CWE-400— Uncontrolled Resource Consumption (Denial of Service)
The product does not properly control the allocation and maintenance of a limited resource.— MITRE CWE catalog
3,397 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-400page 61 of 68
- CVE-2026-10691MEDIUMCVSS 4.3EG 4.32026-06-02
A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component start_search. Performing a manipulation of the argument SearchResult[…
- CVE-2026-10692MEDIUMCVSS 4.3EG 4.32026-06-02
A weakness has been identified in johnhuang316 code-index-mcp up to 2.14.0. Affected is the function is_safe_regex_pattern of the component search_code_advanced. Executing a manipulation of the argument regex can lead to inefficient regula…
- CVE-2026-10705LOWCVSS 3.1EG 3.12026-06-03
A flaw has been found in dask up to 3.0. Affected by this issue is the function nunique_approx of the file dask/dataframe/hyperloglog.py of the component HLL Handler. This manipulation causes resource consumption. The attack is possible to…
- CVE-2026-10802MEDIUMCVSS 4.3EG 4.32026-06-04
A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/output-field.ts of the component GraphQL API Endpoint. The manipulation results i…
- CVE-2026-11478LOWCVSS 3.3EG 3.32026-06-08
A flaw has been found in kokke tiny-regex-c up to f2632c6d9ed25272987471cdb8b70395c2460bdb. This vulnerability affects the function matchstar of the file re.c of the component Pattern Handler. This manipulation causes inefficient regular e…
- CVE-2026-11611MEDIUMCVSS 6.5EG 6.52026-06-08
A flaw was found in 389 Directory Server. The Content Synchronization persistent search plugin allows unbounded memory growth when an authenticated client stops reading sync responses, enabling denial of service. Additional race conditions…
- CVE-2026-1174MEDIUMCVSS 5.3EG 5.32026-01-19
A vulnerability was determined in birkir prime up to 0.4.0.beta.0. This affects an unknown function of the file /graphql of the component GraphQL Alias Handler. This manipulation causes resource consumption. The attack is possible to be ca…
- CVE-2026-11790MEDIUMCVSS 4.9EG 4.92026-06-09
A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash c…
- CVE-2026-12151HIGHCVSS 7.5EG 7.52026-06-17
Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continu…
- CVE-2026-12319MEDIUMCVSS 6.5EG 6.52026-06-16
Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
- CVE-2026-12325MEDIUMCVSS 6.5EG 6.52026-06-16
Denial-of-service in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
- CVE-2026-13149HIGHCVSS 7.7EG 7.72026-06-30
brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(),…
- CVE-2026-14683LOWCVSS 3.3EG 3.32026-07-04
A vulnerability was detected in HdrHistogram up to 2.2.2. Affected by this issue is the function org.HdrHistogram.AbstractHistogram.decodeFromCompressedByteBuffer of the file src/main/java/org/HdrHistogram/AbstractHistogram.java. The manip…
- CVE-2026-14684LOWCVSS 3.3EG 3.32026-07-04
A flaw has been found in HdrHistogram up to 2.2.2. This affects the function org.HdrHistogram.AbstractHistogram.decodeFromByteBuffer of the file src/main/java/org/HdrHistogram/AbstractHistogram.java. This manipulation of the argument numbe…
- CVE-2026-15308HIGHCVSS 7.5EG 7.52026-07-09
The incremental HTML parser (html.parser.HTMLParser) allows for CPU denial-of-service through repeated unterminated markup declarations when processing uncontrolled data.
- CVE-2026-1605HIGHCVSS 7.5EG 7.52026-03-05
In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happe…
- CVE-2026-20080MEDIUMCVSS 5.3EG 5.32026-01-21
A vulnerability in the SSH service of Cisco IEC6400 Wireless Backhaul Edge Compute Software could allow an unauthenticated, remote attacker to cause the SSH service to stop responding. This vulnerability exists because the SSH service l…
- CVE-2026-20188NONECVSS 0.0EG 7.52026-05-06
Following the initial publication of the Security Advisory about a denial of service (DoS) condition in Cisco Crosswork Network Controller and Cisco Network Services Orchestrator (NSO), additional information has been made available to the…
- CVE-2026-20602MEDIUMCVSS 5.5EG 5.52026-02-11
The issue was addressed with improved handling of caches. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3. An app may be able to cause a denial-of-service.
