CWE-248— Uncaught Exception
An exception is thrown from a function, but it is not caught.— MITRE CWE catalog
214 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-248page 4 of 5
- CVE-2025-53620CRITICALCVSS 9.2EG 9.22025-07-09
@builder.io/qwik-city is the meta-framework for Qwik. When a Qwik Server Action QRL is executed it dynamically load the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error. The error then …
- CVE-2025-54134MEDIUMCVSS 6.5EG 6.52025-07-21
HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL paramete…
- CVE-2025-54777MEDIUMCVSS 4.3EG 4.32025-08-29
Uncaught exception issue exists in Multiple products in bizhub series. If a malformed file is imported as an S/MIME Email certificate, it may cause a denial-of-service issue that disable the Web Connection feature.
- CVE-2025-55194MEDIUMCVSS 5.7EG 5.72025-08-13
Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 …
- CVE-2025-55553HIGHCVSS 7.5EG 7.52025-09-25
A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS).
- CVE-2025-55557HIGHCVSS 7.5EG 7.52025-09-25
A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS).
- CVE-2025-59014LOWCVSS 2.7EG 2.72025-09-09
An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 lets administrator‑level backend users trigger a denial‑of‑service condition in the backend user interface b…
- CVE-2025-59229MEDIUMCVSS 5.5EG 5.52025-10-14
Uncaught exception in Microsoft Office allows an unauthorized attacker to deny service locally.
- CVE-2025-59462MEDIUMCVSS 6.5EG 6.52025-10-27
An attacker who tampers with the C++ CLI client may crash the UpdateService during file transfers, disrupting updates and availability.
- CVE-2025-59465HIGHCVSS 7.5EG 7.52026-01-20
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote …
- CVE-2025-59466HIGHCVSS 7.5EG 5.92026-01-20
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates…
- CVE-2025-59538HIGHCVSS 7.5EG 7.52025-10-01
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not…
- CVE-2025-62370HIGHCVSS 7.5EG 7.52025-10-15
Alloy Core libraries at the root of the Rust Ethereum ecosystem. Prior to 0.8.26 and 1.4.1, an uncaught panic triggered by malformed input to alloy_dyn_abi::TypedData could lead to a denial-of-service (DoS) via eip712_signing_hash(). Softw…
- CVE-2025-66305MEDIUMCVSS 4.9EG 4.92025-12-01
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported paramete…
- CVE-2025-66578HIGHCVSS 7.5EG 6.02025-12-09
xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Versions 3.1.3 contain an authentication bypass vulnerability due to a flaw in the libxml2 canonicalization process during document transformation. When…
- CVE-2025-67647CRITICALCVSS 9.1EG 9.12026-01-15
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2…
- CVE-2025-7338HIGHCVSS 7.5EG 7.52025-07-17
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed mu…
- CVE-2025-8870MEDIUMCVSS 4.9EG 4.92025-11-14
On affected platforms running Arista EOS, certain serial console input might result in an unexpected reload of the device.153
- CVE-2025-9124HIGHCVSS 8.7EG 8.72025-10-14
A denial-of-service security issue in the affected product. The security issue stems from a fault occurring when a crafted CIP unconnected explicit message is sent. This can result in a major non-recoverable fault.
- CVE-2026-12644MEDIUMCVSS 5.3EG 5.32026-06-19
Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-f…
- CVE-2026-14181HIGHCVSS 7.5EG 7.52026-07-01
@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a t…
- CVE-2026-14631MEDIUMCVSS 5.3EG 5.32026-07-03
webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade to the default /ws endpoint with a malfor…
- CVE-2026-1507HIGHCVSS 7.5EG 7.52026-02-10
The affected products are vulnerable to an uncaught exception that could allow an unauthenticated attacker to remotely crash core PI services resulting in a denial-of-service.
- CVE-2026-1528HIGHCVSS 7.5EG 7.52026-03-12
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.…
- CVE-2026-2229HIGHCVSS 7.5EG 7.52026-03-12
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automa…
- CVE-2026-24175HIGHCVSS 7.5EG 7.52026-04-07
NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request header to the server. A successful exploit of this vulnerability might lead to denial of service.
- CVE-2026-25128HIGHCVSS 7.5EG 7.52026-01-30
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity proce…
- CVE-2026-25577HIGHCVSS 7.5EG 7.52026-02-10
Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in mmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauth…
- CVE-2026-27790LOWCVSS 2.7EG 2.72026-07-07
Uncaught Exception (CWE-248) in the T20 Readers allows an authenticated and authorized operator to trigger a restart by sending specific requests, resulting in a temporary denial of service. Version of Command Centre affected: *…
- CVE-2026-27844LOWCVSS 2.7EG 2.72026-07-07
Uncaught Exception (CWE-248) in the Controller 6000 and Controller 7000 diagnostic web interface allows an authenticated and authorized operator to trigger a Controller restart by sending specific requests, resulting in a temporary denial…
- CVE-2026-31812MEDIUMCVSS 5.3EG 8.72026-03-10
Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a cr…
- CVE-2026-33939HIGHCVSS 7.5EG 7.52026-03-27
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled templa…
- CVE-2026-34752HIGHCVSS 7.5EG 7.52026-04-02
Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4.
- CVE-2026-34943HIGHCVSS 7.5EG 7.52026-04-09
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the se…
- CVE-2026-34944MEDIUMCVSS 5.7EG 5.72026-04-09
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranelift may load 8 more bytes than is neces…
- CVE-2026-34986HIGHCVSS 7.5EG 7.52026-04-06
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.…
- CVE-2026-35348MEDIUMCVSS 5.5EG 5.52026-04-22
The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate cr…
- CVE-2026-37554HIGHCVSS 7.5EG 7.52026-05-01
An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation …
- CVE-2026-41585MEDIUMCVSS 6.5EG 6.52026-05-08
ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra's JSON-RPC HTTP middleware allows an authenticated RPC client to…
- CVE-2026-42268HIGHCVSS 7.5EG 7.52026-05-12
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmods…
- CVE-2026-42544HIGHCVSS 7.5EG 7.52026-05-12
Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. The …
- CVE-2026-42545MEDIUMCVSS 5.9EG 5.92026-05-12
Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap() on bo…
- CVE-2026-43988HIGHCVSS 7.5EG 7.52026-05-26
Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the ASN.1/OER parsing pipeline of Vanetza. When processing malformed network packets conta…
- CVE-2026-44001HIGHCVSS 8.6EG 8.62026-05-13
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection …
- CVE-2026-44905HIGHCVSS 7.5EG 7.52026-05-26
Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the cryptographic verification pipeline of Vanetza. When processing incoming V2X messages,…
- CVE-2026-45554MEDIUMCVSS 5.3EG 5.32026-05-18
NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to …
- CVE-2026-45676MEDIUMCVSS 5.5EG 5.52026-05-18
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI's replacement ELF parser trusts section offsets, counts, and string offsets from the executable file. A craft…
- CVE-2026-45685HIGHCVSS 7.5EG 7.52026-05-18
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.1.0 to before version 0.9.0, malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowi…
- CVE-2026-46411MEDIUMCVSS 6.5EG 6.52026-06-10
FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.2, authorized clients have the ability to exceed the permitted over-commit of their write buffer and triggering an internal safe-guard exception. T…
- CVE-2026-46545HIGHCVSS 7.5EG 7.52026-05-21
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.5.0, a remote, unauthenticated denial-of-service vulnerability in MerkleRadixTrie::put_chunk allows any stat…
Map vulnerabilities like CWE-248 to your infrastructure
EchelonGraph correlates every CVE — across CWE-248 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →