Total
1612 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14822 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2026-01-20 | 3.1 Low |
| Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens | ||||
| CVE-2025-14435 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2026-01-20 | 6.8 Medium |
| Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops. | ||||
| CVE-2026-23490 | 1 Pyasn1 | 1 Pyasn1 | 2026-01-19 | 7.5 High |
| pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2. | ||||
| CVE-2021-47793 | 2 Telegram, Telegram Desktop | 3 Telegram, Telegram Desktop, Telegram Desktop | 2026-01-16 | 7.5 High |
| Telegram Desktop 2.9.2 contains a denial of service vulnerability that allows attackers to crash the application by sending an oversized message payload. Attackers can generate a 9 million byte buffer and paste it into the messaging interface to trigger an application crash. | ||||
| CVE-2021-47791 | 1 Smartftp | 1 Smartftp | 2026-01-16 | 7.5 High |
| SmartFTP Client 10.0.2909.0 contains multiple denial of service vulnerabilities that allow attackers to crash the application through specific input manipulation. Attackers can trigger crashes by entering malformed paths, using invalid IP addresses, or clearing connection history in the client's interface. | ||||
| CVE-2022-50695 | 1 Sound4 | 21 Big Voice2, Big Voice2 Firmware, Big Voice4 and 18 more | 2026-01-16 | 7.5 High |
| SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x contains a network vulnerability that allows unauthenticated attackers to send ICMP signals to arbitrary hosts through network command scripts. Attackers can abuse ping.php, traceroute.php, and dns.php to generate network flooding attacks targeting external hosts. | ||||
| CVE-2026-22025 | 1 Nasa | 1 Cryptolib | 2026-01-16 | 3.7 Low |
| CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, when the KMC server returns a non-200 HTTP status code, cryptography_encrypt() and cryptography_decrypt() return immediately without freeing previously allocated buffers. Each failed request leaks approximately 467 bytes. Repeated failures (from a malicious server or network issues) can gradually exhaust memory. This issue has been patched in version 1.4.3. | ||||
| CVE-2021-47784 | 1 Cyberfox | 1 Web Browser | 2026-01-16 | 7.5 High |
| Cyberfox Web Browser 52.9.1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the search bar with excessive data. Attackers can generate a 9,000,000 byte payload and paste it into the search bar to trigger an application crash. | ||||
| CVE-2025-58754 | 1 Axios | 1 Axios | 2026-01-16 | 7.5 High |
| Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Versions 0.30.2 and 1.12.0 contain a patch for the issue. | ||||
| CVE-2025-65015 | 2 Authlib, Hsiaoming | 2 Joserfc, Joserfc | 2026-01-15 | 7.5 High |
| joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 to before 1.3.5 and from 1.4.0 to before 1.4.2, the ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload. In situations where a misconfigured — or entirely absent — production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it. This issue has been patched in versions 1.3.5 and 1.4.2. | ||||
| CVE-2025-13837 | 1 Python | 2 Cpython, Python | 2026-01-15 | 5.5 Medium |
| When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues | ||||
| CVE-2025-69229 | 3 Aio-libs, Aio-libs Project, Aiohttp | 4 Aiohttp Session, Aiohttp, Aio-libs and 1 more | 2026-01-14 | 7.5 High |
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3. | ||||
| CVE-2025-69228 | 3 Aio-libs, Aio-libs Project, Aiohttp | 4 Aiohttp Session, Aiohttp, Aio-libs and 1 more | 2026-01-14 | 7.5 High |
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3. | ||||
| CVE-2025-12084 | 1 Python | 2 Cpython, Python | 2026-01-14 | 5.3 Medium |
| When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. | ||||
| CVE-2025-69223 | 3 Aio-libs, Aio-libs Project, Aiohttp | 4 Aiohttp Session, Aiohttp, Aio-libs and 1 more | 2026-01-14 | 7.5 High |
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3. | ||||
| CVE-2025-46687 | 3 Bellard, Quickjs-ng, Quickjs Project | 3 Quickjs, Quickjs, Quickjs | 2026-01-14 | 5.6 Medium |
| quickjs-ng through 0.9.0 has a missing length check in JS_ReadString for a string, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected. | ||||
| CVE-2024-51428 | 2 Espressif, Expressif | 2 Esp-idf, Esp Idf | 2026-01-14 | 7.5 High |
| An issue in Espressif Esp idf v5.3.0 allows attackers to cause a Denial of Service (DoS) via a crafted data channel packet. | ||||
| CVE-2024-46668 | 1 Fortinet | 1 Fortios | 2026-01-14 | 7.1 High |
| An allocation of resources without limits or throttling vulnerability [CWE-770] in FortiOS versions 7.4.0 through 7.4.4, versions 7.2.0 through 7.2.8, versions 7.0.0 through 7.0.15, and versions 6.4.0 through 6.4.15 may allow an unauthenticated remote user to consume all system memory via multiple large file uploads. | ||||
| CVE-2025-9784 | 1 Redhat | 15 Apache Camel Hawtio, Apache Camel Spring Boot, Build Of Apache Camel For Spring Boot and 12 more | 2026-01-13 | 7.5 High |
| A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS). | ||||
| CVE-2026-22773 | 1 Vllm-project | 1 Vllm | 2026-01-13 | 6.5 Medium |
| vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0. | ||||