- CVE-2026-20650HIGHCVSS 7.5EG 7.52026-02-11
A denial-of-service issue was addressed with improved validation. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 26.3. An attacker in a privileged network position may be able to perfor…
- CVE-2026-20652HIGHCVSS 7.5EG 7.52026-02-11
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A remote attacker may be able to cause a denial-of-service.
- CVE-2026-20676MEDIUMCVSS 5.3EG 5.32026-02-11
This issue was addressed through improved state management. This issue is fixed in Safari 26.3, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A website may be able to track users through Safari web extensions.
- CVE-2026-21435MEDIUMCVSS 5.3EG 5.32026-02-12
webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can wit…
- CVE-2026-21452HIGHCVSS 7.5EG 7.52026-01-02
MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While M…
- CVE-2026-21485HIGHCVSS 8.8EG 8.82026-01-06
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are prone to have Undefined Behavior (UB) and Out of Memory errors. This issue is fixed in version 2.3.1.2.
- CVE-2026-21500MEDIUMCVSS 5.5EG 5.52026-01-07
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the XML calculator macro expan…
- CVE-2026-21637HIGHCVSS 7.5EG 5.92026-01-20
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error hand…
- CVE-2026-21696MEDIUMCVSS 6.5EG 6.52026-01-19
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log ent…
- CVE-2026-21720HIGHCVSS 7.5EG 7.52026-01-27
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that gorouti…
- CVE-2026-21728HIGHCVSS 7.5EG 7.52026-04-24
Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy. Mitigation can be done by setting max_result_limit in the search config, e.g. to 26…
- CVE-2026-21941MEDIUMCVSS 4.9EG 4.92026-01-20
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacke…
- CVE-2026-21942MEDIUMCVSS 5.0EG 5.02026-01-20
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystems). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure …
- CVE-2026-21945HIGHCVSS 7.5EG 7.52026-01-20
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29…
- CVE-2026-21948MEDIUMCVSS 4.9EG 4.92026-01-20
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacke…
- CVE-2026-21949MEDIUMCVSS 6.5EG 6.52026-01-20
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multip…
- CVE-2026-21950MEDIUMCVSS 6.5EG 6.52026-01-20
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multip…
- CVE-2026-21952MEDIUMCVSS 4.9EG 4.92026-01-20
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple…
- CVE-2026-21955HIGHCVSS 8.2EG 8.22026-01-20
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the i…
- CVE-2026-21956HIGHCVSS 8.2EG 8.22026-01-20
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the i…
- CVE-2026-21998MEDIUMCVSS 4.9EG 4.92026-04-21
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacke…
- CVE-2026-22002MEDIUMCVSS 4.9EG 4.92026-04-21
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacke…
- CVE-2026-22003MEDIUMCVSS 6.0EG 6.02026-04-21
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u481 and 8u481-b50; Oracle GraalVM Enterprise Edition: 21.3.…
- CVE-2026-22004MEDIUMCVSS 4.9EG 4.92026-04-21
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with netw…
- CVE-2026-22005MEDIUMCVSS 4.9EG 4.92026-04-21
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacke…
- CVE-2026-22009MEDIUMCVSS 6.5EG 6.52026-04-21
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker…
- CVE-2026-22017MEDIUMCVSS 6.5EG 6.52026-04-21
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker…
- CVE-2026-22021MEDIUMCVSS 5.3EG 5.32026-04-21
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17…
- CVE-2026-22228MEDIUMCVSS 4.9EG 4.92026-02-03
An authenticated user with high privileges may trigger a denial‑of‑service condition in TP-Link Archer BE230 v1.2 by restoring a crafted configuration file containing an excessively long parameter. Restoring such a file can cause the d…
- CVE-2026-22239MEDIUMCVSS 5.3EG 5.32026-01-14
The vulnerability exists in BLUVOYIX due to design flaws in the email sending API. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable email sending API. Successf…
- CVE-2026-22258HIGHCVSS 7.5EG 7.52026-01-27
Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer w/o limits, leading to memory exhaustion and the process getting killed. While reported for DCE…
Map vulnerabilities like CWE-400 to your infrastructure
EchelonGraph correlates every CVE — across CWE-400 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →