CWE-400— Uncontrolled Resource Consumption (Denial of Service)
The product does not properly control the allocation and maintenance of a limited resource.— MITRE CWE catalog
3,403 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-400page 62 of 69
- CVE-2026-22259HIGHCVSS 7.5EG 7.52026-01-27
Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, specially crafted traffic can cause Suricata to consume large amounts of memory while parsing DNP3 traffic. This can lead to the process slowing down and ru…
- CVE-2026-22540CRITICALCVSS 9.2EG 9.22026-01-07
The massive sending of ARP requests causes a denial of service on one board of the charger that allows control of the EV interfaces. Since the board must be operating correctly for the charger to also function correctly.
- CVE-2026-22541HIGHCVSS 8.2EG 8.22026-01-07
The massive sending of ICMP requests causes a denial of service on one of the boards from the EVCharger that allows control the EV interfaces. Since the board must be operating correctly for the charger to also function correctly.
- CVE-2026-22542CRITICALCVSS 9.2EG 9.22026-01-07
An attacker with access to the system's internal network can cause a denial of service on the system by making two concurrent connections through the Telnet service.
- CVE-2026-22690MEDIUMCVSS 5.3EG 5.32026-01-10
pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to poss…
- CVE-2026-22691MEDIUMCVSS 5.3EG 5.32026-01-10
pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for in…
- CVE-2026-22740MEDIUMCVSS 6.5EG 6.52026-04-29
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to cons…
- CVE-2026-22745MEDIUMCVSS 5.3EG 5.32026-04-29
Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC …
- CVE-2026-22815HIGHCVSS 7.5EG 7.52026-04-01
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.
- CVE-2026-23824HIGHCVSS 7.5EG 7.52026-05-12
Vulnerabilities exist in a protocol-handling component of AOS-8 and AOS-10 Operating Systems. An unauthenticated attacker could exploit these vulnerabilities by sending specially crafted network messages to the affected service. Due to in…
- CVE-2026-23842HIGHCVSS 7.5EG 7.52026-01-19
ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Con…
- CVE-2026-23864HIGHCVSS 7.5EG 7.52026-01-26
Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending spe…
- CVE-2026-23869HIGHCVSS 7.5EG 7.52026-04-08
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5,…
- CVE-2026-24001HIGHCVSS 7.5EG 7.52026-01-22
jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `pars…
- CVE-2026-24012HIGHCVSS 7.5EG 7.52026-07-06
Uncontrolled Resource Consumption vulnerability in Apache IoTDB. Some interface fails to impose reasonable limits on the time span and aggregation interval of the query. An attacker can construct a request with extreme parameters (e.g…
- CVE-2026-2405MEDIUMCVSS 6.5EG 6.52026-04-14
CWE-400 Uncontrolled Resource Consumption vulnerability exists that could cause excessive troubleshooting zip file creation and denial of service when a Web Admin user floods the system with POST /helpabout requests.
- CVE-2026-24215MEDIUMCVSS 5.7EG 5.72026-05-20
NVIDIA Triton Inference Server contains a vulnerability in the DALI backend, where an attacker could cause uncontrolled resource consumption. A successful exploit of this vulnerability might lead to denial of service.
- CVE-2026-24738MEDIUMCVSS 6.5EG 6.52026-01-27
gmrtd is a Go library for reading Machine Readable Travel Documents (MRTDs). Prior to version 0.17.2, ReadFile accepts TLVs with lengths that can range up to 4GB, which can cause unconstrained resource consumption in both memory and cpu cy…
- CVE-2026-25122MEDIUMCVSS 5.5EG 5.52026-02-04
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. …
- CVE-2026-25140HIGHCVSS 7.5EG 7.52026-02-04
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build h…
- CVE-2026-25535HIGHCVSS 7.5EG 7.52026-02-19
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` …
- CVE-2026-25579MEDIUMCVSS 6.5EG 6.52026-02-04
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-im…
- CVE-2026-25667HIGHCVSS 7.5EG 7.52026-03-19
ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Dec…
- CVE-2026-25673HIGHCVSS 7.5EG 7.52026-03-03
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certa…
- CVE-2026-25680MEDIUMCVSS 6.5EG 6.52026-05-26
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
- CVE-2026-25762HIGHCVSS 7.5EG 7.52026-02-06
AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a denial of service (DoS) vulnerability exists in the multipart file handling logic of @adonisjs/bodyparser. When processing file uploads, the multip…
- CVE-2026-25791HIGHCVSS 7.5EG 7.52026-02-09
Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.7.0, the DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even…
- CVE-2026-25819HIGHCVSS 7.5EG 7.52026-03-13
HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 allows unauthenticated attackers to cause a Denial of Service by using a specially crafted HTTP reque…
- CVE-2026-25949HIGHCVSS 7.5EG 7.52026-02-12
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending…
- CVE-2026-26018HIGHCVSS 7.5EG 7.52026-03-06
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The…
- CVE-2026-26066MEDIUMCVSS 6.2EG 6.22026-02-24
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted profile contain invalid IPTC data may cause an infinite loop when writing it with `IPTCTEXT`…
- CVE-2026-26171HIGHCVSS 7.5EG 7.52026-04-14
Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.
- CVE-2026-26307HIGHCVSS 7.5EG 7.52026-07-03
Gitea versions before 1.25.5 do not enforce a timeout on git grep searches, allowing expensive searches to consume server resources.
- CVE-2026-26477MEDIUMCVSS 4.3EG 7.52026-04-03
An issue in Dokuwiki v.2025-05-14b "Librarian" [56.2] allows a remote attacker to cause a denial of service via the media_upload_xhr() function in the media.php file
- CVE-2026-26999HIGHCVSS 7.5EG 7.52026-03-05
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read…
- CVE-2026-27307LOWCVSS 2.4EG 2.42026-04-14
ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. A high-privileged attacker could exploit this vulnerability and exhaust sy…
- CVE-2026-27308LOWCVSS 2.4EG 2.42026-04-14
ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. A high-privileged attacker could exploit this vulnerability and exhaust sy…
- CVE-2026-27857HIGHCVSS 7.5EG 4.32026-03-27
Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command e…
- CVE-2026-27858HIGHCVSS 7.5EG 7.52026-03-27
Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory. Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access …
- CVE-2026-27859MEDIUMCVSS 5.3EG 5.32026-03-27
A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted mail message causes mail delivery process to consume large amounts of CPU time. Use MTA capabilities to limit RFC …
- CVE-2026-27878MEDIUMCVSS 6.5EG 6.52026-06-19
A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of s…
- CVE-2026-27879MEDIUMCVSS 6.5EG 6.52026-03-27
A resample query can be used to trigger out-of-memory crashes in Grafana.
- CVE-2026-27888MEDIUMCVSS 6.6EG 6.62026-02-26
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the `xfa` property of a reader or writer and t…
- CVE-2026-28221MEDIUMCVSS 6.5EG 6.52026-04-29
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.8.0 to before version 4.14.4, a stack-based buffer overflow exists in print_hex_string() in wazuh-remoted. The bug is triggered wh…
- CVE-2026-28318HIGHCVSS 7.5EG 9.0⚠ KEV2026-06-04
SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate. Mitigation steps are provided to secure customer environments in the SolarWinds Trust…
- CVE-2026-28375MEDIUMCVSS 6.5EG 6.52026-03-27
A testdata data-source can be used to trigger out-of-memory crashes in Grafana.
- CVE-2026-28575MEDIUMCVSS 5.5EG 5.52026-06-17
In PackageInstaller.Session#transfer of frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java, there is a possible memory exhaustion attack due to a logic error in the code. This could lead to local denial o…
- CVE-2026-28872HIGHCVSS 7.5EG 7.52026-05-11
A resource exhaustion issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4. A remote attacker may be able to cause a denial-of-service.
- CVE-2026-28908HIGHCVSS 7.5EG 7.52026-05-11
A denial of service issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to modify protected parts of the file system.
- CVE-2026-2891HIGHCVSS 8.2EG 8.22026-07-01
The following Poly Voice IP devices, CCX, Trio, and Edge E, might be inoperable if they connect to a malicious SIP server and receive malformed data. HP is releasing updates to mitigate these potential vulnerabilities.
Map vulnerabilities like CWE-400 to your infrastructure
EchelonGraph correlates every CVE — across CWE-400 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →