crafted patterns that caused the regex engine to backtrack exponentially, freezing request processing threads. A single attacker could saturate all available workers.

Cloudflare experienced a global outage in 2019 when a single WAF rule containing an unoptimized regex hit pathological cases on legitimate traffic spikes. The .*(?:.*=.*)* pattern exhibited catastrophic backtracking, consuming CPU cycles across their edge network until the rule was disabled.

CVE-2013-1664 demonstrated XML bomb vulnerabilities in Python's XML libraries. Attackers uploaded XML documents with nested entity definitions, each entity expanding to ten copies of the previous level. A 1KB upload could expand to gigabytes in memory during parsing, crashing applications instantly.

Mitigation

  • Strict input validation enforcing size limits, complexity bounds, and nesting depth restrictions before processing
  • Request rate limiting per IP address, API key, or user session with exponential backoff
  • Timeout enforcement terminating operations exceeding reasonable execution windows (typically 1-5 seconds)
  • Resource quotas limiting memory allocation, CPU time, and connection counts per request or tenant
  • Regex complexity analysis, preferring linear-time matching engines or rewriting patterns to eliminate catastrophic backtracking
  • Circuit breakers automatically rejecting requests when error rates or latency thresholds indicate degradation
  • Load balancing and autoscaling distributing traffic across instances with automatic capacity expansion
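The "How It Works" section describes deeply nested JSON driving a recursive parser to exhaustion, and the mitigation list calls for size limits and nesting-depth restrictions enforced before processing. The following pre-parse guard is an added illustration (not code from the original page or from any particular project); the byte and depth limits are constructed values to be tuned per application.

```python
"""Pre-parse resource guard for JSON: bounds input size and bracket nesting
depth before json.loads is allowed to recurse.  Added example; limits below
are constructed placeholders, not recommendations for any specific service."""
import json

MAX_BYTES = 64 * 1024   # constructed: cap on raw request body size
MAX_DEPTH = 32          # constructed: cap on container nesting depth


def nesting_depth(raw: str, max_depth: int = MAX_DEPTH) -> int:
    """Return the maximum [ / { nesting depth of a JSON text in one linear pass.

    Brackets inside string literals are ignored (including after an escaped
    quote such as \\"), so '{"a": "[[[["}' has depth 1, not 5.  Raises
    ValueError as soon as max_depth is exceeded, so a hostile payload of
    a million '[' characters is rejected after max_depth + 1 characters,
    never reaching the recursive parser.
    """
    depth = 0
    deepest = 0
    in_string = False
    escaped = False
    for ch in raw:
        if in_string:
            # Inside a string literal: track escapes, look only for the
            # closing quote, and ignore any bracket characters.
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                raise ValueError(f"nesting depth exceeds limit of {max_depth}")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    if in_string or depth != 0:
        raise ValueError("unterminated string or unbalanced brackets")
    return deepest


def guarded_json_loads(raw, max_bytes: int = MAX_BYTES,
                       max_depth: int = MAX_DEPTH):
    """Reject oversized or over-nested input, then parse with the stdlib.

    Accepts bytes (as read from a request body) or str.  The size check runs
    before decoding so that an oversized body is never even transcoded.
    """
    if isinstance(raw, bytes):
        if len(raw) > max_bytes:
            raise ValueError(f"payload of {len(raw)} bytes exceeds {max_bytes}")
        raw = raw.decode("utf-8")
    elif len(raw.encode("utf-8")) > max_bytes:
        raise ValueError(f"payload exceeds {max_bytes} bytes")
    nesting_depth(raw, max_depth)   # O(n) scan; raises before any recursion
    return json.loads(raw)


if __name__ == "__main__":
    # Constructed hostile input: 100,000 nested arrays, far beyond any
    # legitimate document but only 200 KB on the wire.
    hostile = "[" * 100_000 + "]" * 100_000
    try:
        guarded_json_loads(hostile, max_bytes=1 << 20, max_depth=64)
    except ValueError as exc:
        print("rejected by guard:", exc)
    # Benign document with brackets inside a string: depth 2, parses normally.
    print(guarded_json_loads(b'{"tags": ["[[[[", "x"]}'))
```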

Recent CVEs (5444)

CVE-2026-32066
CVSS 7.5
HIGH PATCH This Week

OpenClaw contains an unbounded memory growth vulnerability in its Zalo webhook endpoint that enables unauthenticated remote attackers to exhaust server memory by sending repeated HTTP requests with varying query string parameters. This affects OpenClaw versions prior to 2026.3.1. The vulnerability has a CVSS score of 7.5 (High) due to its network accessibility and lack of authentication requirements, though no evidence of active exploitation (KEV) or public proof-of-concept has been identified at this time.

Denial Of Service
NVD GitHub
CVE-2026-33176
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Rails ActiveSupport number helpers contain a denial of service vulnerability where strings with scientific notation (e.g., '1e10000') are improperly converted and expanded into extremely large decimal representations, causing excessive memory allocation and CPU consumption during string formatting. The vulnerability affects ActiveSupport across multiple Rails versions prior to 7.2.3.1, 8.0.4.1, and 8.1.2.1. An attacker can exploit this by providing maliciously crafted scientific notation strings to trigger resource exhaustion and deny service to legitimate users.

Denial Of Service
NVD GitHub VulDB
CVE-2026-33169
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A regular expression denial of service (ReDoS) vulnerability exists in Rails ActiveSupport's NumberToDelimitedConverter, which uses gsub! with an inefficient regex pattern to insert thousands delimiters into numeric strings. An attacker can craft excessively long digit strings that cause quadratic time complexity, leading to CPU exhaustion and denial of service. Patches are available from the Rails project for versions 7.2.3.1, 8.0.4.1, and 8.1.2.1, and the vulnerability is tagged as a denial of service issue affecting the activesupport gem.

Denial Of Service
NVD GitHub VulDB
CVE-2026-33167
EPSS 0%
LOW PATCH Monitor

A Cross-Site Scripting (XSS) vulnerability exists in Ruby on Rails' debug exceptions page due to improper HTML escaping of exception messages. This affects Rails applications running in development mode with detailed exception pages enabled (config.consider_all_requests_local = true, which is the default), allowing an attacker to inject arbitrary HTML and JavaScript that executes in the context of the debug page. While this primarily impacts development environments, applications with development configurations exposed to untrusted network access or those reusing development settings in production could face real exploitation risk.

XSS Denial Of Service
NVD GitHub VulDB
CVE-2026-26209
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The cbor2 Python library, which implements CBOR serialization, suffers from uncontrolled recursion when decoding deeply nested CBOR structures, allowing remote attackers to trigger Denial of Service by sending crafted payloads containing approximately 100,000 nested arrays. All versions prior to 5.9.0 are affected, including both the pure Python implementation and the C extension. Attackers can crash worker processes in web servers (Gunicorn, Uvicorn) and task queues (Celery) with small malicious packets under 100KB, causing complete service outages through repeated worker crashes.

Python Denial Of Service Redhat +1
NVD GitHub VulDB
CVE-2025-15606
EPSS 0% CVSS 7.1
HIGH PATCH This Week

A Denial-of-Service vulnerability exists in the httpd component of TP-Link TD-W8961N v4.0 routers, caused by improper input sanitization (CWE-20) that allows attackers to craft malicious requests triggering httpd service crashes. The vulnerability enables service interruption and network unavailability for affected users. Although no CVSS score or EPSS metric is publicly available, a vendor patch is already available, indicating acknowledgment of the issue's severity and exploitability.

TP-Link Denial Of Service
NVD VulDB
CVE-2026-25075
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Unauthenticated remote attackers can crash strongSwan versions 4.5.0 through 6.0.4 via integer underflow in the EAP-TTLS AVP parser during IKEv2 authentication by sending malformed AVP packets with invalid length fields. Public exploit code exists for this denial of service vulnerability, which triggers memory corruption in the charon daemon with no available patch. Organizations running affected strongSwan versions are vulnerable to service disruption without authentication or user interaction required.

Denial Of Service Integer Overflow Suse
NVD VulDB
CVE-2026-32845
EPSS 0% CVSS 8.4
HIGH This Week

cgltf versions 1.15 and earlier are vulnerable to integer overflow in sparse accessor validation that enables local attackers to craft malicious glTF/GLB files triggering heap buffer over-reads. Exploitation causes denial of service through application crashes and may leak sensitive memory contents. No patch is currently available for this high-severity vulnerability (CVSS 8.4).

Denial Of Service Integer Overflow
NVD GitHub VulDB
CVE-2026-4645
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The antchfx/xpath component in Debian is vulnerable to denial of service when processing specially crafted Boolean XPath expressions, which trigger an infinite loop in the logicalQuery.Select function consuming 100% CPU resources. Unauthenticated remote attackers can exploit this over the network without user interaction to disable affected systems. No patch is currently available.

Denial Of Service Debian
NVD GitHub VulDB
CVE-2026-23555
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Xenstored on Ubuntu and Debian crashes when a guest VM submits a Xenstore command with an illegal node path "/local/domain/", causing a denial of service to that hypervisor component. An unprivileged guest can trigger this crash via a forced assert() statement, or if the service is built without debugging symbols, cause xenstored to consume excessive CPU resources while becoming unresponsive to further requests. No patch is currently available for this vulnerability.

Denial Of Service
NVD VulDB
CVE-2026-4598
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The jsrsasign JavaScript library contains an infinite loop vulnerability in the BigInteger.modInverse function that allows remote attackers to permanently hang application processes through specially crafted zero or negative input values. All versions of jsrsasign prior to 11.1.1 are affected by this high-severity denial-of-service condition. A proof-of-concept exploit exists demonstrating the vulnerability, and the CVSS score of 7.5 reflects the ease of exploitation (network-accessible, low complexity, no authentication required).

Denial Of Service
NVD GitHub VulDB
CVE-2026-26829
EPSS 1% CVSS 7.5
HIGH POC This Week

A NULL pointer dereference vulnerability exists in the safe_atou64 function within owntone-server (src/misc.c) that allows remote attackers to cause a Denial of Service by sending crafted HTTP requests to the affected server. The vulnerability affects owntone-server through at least commit c4d57aa, and a public proof-of-concept exploit is available on GitHub, indicating active research and potential exploitation risk.

Denial Of Service Null Pointer Dereference Suse
NVD GitHub VulDB
CVE-2026-26828
EPSS 0% CVSS 7.5
HIGH This Week

A NULL pointer dereference vulnerability exists in the daap_reply_playlists function within owntone-server's DAAP request handler (src/httpd_daap.c) that allows remote attackers to trigger a denial of service condition by sending a specially crafted DAAP protocol request. The vulnerability affects owntone-server at commit 3d1652d and potentially earlier versions. An attacker can remotely crash the server without authentication by exploiting improper input validation in the playlist reply handler, resulting in service unavailability.

Denial Of Service Null Pointer Dereference Suse
NVD GitHub VulDB
CVE-2026-4539
EPSS 0% CVSS 3.3
LOW POC PATCH Monitor

A regular expression denial-of-service (ReDoS) vulnerability exists in Pygments up to version 2.19.2, specifically in the AdlLexer component within pygments/lexers/archetype.py. An attacker with local access can craft malicious input that triggers inefficient regex pattern matching, causing high CPU consumption and service degradation. A public proof-of-concept exploit is available, though the vulnerability requires local access and low privileges to exploit, resulting in a CVSS score of 3.3 with Proof-of-Concept availability (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P).

Denial Of Service
NVD VulDB GitHub
CVE-2026-4531
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Free5GC 4.1.0's AMF component is susceptible to a denial of service attack in the HandleRegistrationComplete function that can be exploited remotely without authentication. An attacker can manipulate the registration process to crash or disable the affected service. A patch is available and should be applied to restore normal operation.

Denial Of Service
NVD VulDB GitHub
CVE-2026-32049
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consistently enforce configured inbound media byte limits across multiple channel ingestion paths. Remote unauthenticated attackers can exploit this by sending oversized media payloads to cause elevated memory consumption and process instability, leading to denial of service. The vulnerability has a CVSS score of 7.5 (High severity) with network-based attack vector and low complexity, though no active exploitation (KEV) or public proof-of-concept has been reported at this time.

Denial Of Service
NVD GitHub VulDB
CVE-2026-32044
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability that selectively bypasses safety checks for tar.bz2 skill archives while other formats enforce proper validation. An attacker can craft a malicious tar.bz2 skill archive that circumvents special-entry blocking and extracted-size guardrails, causing local denial of service during skill installation when a user interacts with the installer. This is a local, user-interaction-dependent vulnerability with no authentication required, rated CVSS 5.5 (medium severity) with denial of service impact.

Denial Of Service
NVD GitHub VulDB
CVE-2026-33488
EPSS 0% CVSS 7.4
HIGH This Week

The LoginControl plugin for AVideo contains a critical cryptographic weakness in its PGP-based 2FA implementation, generating 512-bit RSA keys that can be factored on commodity hardware within hours using publicly available tools. Attackers who obtain a user's public key can derive the complete private key and decrypt authentication challenges, completely bypassing the second factor protection. A proof-of-concept demonstrating key factoring and challenge decryption is included in the advisory, and unauthenticated endpoints allow anonymous CPU-intensive key generation for denial-of-service attacks.

PHP Denial Of Service Python
NVD GitHub VulDB
CVE-2026-33413
EPSS 0% CVSS 8.8
HIGH PATCH This Week

This is an authentication and authorization bypass vulnerability in etcd's gRPC API layer that allows unauthorized users to execute privileged operations when etcd auth is enabled. Affected are etcd versions prior to 3.4.42, 3.5.28, and 3.6.9 (specifically the Go packages go.etcd.io/etcd/v3 and go.etcd.io/etcd). Attackers can enumerate cluster topology via MemberList, trigger denial of service through Alarm APIs, manipulate Lease operations affecting TTL-based keys, and force compaction to permanently delete historical data. Standard Kubernetes deployments are not affected as they do not rely on etcd's built-in authentication. No EPSS score or KEV listing is currently available, and the vulnerability was responsibly disclosed by multiple security researchers.

Kubernetes Denial Of Service Authentication Bypass
NVD GitHub VulDB
CVE-2026-33483
EPSS 0% CVSS 7.5
HIGH This Week

AVideo platform contains an unauthenticated file upload vulnerability in the aVideoEncoderChunk.json.php endpoint that allows remote attackers to exhaust disk space and cause denial of service. Any unauthenticated attacker can upload arbitrarily large files to the server's /tmp directory with no size limits, rate limiting, or cleanup mechanism, and the CORS wildcard header enables browser-based distributed attacks. A detailed proof-of-concept is publicly available demonstrating parallel upload attacks that can fill disk space and crash server services.

Denial Of Service Information Disclosure PHP
NVD GitHub VulDB
CVE-2026-33474
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

An unbounded image decoding and resizing vulnerability in Vikunja's task attachment preview generation allows authenticated attackers to exhaust server CPU and memory by uploading highly compressed but extremely large-dimension images. The vulnerability affects Vikunja API versions with task attachments enabled, and a proof-of-concept script demonstrates that a 10,000×10,000 PNG (~284 KB on disk) can expand to ~100M pixels in memory during decode, causing significant latency and potential denial of service. Multiple concurrent preview requests across different attachments can degrade or crash the service, with a CVSS score of 7.5 indicating high availability impact.

Denial Of Service
NVD GitHub VulDB
CVE-2026-33418
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A regex-based bypass vulnerability in the @dicebear/converter npm package allows attackers to circumvent SVG dimension sanitization by injecting decoy <svg tags in XML constructs. Applications using @dicebear/converter on Node.js to process untrusted SVG input are vulnerable to denial of service through unbounded memory allocation when rendering malformed SVGs. The CVSS score of 7.5 reflects the high availability impact with network-accessible attack vector requiring no authentication or user interaction.

Denial Of Service Node.js
NVD GitHub VulDB
CVE-2026-33150
EPSS 0% CVSS 7.8
HIGH POC This Week

libfuse versions 3.18.0 through 3.18.1 contain a use-after-free vulnerability in the io_uring subsystem that allows local attackers to crash FUSE filesystem processes or execute arbitrary code when thread creation fails under resource constraints. The flaw occurs when io_uring initialization fails (e.g., due to cgroup limits), leaving a dangling pointer in session state that is dereferenced during shutdown. Public exploit code exists for this vulnerability, and no patch is currently available.

Memory Corruption RCE Denial Of Service +1
NVD GitHub VulDB
CVE-2026-33179
EPSS 0% CVSS 5.5
MEDIUM POC This Month

libfuse versions 3.18.0 through 3.18.1 contain a NULL pointer dereference and memory leak vulnerability in the fuse_uring_init_queue function that affects only the io_uring transport implementation. A local user with low privileges can trigger this vulnerability to crash the FUSE daemon or exhaust system resources through repeated exploitation. A proof-of-concept has been confirmed with AddressSanitizer and LeakSanitizer, demonstrating both the NULL dereference condition and memory leak when numa_alloc_local or fuse_uring_register_queue fail.

Denial Of Service Null Pointer Dereference
NVD GitHub VulDB
CVE-2025-59383
EPSS 0% CVSS 2.7
LOW Monitor

A stack-based buffer overflow vulnerability exists in QNAP Media Streaming Add-On that allows remote attackers to corrupt memory or crash the affected process. All versions prior to 500.1.1 are vulnerable, and the attack requires no authentication or user interaction. While no CVSS score or EPSS data is currently available, the presence of a confirmed patch and the critical nature of buffer overflow vulnerabilities in media processing software suggests this warrants immediate patching.

Buffer Overflow Denial Of Service Media Streaming Add On
NVD VulDB
CVE-2026-32701
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Qwik, a performance-focused JavaScript framework, contains an array prototype pollution vulnerability in its FormData parsing logic that affects versions prior to 1.19.2. Attackers can submit specially crafted form field names using mixed array-index and object-property keys (e.g., items.0 alongside items.toString or items.length) to inject malicious properties into objects the application expects to be arrays, leading to denial of service through malformed array states, oversized lengths, or request handling failures. The vulnerability has a CVSS score of 7.5 (High severity) with network-based exploitation requiring no authentication or user interaction, and a patch is available in version 1.19.2.

Memory Corruption Denial Of Service
NVD GitHub VulDB
CVE-2026-33070
EPSS 0% CVSS 3.7
LOW Monitor

FileRise, a self-hosted web file manager and WebDAV server, contains a missing-authentication vulnerability in the deleteShareLink endpoint that allows unauthenticated attackers to delete arbitrary file share links by providing only the share token, resulting in denial of service to legitimate users accessing shared files. All versions prior to 3.8.0 are affected. While the CVSS score is moderate at 3.7 due to high attack complexity, the vulnerability has a published proof-of-concept via the GitHub security advisory and represents a trivial attack surface requiring only knowledge of a share token.

PHP Denial Of Service CSRF +1
NVD GitHub VulDB
CVE-2026-23277
EPSS 0%
PATCH Monitor

A NULL pointer dereference vulnerability exists in the Linux kernel's TEQL (Trivial Ethernet Queue Limiting) network scheduler when transmitting through tunnel slave devices, particularly gretap tunnels. The vulnerability occurs because teql_master_xmit() fails to update skb->dev to the slave device before transmission, causing tunnel xmit functions to reference unallocated per-CPU statistics on the TEQL master device. This allows a local or networked attacker to trigger a kernel page fault and crash the system, resulting in a denial of service. No CVSS score, EPSS risk score, or KEV active exploitation status is currently published, but patch commits are available in Linux kernel stable branches (6.18.19, 6.19.9, and 7.0-rc4).

Linux Denial Of Service Null Pointer Dereference +3
NVD VulDB
CVE-2026-23276
EPSS 0%
PATCH Monitor

A stack overflow vulnerability exists in the Linux kernel's tunnel transmission functions (iptunnel_xmit and ip6tunnel_xmit) due to missing recursion limits when GRE tap interfaces operate as slaves in bonded devices with broadcast mode enabled. This allows local attackers or legitimate multicast/broadcast traffic to trigger infinite recursion between bond_xmit_broadcast() and tunnel transmission functions, causing kernel stack exhaustion and denial of service. The vulnerability affects multiple Linux kernel versions and has been resolved with the addition of IP_TUNNEL_RECURSION_LIMIT (4) to prevent excessive stack consumption during nested tunnel packet encapsulation.

Linux Denial Of Service Stack Overflow +3
NVD VulDB
CVE-2026-33013
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The Micronaut Framework contains an infinite loop vulnerability in its form-urlencoded body binding mechanism that occurs when array indices are processed in descending order, allowing remote attackers to trigger denial of service through CPU exhaustion and out-of-memory conditions. Versions prior to 4.10.16 and 3.10.5 are affected, with the vulnerability exploitable by sending crafted indexed form parameters without authentication. No public exploit code has been confirmed, but the issue is straightforward to trigger and has been patched in the referenced versions.

Java Denial Of Service
NVD GitHub VulDB
CVE-2026-32933
EPSS 0% CVSS 7.5
HIGH PATCH This Week

AutoMapper, a widely-used convention-based object-object mapper for .NET applications, contains a stack exhaustion vulnerability that allows remote attackers to crash applications via deeply nested object graphs. Versions prior to 15.1.1 and 16.1.1 are affected. An unauthenticated attacker can trigger a StackOverflowException by sending specially crafted nested objects, causing immediate application termination with high availability impact (CVSS 7.5).

Denial Of Service
NVD GitHub VulDB
CVE-2026-32889
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A non-terminating loop denial-of-service vulnerability exists in tinytag version 2.2.0, a Python library for reading audio file metadata. An attacker can supply a malicious MP3 file containing a crafted ID3v2 SYLT (synchronized lyrics) frame that causes the parsing operation to enter an infinite loop, consuming CPU resources until the worker process is terminated. The vulnerability affects server-side deployments that automatically parse user-supplied files, and has been patched in version 2.2.1.

Python Denial Of Service
NVD GitHub VulDB
CVE-2026-4458
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap memory corruption in Google Chrome prior to version 146.0.7680.153 can be triggered through malicious browser extensions, affecting Chrome users on Google, Ubuntu, and Debian systems. An attacker must convince a user to install a compromised extension to exploit this use-after-free vulnerability and potentially achieve code execution. A patch is available.

Google Use After Free Memory Corruption +4
NVD VulDB
CVE-2026-4456
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A use-after-free vulnerability in Google Chrome's Digital Credentials API prior to version 146.0.7680.153 enables attackers with a compromised renderer process to escape the sandbox and potentially achieve code execution through a specially crafted HTML page. The vulnerability affects Chrome on multiple platforms including Ubuntu and Debian systems, requiring user interaction to trigger but presenting high impact across confidentiality, integrity, and availability. A patch is available in Chrome 146.0.7680.153 and later versions.

Denial Of Service Google Memory Corruption +4
NVD VulDB
CVE-2026-4454
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap memory corruption in Google Chrome versions prior to 146.0.7680.153 can be triggered through a use-after-free vulnerability in the Network component when a user visits a malicious HTML page. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with high integrity and confidentiality impact. A patch is available for Chrome, Ubuntu, and Debian users.

Google Use After Free Memory Corruption +4
NVD VulDB
CVE-2026-4449
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap memory corruption in Google Chrome's Blink rendering engine prior to version 146.0.7680.153 can be triggered through a malicious HTML page, potentially enabling remote code execution. An unauthenticated attacker requires only user interaction to exploit this use-after-free vulnerability across network boundaries. A patch is available for affected Chrome, Ubuntu, and Debian users.

Google Use After Free Memory Corruption +4
NVD VulDB
CVE-2026-4446
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption via use-after-free in Google Chrome's WebRTC implementation (versions prior to 146.0.7680.153) enables remote attackers to achieve arbitrary code execution through malicious HTML pages, requiring only user interaction. The vulnerability affects Chrome, Ubuntu, and Debian systems with a CVSS score of 8.8, though a patch is available.

Google Use After Free Memory Corruption +4
NVD VulDB
CVE-2026-4445
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap memory corruption in Google Chrome's WebRTC implementation prior to version 146.0.7680.153 enables remote attackers to execute arbitrary code by tricking users into visiting malicious websites. The use-after-free vulnerability requires only user interaction and affects Chrome on multiple platforms including Ubuntu and Debian systems. A patch is available to address this high-severity flaw.

Google Use After Free Memory Corruption +4
NVD VulDB
CVE-2026-4441
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome versions before 146.0.7680.153 results from a use-after-free vulnerability in the Base component, enabling remote attackers to execute arbitrary code through malicious HTML pages. The attack requires user interaction but no authentication, affecting Chrome on multiple platforms including Linux distributions. A patch is available to remediate this critical-severity vulnerability.

Google Use After Free Memory Corruption +4
NVD VulDB
CVE-2026-32873
EPSS 0% CVSS 7.5
HIGH This Week

The ewe Gleam web server contains an infinite loop vulnerability in the handle_trailers function that permanently wedges the BEAM process at 100% CPU when processing rejected trailer headers in chunked HTTP requests. Versions 0.8.0 through 3.0.4 are affected, and any unauthenticated remote attacker can exploit this before application code executes, making mitigation at the application level impossible. The vulnerability is patched in version 3.0.5, and while no active exploitation (KEV) or EPSS score is reported, the low attack complexity and network accessibility make this a readily exploitable denial-of-service condition.

Denial Of Service
NVD GitHub VulDB
CVE-2025-46598
EPSS 0% CVSS 5.3
MEDIUM This Month

Bitcoin Core versions through 29.0 contain a denial of service vulnerability that can be triggered by a specially crafted transaction. An attacker with network access can send a malicious transaction to cause the affected Bitcoin Core node to become unresponsive or crash, disrupting normal operation of the node. No CVSS score, EPSS data, or active exploitation in the wild has been disclosed, but the vulnerability has been formally disclosed by the Bitcoin Core project.

Denial Of Service
NVD GitHub VulDB
CVE-2026-29097
EPSS 0% CVSS 7.5
HIGH This Week

The RSS Feed Dashlet in SuiteCRM versions before 7.15.1 and 8.9.3 is vulnerable to a server-side request forgery (SSRF) attack that can be exploited to trigger denial of service conditions. An unauthenticated remote attacker can leverage this vulnerability to disrupt service availability without requiring user interaction. No patch is currently available for this high-severity vulnerability affecting enterprise CRM deployments.

Denial Of Service SSRF
NVD GitHub VulDB
CVE-2026-32011
EPSS 0% CVSS 7.5
HIGH PATCH This Week

OpenClaw webhook handlers for BlueBubbles and Google Chat prior to version 2026.3.2 fail to validate authentication before parsing request bodies, allowing unauthenticated remote attackers to trigger denial of service by sending maliciously crafted or oversized payloads. Successful exploitation exhausts parser resources and degrades service availability, with no patch currently available. The vulnerability affects all Google products using the vulnerable OpenClaw versions.

Denial Of Service Google
NVD GitHub VulDB
CVE-2026-3547
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A denial of service in Nginx occurs via an out-of-bounds read during ALPN protocol parsing when ALPN support is enabled, allowing unauthenticated remote attackers to crash the process by sending a crafted ALPN list. This vulnerability affects Nginx and other third-party applications that have compiled wolfSSL 5.8.4 or earlier with ALPN enabled. A patch is available to address this incomplete validation flaw.

Buffer Overflow Denial Of Service Nginx +1
NVD GitHub VulDB
CVE-2026-33349
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

The fast-xml-parser library contains a logic error in DocTypeReader.js where JavaScript's falsy evaluation of the number 0 causes entity size and count limits to be completely bypassed when explicitly configured to 0. An attacker who can supply crafted XML input to an application using fast-xml-parser with these limits set to 0 can trigger unbounded entity expansion, exhausting server memory and causing denial of service. A proof-of-concept exists demonstrating the vulnerability, and the CVSS score of 5.9 reflects medium severity with high attack complexity, though the real-world impact is significant for applications that explicitly configure these restrictive limits.

Denial Of Service
NVD GitHub VulDB
CVE-2026-33332
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

NiceGUI's media file serving functions fail to validate user-supplied query parameters used in range-response handling, allowing attackers to bypass streaming protections and force servers to load entire files into memory simultaneously. Applications using app.add_media_file() or app.add_media_files() to serve large media content are vulnerable to denial of service through memory exhaustion and performance degradation when handling concurrent malicious requests. No patch is currently available.

Denial Of Service
NVD GitHub VulDB
CVE-2026-33314
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A Host Header Spoofing vulnerability in the @local_check decorator of pyload-ng allows unauthenticated external attackers to bypass local-only IP address restrictions on the Click'N'Load API endpoints by sending a crafted HTTP Host header. This authentication bypass enables remote attackers to queue arbitrary downloads on the affected pyload instance, leading to Server-Side Request Forgery (SSRF) attacks against internal or external systems and Denial of Service through resource exhaustion. A proof-of-concept exploit exists in the form of a simple curl command that demonstrates immediate exploitability without user interaction.

Authentication Bypass Denial Of Service Python +1
NVD GitHub VulDB
CVE-2026-33283
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Ella Core contains a null pointer dereference vulnerability (CWE-476) that causes the process to panic when processing malformed UL NAS Transport NAS messages that lack a Request Type field, particularly when no SM Context is present. An attacker with network access and minimal privileges can send crafted NAS messages to trigger this crash, resulting in complete denial of service for all connected subscribers without requiring authentication. The CVSS 6.5 score reflects the high availability impact, though the requirement for low privileges (PR:L) and network-only access (AV:N) constrains the overall severity.

Denial Of Service Null Pointer Dereference
NVD GitHub VulDB
CVE-2026-33282
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Ella Core is vulnerable to a denial of service attack via a null pointer dereference when processing malformed NGAP LocationReport messages that omit the required UEPresenceInAreaOfInterestList field. An unauthenticated attacker with network access can crash the Ella Core process, disrupting service for all connected subscribers. No patch is currently available.

Denial Of Service Null Pointer Dereference
NVD GitHub VulDB
CVE-2026-33281
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Ella Core contains an input validation flaw that causes the process to panic when receiving NGAP messages with PDU Session IDs outside the valid range of 1-15, enabling unauthenticated attackers to trigger denial of service affecting all connected subscribers. The vulnerability (CWE-129: Improper Validation of Array Index) carries a CVSS score of 6.5 with network-level attack vector and low complexity, though it requires low privilege context according to the vector string. No active exploitation in the wild has been confirmed, but the straightforward nature of crafting malformed NGAP messages means proof-of-concept development is feasible.

Denial Of Service
NVD GitHub VulDB
CVE-2026-33228
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Prototype pollution in flatted's parse() function allows unauthenticated remote attackers to corrupt Array.prototype by injecting malicious JSON with "__proto__" keys, enabling global object manipulation and potential code execution in dependent applications. The vulnerability stems from insufficient validation of array index keys, allowing attacker-controlled strings to access inherited prototype properties. With no patch available and a critical CVSS score of 9.8, this affects any system using the flatted library for JSON deserialization.

RCE Denial Of Service Prototype Pollution
NVD GitHub VulDB
CVE-2026-26931
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Metricbeat's Prometheus remote_write HTTP handler is vulnerable to denial of service through excessive memory allocation when processing specially crafted requests from authenticated network-adjacent attackers. An attacker with local privileges can trigger unbounded memory allocation to exhaust system resources and crash the service. No patch is currently available for this vulnerability.

Denial Of Service
NVD VulDB
CVE-2026-26940
EPSS 0% CVSS 6.5
MEDIUM This Month

A Denial of Service vulnerability exists in Kibana's Timelion visualization plugin that allows authenticated users to trigger excessive memory allocation through improper validation of specially crafted Timelion expressions. An attacker with valid Kibana credentials can overwrite internal series data properties with excessively large quantity values, causing the application to exhaust system resources and become unavailable. This is a network-accessible vulnerability requiring low privileges with a CVSS score of 6.5 and documented as a confirmed denial-of-service attack vector affecting multiple active Kibana versions.

Denial Of Service Elastic Redhat
NVD VulDB
CVE-2026-33293
EPSS 0% CVSS 8.1
HIGH This Week

Arbitrary file deletion in PHP CloneSite plugin allows authenticated attackers to bypass path validation and remove critical files via path traversal in the deleteDump parameter, causing denial of service or facilitating privilege escalation attacks. An attacker with valid clone credentials can leverage unvalidated input passed directly to unlink() to delete arbitrary files including configuration.php and other security-critical application files. No patch is currently available for this vulnerability.

PHP Denial Of Service Path Traversal
NVD GitHub VulDB
CVE-2026-26933
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Packetbeat contains an improper array index validation vulnerability (CWE-129) in its protocol parser components that allows attackers to trigger out-of-bounds read operations through specially crafted network packets. Affected versions include Packetbeat 8.0.0 through 8.19.10 and 9.0.0 through 9.2.4, with the vulnerability requiring network-level access or traffic control to the monitored interface. An attacker exploiting this flaw can cause denial of service through application crashes or resource exhaustion. While the CVSS score of 5.7 indicates moderate severity and there is no indication of widespread active exploitation in public KEV databases, the availability of a patch through Elastic's security update (ESA-2026-11), released in versions 8.19.11 and 9.2.5, indicates this is a confirmed and prioritized vulnerability worthy of timely remediation.

Buffer Overflow Denial Of Service
NVD VulDB
CVE-2026-4427
EPSS 0% CVSS 7.5
HIGH This Week

PostgreSQL client applications using the pgproto3 Go library (github.com/jackc/pgproto3/v2) can be crashed remotely by malicious or compromised PostgreSQL servers sending specially crafted DataRow messages with negative field lengths, triggering slice bounds panics that result in denial of service. The vulnerability requires no authentication and has low attack complexity (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), though the EPSS score of 0.07% (20th percentile) suggests minimal observed exploitation activity. Multiple detailed technical advisories exist including analysis from Security Infinity, and the issue is tracked in GitHub issue #2507 for the pgx project.

PostgreSQL Denial Of Service Buffer Overflow
NVD GitHub VulDB
CVE-2026-4426
EPSS 0% CVSS 6.5
MEDIUM This Month

Libarchive fails to properly validate the pz_log2_bs field in ISO9660 Rock Ridge extensions during zisofs decompression, allowing remote attackers to supply a crafted ISO file that triggers undefined behavior and causes denial-of-service through incorrect memory allocation and application crashes. The vulnerability requires user interaction (ISO file opening) but no authentication, affects libarchive across multiple distributions, and carries a moderate EPSS score (0.11%, 30th percentile) suggesting low current exploitation probability despite the moderate CVSS severity.

Denial Of Service
NVD GitHub VulDB
CVE-2026-2369
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

libsoup versions prior to the patched release contain an integer underflow vulnerability in zero-length resource processing that enables unauthenticated remote attackers to read adjacent memory or trigger denial of service. The vulnerability stems from improper bounds checking during content handling, affecting any application using the vulnerable libsoup library for HTTP operations. No public exploit code has been identified, and the low EPSS score (0.04%, percentile 11%) indicates exploitation is unlikely in practice despite the moderate CVSS score of 6.5.

Denial Of Service Redhat Suse
NVD VulDB
CVE-2025-71259
EPSS 0% CVSS 4.3
MEDIUM This Month

BMC FootPrints ITSM contains a blind server-side request forgery (SSRF) vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Affected versions range from 20.20.02 through 20.24.01.001, and attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The vulnerability carries a CVSS score of 4.3 with low complexity and low attack vector, requiring only authentication; no active exploitation in the wild has been confirmed, but the disclosure references suggest potential chaining with pre-authentication RCE vectors documented by security researchers.

SSRF Denial Of Service
NVD VulDB
CVE-2026-33320
EPSS 1% CVSS 6.2
MEDIUM PATCH This Month

The dasel YAML reader contains an unbounded alias expansion vulnerability (CWE-674) that allows attackers to trigger extreme CPU and memory consumption through specially crafted YAML documents. Affected versions include dasel v3.0.0 through v3.3.1 and the current default branch. An attacker who can supply YAML input (via CLI, file processing, or library usage) can cause denial of service with a malicious 342-byte payload that fails to complete within 5 seconds and exhibits unbounded resource growth, as demonstrated by the provided proof-of-concept.

Denial Of Service Apple macOS
NVD GitHub VulDB
CVE-2026-33210
EPSS 0% CVSS 8.3
HIGH PATCH This Week

A format string injection vulnerability exists in the Ruby JSON gem that can lead to denial of service attacks or information disclosure when parsing user-supplied documents with the non-default 'allow_duplicate_key: false' parsing option enabled. The vulnerability affects users of the pkg:rubygems/json package who have explicitly opted into using this specific parsing configuration. There is no evidence of active exploitation (not listed in CISA KEV), and no EPSS score is currently available for risk quantification.

Denial Of Service Information Disclosure
NVD GitHub VulDB
CVE-2026-33241
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Salvo web framework's form data parsing functions fail to enforce payload size limits before loading request bodies into memory, allowing attackers to trigger Out-of-Memory crashes by sending extremely large form payloads. This affects the Rust package salvo (pkg:rust/salvo) through multiple attack vectors including URL-encoded and multipart form data handling. A proof-of-concept demonstrates successful denial-of-service against containerized deployments with limited memory, and the vulnerability is publicly documented in GitHub security advisory GHSA-pp9r-xg4c-8j4x.

Denial Of Service File Upload Docker
NVD GitHub VulDB
CVE-2026-33231
EPSS 0% CVSS 7.5
HIGH This Week

The NLTK (Natural Language Toolkit) WordNet Browser HTTP server contains an unauthenticated shutdown vulnerability that allows any remote attacker to terminate the service with a single GET request to the '/SHUTDOWN THE SERVER' endpoint. This affects users running nltk.app.wordnet_app in its default mode, where the server binds to all network interfaces without authentication. A proof-of-concept exploit is publicly available demonstrating the denial-of-service attack, though EPSS and KEV data are not yet available for this recent CVE.

CSRF Denial Of Service Docker +2
NVD GitHub VulDB
CVE-2026-28461
EPSS 0% CVSS 7.5
HIGH PATCH This Week

OpenClaw contains an unbounded memory growth vulnerability in its Zalo webhook endpoint that allows unauthenticated remote attackers to exhaust system memory through query string manipulation. OpenClaw versions prior to 2026.3.1 are affected. Attackers can send repeated HTTP requests with varying query parameters to trigger in-memory key accumulation, leading to memory pressure, process instability, or complete denial of service through out-of-memory conditions.

Denial Of Service Openclaw
NVD GitHub VulDB
CVE-2026-32743
EPSS 0% CVSS 6.5
MEDIUM This Month

Stack-based buffer overflow in PX4 autopilot versions 1.17.0-rc2 and below allows attackers with MAVLink link access to crash the flight controller by exploiting an unconstrained sscanf operation in the MavlinkLogHandler. An attacker can trigger this by creating deeply nested directories via MAVLink FTP and then requesting the log list, causing the MAVLink task to crash and resulting in loss of telemetry and command capability. This denial of service affects drone and unmanned vehicle systems relying on vulnerable PX4 versions.

Buffer Overflow Denial Of Service Stack Overflow +1
NVD GitHub VulDB
CVE-2026-25667
EPSS 0% CVSS 7.5
HIGH This Week

A security vulnerability in Microsoft .NET 8.0 (CVSS 7.5) that allows a remote attacker. High severity vulnerability requiring prompt remediation.

Microsoft Denial Of Service
NVD GitHub VulDB
CVE-2026-4407
EPSS 0% CVSS 2.1
LOW Monitor

An out-of-bounds array write vulnerability exists in Xpdf versions 4.06 and earlier, stemming from improper validation of the 'N' field in ICCBased color spaces within PDF documents. This buffer overflow vulnerability affects all versions of Xpdf up to and including 4.06, potentially allowing attackers to achieve arbitrary code execution or denial of service by crafting malicious PDF files with specially crafted color space definitions. No CVSS score or EPSS data is currently available, and active exploitation status is not confirmed in public sources.

Buffer Overflow Denial Of Service
NVD VulDB
CVE-2026-31973
EPSS 0% CVSS 6.9
MEDIUM This Month

SAMtools versions 1.17 and later contain a null pointer dereference vulnerability in the cram-size command due to missing error handling for the cram_decode_compression_header() function. When this function fails and returns an error, the code does not properly validate the return value before dereferencing the pointer, allowing an attacker to crash the application by providing a malformed CRAM file. This is a denial-of-service vulnerability with no active exploitation reported in the wild, though patches are available in versions 1.23.1, 1.22.2, and 1.21.1.

Denial Of Service Samtools
NVD GitHub VulDB
CVE-2026-31972
EPSS 0% CVSS 6.9
MEDIUM This Month

SAMtools mpileup command contains a use-after-free vulnerability in reference data management that can leak sensitive program state information or trigger application crashes when processing aligned DNA sequences. The vulnerability affects versions prior to 1.2 and requires no authentication or user interaction to exploit, though a patch is not yet available. An attacker could leverage this to obtain information disclosure or cause denial of service against systems processing bioinformatics data with vulnerable SAMtools versions.

Use After Free Information Disclosure Denial Of Service +1
NVD GitHub VulDB
CVE-2026-33204
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The SimpleJWT PHP library version 1.1.0 contains an algorithmic complexity denial-of-service vulnerability in its PBES2 password-based encryption implementation. An unauthenticated attacker can send a crafted JWE token with an extremely large p2c (PBKDF2 iteration count) parameter in the header, forcing the server to perform hundreds of billions of iterations during key derivation and causing CPU exhaustion. A working proof-of-concept exploit is publicly available demonstrating how a single malicious request can block PHP workers until execution timeouts are reached.

PHP Denial Of Service
NVD GitHub VulDB
CVE-2026-33191
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Null byte injection in the UDM's Nudm_SubscriberDataManagement API allows unauthenticated remote attackers to crash the service by embedding URL-encoded %00 characters in the supi parameter, triggering unhandled parsing errors and denial of service. The vulnerability stems from improper input validation that permits control characters to reach Go's URL parser, which rejects them with a 500 error instead of sanitizing the input upstream. A patch is available.

Denial Of Service
NVD GitHub VulDB
CVE-2026-33203
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The SiYuan kernel, a Go-based note-taking application, contains an authentication bypass vulnerability in its WebSocket server that allows unauthenticated attackers to crash the kernel process through malformed JSON messages. SiYuan kernel versions exposed via Docker or network-accessible deployments are affected, with the issue stemming from unsafe type assertions on attacker-controlled input after bypassing authentication via a specific query parameter pattern. A proof-of-concept demonstrating the attack exists in the GitHub advisory, and while CVSS rates this as 7.5 High severity for availability impact, real-world exploitation risk depends heavily on network exposure beyond localhost.

Authentication Bypass Docker Denial Of Service
NVD GitHub VulDB
CVE-2026-33155
EPSS 0%
HIGH PATCH This Week

Memory exhaustion in Python's pickle deserialization allows attackers to crash applications by supplying a small malicious payload that forces allocation of gigabytes of memory through unrestricted constructor arguments in whitelisted classes. Applications using `_RestrictedUnpickler` to load untrusted pickle data are vulnerable to denial of service attacks. A patch is available.

Python Denial Of Service Deserialization
NVD GitHub VulDB
CVE-2026-33064
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A NULL pointer dereference vulnerability in free5GC v4.0.1's UDM (Unified Data Management) service allows remote attackers to crash the service via a crafted POST request to the /sdm-subscriptions endpoint containing path traversal sequences and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go fails to validate pointers before dereferencing, causing complete service disruption requiring manual restart. All deployments of free5GC v4.0.1 utilizing UDM HTTP callback functionality are affected, and a patch is available via PR free5gc/udm#78.

Denial Of Service Null Pointer Dereference Path Traversal
NVD GitHub VulDB
CVE-2026-33063
EPSS 1% CVSS 8.7
HIGH PATCH This Week

The free5GC AUSF authentication service is vulnerable to denial of service through an improper null check in the GetSupiFromSuciSupiMap function, which crashes when processing crafted UE authentication requests that trigger unsafe interface conversion. Remote attackers can exploit this vulnerability to completely disable the AUSF service by sending a specially crafted authentication request containing a nil SuciSupiMap value. A patch is available for affected free5GC v4.0.1 deployments.

Denial Of Service Null Pointer Dereference
NVD GitHub VulDB
CVE-2026-33062
EPSS 0% CVSS 8.7
HIGH PATCH This Week

NRF discovery service denial of service in free5GC v4.0.1 allows remote attackers to crash the service by sending HTTP GET requests with malformed group-id-list parameters that trigger unvalidated array access. The EncodeGroupId function fails to check split data length before accessing specific indices, causing an index out of range panic. A patch is available to address this input validation flaw affecting all deployments using the vulnerable NRF service.

Denial Of Service Authentication Bypass
NVD GitHub VulDB
CVE-2026-33054
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

A Path Traversal vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems.

Microsoft Path Traversal Denial Of Service +2
NVD GitHub VulDB
CVE-2026-31971
EPSS 0% CVSS 7.1
HIGH PATCH This Week

HTSlib, a widely-used bioinformatics library for reading and writing sequence alignment formats, contains a critical buffer overflow vulnerability in its CRAM format decoder. The vulnerability exists in the `cram_byte_array_len_decode()` function which fails to validate that unpacked data matches the output buffer size, affecting HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1. An attacker can craft a malicious CRAM file that, when opened by a user, triggers either a heap or stack overflow with attacker-controlled bytes, potentially leading to arbitrary code execution, program crash, or memory corruption.

Buffer Overflow Stack Overflow Heap Overflow +5
NVD GitHub VulDB
CVE-2026-33040
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The Rust libp2p Gossipsub implementation contains an integer overflow vulnerability that allows remote unauthenticated attackers to crash affected nodes by sending a single crafted PRUNE control message with an extremely large backoff value (e.g., u64::MAX). The vulnerability affects the libp2p-gossipsub Rust crate and enables trivial denial of service against any application exposing a Gossipsub listener. This vulnerability was discovered through responsible disclosure to the Ethereum Foundation bug bounty program by @revofusion, and while no active exploitation (KEV) status is indicated, the attack complexity is extremely low and a detailed proof-of-concept attack scenario has been publicly disclosed in the advisory.

Denial Of Service Integer Overflow
NVD GitHub VulDB
CVE-2026-31970
EPSS 0% CVSS 7.1
HIGH PATCH This Week

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the GZI index loading function `bgzf_index_load_hfile()`. An integer overflow during buffer allocation allows attackers to craft malicious `.gzi` files that trigger heap memory corruption, potentially leading to denial of service, data corruption, or remote code execution when a user opens the compromised file. No evidence of active exploitation in the wild has been reported, but the vulnerability is demonstrable and patch availability is confirmed.

Buffer Overflow Heap Overflow Integer Overflow +4
NVD GitHub VulDB
CVE-2026-32731
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Path traversal in ApostropheCMS import-export module allows authenticated users with content modification permissions to write files outside the intended export directory via malicious archive entries containing directory traversal sequences. An attacker with editor-level access can exploit this vulnerability to overwrite arbitrary files on the system with CVSS 9.9 critical severity. No patch is currently available for this vulnerability affecting Node.js environments.

Path Traversal Node.js CSRF +5
NVD GitHub VulDB
CVE-2026-31969
EPSS 0% CVSS 7.1
HIGH PATCH This Week

HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain an out-by-one error in the CRAM decoder's `cram_byte_array_stop_decode_char()` function that allows a single attacker-controlled byte to be written beyond the end of a heap allocation. This heap buffer overflow (CWE-122) affects bioinformatics applications using HTSlib to process CRAM-formatted DNA sequence alignment files, and could enable arbitrary code execution if exploited. No public exploit code or KEV status is currently documented, but patch availability exists for multiple stable release branches.

Buffer Overflow Heap Overflow Denial Of Service +3
NVD GitHub VulDB
CVE-2026-31968
EPSS 0% CVSS 8.8
HIGH PATCH This Week

HTSlib contains a buffer overflow vulnerability in its CRAM format decoder affecting the VARINT and CONST encoding handlers, where incomplete context validation allows writes of up to eight bytes beyond heap allocation boundaries or into stack-allocated single-byte variables. This vulnerability affects HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1, and impacts any application using the library to process CRAM-formatted bioinformatics data files. An attacker can craft a malicious CRAM file to trigger heap or stack overflow conditions, potentially leading to denial of service, memory corruption, or arbitrary code execution when processed by a vulnerable application.

Buffer Overflow Stack Overflow Heap Overflow +5
NVD GitHub VulDB
CVE-2026-31967
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain an out-of-bounds read vulnerability in the CRAM file parser where the mate reference ID field is not validated during decoding. An attacker can craft a malicious CRAM file that, when processed by affected applications (particularly those converting CRAM to SAM format), triggers out-of-bounds array access that may leak sensitive information about program state or cause a denial of service through memory access violations. No public exploit has been reported, but no workaround exists, making patching essential.

Denial Of Service Debian Htslib
NVD GitHub VulDB
CVE-2026-31966
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain a buffer over-read vulnerability in the CRAM decoder's cram_decode_seq() function that fails to properly validate feature data offsets. An attacker can craft malicious CRAM files to read arbitrary data from memory adjacent to reference sequence buffers, leading to information disclosure of program state or denial of service through memory access violations. No active exploitation has been documented, but patches are available from the vendor.

Buffer Overflow Information Disclosure Denial Of Service +2
NVD GitHub VulDB
CVE-2026-31965
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

HTSlib contains an out-of-bounds read vulnerability in the cram_decode_slice() function that fails to validate the reference ID field early enough during CRAM file parsing, allowing two separate out-of-bounds reads before error detection. The vulnerability affects HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1, and can result in information disclosure through leaked memory values or application crashes when processing malicious or corrupted CRAM bioinformatics files. While the function reports an error after the reads occur, the window for exploitation exists and the practical impact depends on memory layout and application context.

Buffer Overflow Information Disclosure Denial Of Service +2
NVD GitHub VulDB
CVE-2026-31964
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

HTSlib, a bioinformatics library for reading and writing sequence alignment formats, contains a null pointer dereference vulnerability in its CRAM format decoder affecting versions before 1.23.1, 1.22.2, and 1.21.1. The vulnerability exists in the CONST, XPACK, and XRLE encodings which fail to properly handle CRAM records with omitted sequence or quality data, causing attempts to write to NULL pointers when these records are decoded. An attacker can exploit this by providing a malformed CRAM file to any application using vulnerable HTSlib versions, resulting in denial of service through application crash, with no known active exploitation or public proof-of-concept at this time.

Denial Of Service Debian Htslib
NVD GitHub VulDB
CVE-2026-31963
EPSS 0% CVSS 8.8
HIGH PATCH This Week

HTSlib contains a heap buffer overflow vulnerability in its CRAM decoder caused by an out-by-one error when validating feature boundaries. When a user opens a maliciously crafted CRAM file, an attacker can write one controlled byte beyond the end of a heap buffer, potentially causing application crashes, data corruption, or arbitrary code execution. Versions 1.23.1, 1.22.2, and 1.21.1 include fixes, and patches are available via the official GitHub repository.

Buffer Overflow Heap Overflow Denial Of Service +3
NVD GitHub VulDB
CVE-2026-31962
EPSS 0% CVSS 8.8
HIGH PATCH This Week

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq() function when processing CRAM-formatted bioinformatics files with omitted sequence and quality data. An attacker can craft a malicious CRAM file that triggers an out-of-bounds read followed by an attacker-controlled single-byte write to heap memory, potentially enabling arbitrary code execution, data corruption, or denial of service when a user opens the file. No public exploit proof-of-concept has been identified, but the vulnerability is confirmed and patched by the HTSlib project.

Buffer Overflow Heap Overflow Denial Of Service +4
NVD GitHub VulDB
CVE-2026-27135
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

nghttp2 before version 1.68.1 fails to properly validate internal state when session termination APIs are invoked, allowing an attacker to send a malformed frame that triggers an assertion failure and crashes the application. This denial of service vulnerability affects applications using the nghttp2 HTTP/2 library and can be triggered remotely without authentication or user interaction. No patch is currently available to remediate this issue.

Denial Of Service Redhat Suse
NVD GitHub VulDB

Quick Facts

Typical Severity: MEDIUM
Category: other
Total CVEs: 5444
