CWE-400— Uncontrolled Resource Consumption (Denial of Service)
The product does not properly control the allocation and maintenance of a limited resource.— MITRE CWE catalog
3,408 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-400page 66 of 69
- CVE-2026-45357HIGHCVSS 7.5EG 7.52026-05-27
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the date filter's strftime implementation parses width specifiers like %9999999d and forwards the captured width unche…
- CVE-2026-45498MEDIUMCVSS 4.0EG 9.0⚠ KEV2026-05-20
Microsoft Defender Denial of Service Vulnerability
- CVE-2026-45591HIGHCVSS 7.5EG 7.52026-06-09
Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.
- CVE-2026-45664MEDIUMCVSS 5.3EG 5.32026-05-18
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, because of a missing check in the MNG coder it would be possible to read more images than the list lim…
- CVE-2026-45680HIGHCVSS 7.5EG 7.52026-05-18
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, t…
- CVE-2026-45756HIGHCVSS 8.2EG 8.22026-05-28
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 7.3.0-BETA1 until 7.4.12 and 8.0.12, the JsonPath component compiles attacker-controlled match() and search() filter patterns directly i…
- CVE-2026-45783HIGHCVSS 7.5EG 7.52026-05-19
libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT…
- CVE-2026-45802MEDIUMCVSS 6.0EG 6.02026-05-19
FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. Prior to version 2.6.7, an attacker can upload a small, malicious PDF file that will cause the server-side s…
- CVE-2026-45822MEDIUMCVSS 6.6EG 6.62026-06-30
decode-uri-component through 0.4.1 is vulnerable to denial of service. The decode() function splits input on '%' producing N tokens and calls decodeComponents(), exhibiting super-linear parsing time: 200 '%ab' tokens takes approximately 0.…
- CVE-2026-46374HIGHCVSS 7.5EG 7.52026-05-19
SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.2.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a ma…
- CVE-2026-46385HIGHCVSS 7.5EG 8.72026-05-18
iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state inside the loop body. Reader.ReadBlockHeade…
- CVE-2026-46522HIGHCVSS 7.5EG 7.52026-05-18
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, due to a missing check in the MIFF decoder, a crafted file could cause an infinite loop resulting in C…
- CVE-2026-46679HIGHCVSS 7.5EG 7.52026-05-21
libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with defaul…
- CVE-2026-46689HIGHCVSS 8.7EG 8.72026-05-06
Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (≈ 4–12 KB) drives the recursive-descent PEG…
- CVE-2026-46775CRITICALCVSS 9.9EG 9.92026-05-28
Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST …
- CVE-2026-46829HIGHCVSS 7.5EG 7.52026-05-28
Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle …
- CVE-2026-46834HIGHCVSS 7.5EG 7.52026-05-28
Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net …
- CVE-2026-46835HIGHCVSS 7.5EG 7.52026-05-28
Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net …
- CVE-2026-46843MEDIUMCVSS 5.3EG 5.32026-05-28
Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST…
- CVE-2026-46862HIGHCVSS 7.5EG 7.52026-06-17
Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General). Supported versions that are affected are 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network a…
- CVE-2026-46863HIGHCVSS 7.5EG 7.52026-06-17
Vulnerability in the MySQL Server, MySQL Cluster product of Oracle MySQL (component: Server: Connection Handling). Supported versions that are affected are MySQL Server: 8.4.0-8.4.9, 9.0.0-9.7.0; MySQL Cluster: 8.0.11-8.0.46, 8.4.0-8.4.9 …
- CVE-2026-46866HIGHCVSS 8.2EG 8.22026-06-17
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Agent Next Gen). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticate…
- CVE-2026-46910CRITICALCVSS 9.1EG 9.12026-06-17
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthent…
- CVE-2026-46914HIGHCVSS 7.1EG 7.12026-06-17
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystem). The supported version that is affected is 11.4. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where…
- CVE-2026-4704HIGHCVSS 7.5EG 7.52026-03-24
Denial-of-service in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
- CVE-2026-47071HIGHCVSS 7.5EG 7.52026-05-25
Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connect…
- CVE-2026-47073HIGHCVSS 7.5EG 7.52026-05-25
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The WebSocket client in src/hackney_ws.erl imposes no upper bound on memory consumption in three code paths. First, read_handshake_respo…
- CVE-2026-47077HIGHCVSS 7.5EG 7.52026-05-25
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-…
- CVE-2026-47214HIGHCVSS 7.1EG 7.12026-06-03
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.94.0, the HTML backend has unsafe URI and path handling. This vulnerability is fixed in 2.94.0.
- CVE-2026-47244MEDIUMCVSS 5.3EG 5.32026-06-08
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE…
- CVE-2026-4726HIGHCVSS 7.5EG 7.52026-03-24
Denial-of-service in the XML component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
- CVE-2026-47262MEDIUMCVSS 5.5EG 5.52026-06-19
containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2, contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a contain…
- CVE-2026-4727HIGHCVSS 7.5EG 7.52026-03-24
Denial-of-service in the Libraries component in NSS. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
- CVE-2026-47476HIGHCVSS 7.5EG 7.52026-07-14
NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause uncontrolled resource consumption. A successful exploit of this vulnerability might lead to denial of service.
- CVE-2026-47479HIGHCVSS 7.5EG 7.52026-07-14
NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause uncontrolled resource consumption. A successful exploit of this vulnerability might lead to denial of service.
- CVE-2026-47706MEDIUMCVSS 5.3EG 5.32026-06-04
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query con…
- CVE-2026-47707MEDIUMCVSS 5.3EG 5.32026-06-04
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it corre…
- CVE-2026-47734MEDIUMCVSS 5.7EG 5.72026-06-08
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack (~174 bytes) whose delta header declares a …
- CVE-2026-47736HIGHCVSS 7.5EG 7.52026-06-08
Puma is a Ruby/Rack web server built for parallelism. From 5.5.0 until 7.2.1 and 8.0.2, when PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer while waiting for CRLF to determine whether a PROXY v1 lin…
- CVE-2026-47902MEDIUMCVSS 6.2EG 6.22026-06-09
CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an applica…
- CVE-2026-47904MEDIUMCVSS 6.2EG 6.22026-06-09
CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an applica…
- CVE-2026-47905MEDIUMCVSS 6.2EG 6.22026-06-09
CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an applica…
- CVE-2026-48043HIGHCVSS 7.5EG 7.52026-06-11
Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompress…
- CVE-2026-48155MEDIUMCVSS 5.5EG 5.52026-05-28
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets.…
- CVE-2026-48187MEDIUMCVSS 5.7EG 5.72026-06-01
An uncontrolled allocation of resources without limits or throttling in the e-mail handling in OTRS allows excessive allocation which may lead to the abortion of the webserver.This issue affects OTRS: * 8.0.X * 2023.X * 2024.X …
- CVE-2026-48208MEDIUMCVSS 6.5EG 6.52026-06-01
An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and de…
- CVE-2026-48525MEDIUMCVSS 5.3EG 5.32026-05-28
PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payloa…
- CVE-2026-48593MEDIUMCVSS 5.9EG 5.92026-05-26
Uncontrolled Resource Consumption vulnerability in oban-bg oban_web ('Elixir.Oban.Web.CronExpr' modules) allows memory exhaustion via unbounded cron range expansion. An attacker with access to schedule cron jobs can submit a malicious cro…
- CVE-2026-48619HIGHCVSS 7.5EG 5.32026-06-26
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24…
- CVE-2026-48779HIGHCVSS 7.5EG 7.52026-06-15
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vul…
Map vulnerabilities like CWE-400 to your infrastructure
EchelonGraph correlates every CVE — across CWE-400 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →