CWE-400— Uncontrolled Resource Consumption (Denial of Service)
The product does not properly control the allocation and maintenance of a limited resource.— MITRE CWE catalog
3,408 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-400page 67 of 69
- CVE-2026-48937MEDIUMCVSS 5.3EG 5.32026-06-18
A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**.
- CVE-2026-48987MEDIUMCVSS 6.5EG 6.52026-07-09
pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager ## Description: The `EventManager` module in `pyload` manages a list of `Client` instances for subscribing to events. The addition of each unique `uuid` fro…
- CVE-2026-48988MEDIUMCVSS 5.3EG 5.32026-06-15
markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. The issue stems from repeatedly modifyin…
- CVE-2026-48990MEDIUMCVSS 5.3EG 5.32026-06-17
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegis…
- CVE-2026-49090MEDIUMCVSS 6.5EG 6.52026-07-01
Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk request that causes sustained high CPU consumption…
- CVE-2026-49094MEDIUMCVSS 6.5EG 6.52026-05-28
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an oversized input value to an analyti…
- CVE-2026-49160HIGHCVSS 7.5EG 7.52026-06-09
Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network.
- CVE-2026-4926HIGHCVSS 7.5EG 7.52026-03-26
Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.…
- CVE-2026-49293HIGHCVSS 7.5EG 7.52026-06-19
js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / binary integer literals via a hand-written `parseBigInt` loop that multiplies a `BigInt` accu…
- CVE-2026-49324MEDIUMCVSS 4.6EG 4.62026-05-29
Uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize t…
- CVE-2026-49361HIGHCVSS 7.5EG 7.52026-06-01
Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorS…
- CVE-2026-49461MEDIUMCVSS 5.5EG 5.52026-06-16
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.2, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text of a page which contains a form XObject …
- CVE-2026-49762MEDIUMCVSS 5.1EG 5.12026-06-09
Uncontrolled Resource Consumption vulnerability in the Elixir standard library's Version module allows an attacker who controls a version string to cause a denial of service through CPU and memory exhaustion. The version parser converts n…
- CVE-2026-49799MEDIUMCVSS 6.5EG 6.52026-07-14
Uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network.
- CVE-2026-49842HIGHCVSS 7.5EG 7.52026-06-09
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's WebSocket frame loo…
- CVE-2026-49851HIGHCVSS 7.5EG 7.52026-06-24
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. When parsing Markdown containing many cons…
- CVE-2026-50011HIGHCVSS 7.5EG 7.52026-06-12
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element …
- CVE-2026-50171MEDIUMCVSS 6.1EG 6.12026-06-15
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service (DoS) vulnerability exists in the …
- CVE-2026-50193HIGHCVSS 7.5EG 7.52026-06-23
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if (and only if) the …
- CVE-2026-50196HIGHCVSS 7.5EG 7.52026-06-17
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0, `DataCenterInfo.FromJson` throws `ArgumentExceptio…
- CVE-2026-50212MEDIUMCVSS 6.5EG 6.52026-06-04
Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service.
- CVE-2026-50645HIGHCVSS 7.5EG 7.52026-06-12
There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can lead to uncontrolled resource consumption or a denial of service attack. Users are recommended to upgr…
- CVE-2026-50653HIGHCVSS 7.5EG 7.52026-07-14
Loop with unreachable exit condition ('infinite loop') in Azure Active Directory allows an unauthorized attacker to deny service over a network.
- CVE-2026-50750HIGHCVSS 7.5EG 7.52026-06-30
Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Following the fix for CVE-2026-49270 an unauthenticated attacker can now cause broker OOM by sending an repeated BrokerIn…
- CVE-2026-5079HIGHCVSS 7.5EG 7.52026-06-15
Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on n…
- CVE-2026-50878HIGHCVSS 7.5EG 7.52026-06-15
An issue in the attachment handling component of Feuerhamster MailForm v1.1.0 allows attackers to cause a Denial of Service (DoS) via a crafted request.
- CVE-2026-50879HIGHCVSS 7.5EG 7.52026-06-15
An issue in the uploadPostHandler component of Andrei Marcu linx-server v2.3.8 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.
- CVE-2026-50882HIGHCVSS 7.5EG 7.52026-06-15
An issue in the /api/v0/pastes endpoint of anna-is-cute paste v0.1.1 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.
- CVE-2026-50889HIGHCVSS 7.5EG 7.52026-06-15
An input handling flaw in the HTTP refresh token process of LLDAP v0.6.2 allows attackers to cause a Denial of Service (DoS) via sending a crafted refresh-token header.
- CVE-2026-51535HIGHCVSS 7.5EG 7.52026-07-08
In OpENer 2.3.0 (commit 76b95cf), a resource exhaustion (Denial of Service) vulnerability exists in its network processing loop.
- CVE-2026-51539HIGHCVSS 7.5EG 0.02026-07-13
A Denial of Service (DoS) vulnerability exists in the receive loop of libmodbus 3.1.12 when running on Windows. The issue stems from improper timeout management during network read operations.
- CVE-2026-51600HIGHCVSS 7.5EG 7.52026-07-09
Tenda CP3 V3.0 firmware V31.1.9.91 does not validate the Content-Length header field in RTSP requests (including DESCRIBE, SETUP, and PLAY methods). When a request carrying a Content-Length header is received without a corresponding messag…
- CVE-2026-52192HIGHCVSS 7.5EG 7.52026-07-02
An issue in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_445C5C component
- CVE-2026-52197HIGHCVSS 7.5EG 7.52026-07-01
An issue in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_44af70 component
- CVE-2026-52814MEDIUMCVSS 5.5EG 5.52026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes the…
- CVE-2026-5308HIGHCVSS 7.5EG 7.52026-05-26
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14... Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plu…
- CVE-2026-5316MEDIUMCVSS 4.3EG 4.32026-04-02
A vulnerability was identified in Nothings stb up to 1.22. The impacted element is the function setup_free of the file stb_vorbis.c. The manipulation leads to allocation of resources. The attack is possible to be carried out remotely. The …
- CVE-2026-53539HIGHCVSS 7.5EG 7.52026-06-15
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remainin…
- CVE-2026-54092MEDIUMCVSS 6.5EG 6.52026-06-12
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, unchecked passwords maximums allow for an arbitrarily large password to be passed int…
- CVE-2026-54260LOWCVSS 2.7EG 2.72026-07-01
Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, an authenticated admin user can trigger expensive rendition processing with purposefully crafted filter specs resulting in po…
- CVE-2026-54268HIGHCVSS 7.5EG 7.52026-06-15
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, a Denial of Service (DoS) vulnerability exists in the @angular/commo…
- CVE-2026-54399HIGHCVSS 7.5EG 7.52026-07-01
Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by s…
- CVE-2026-54428HIGHCVSS 7.5EG 7.52026-07-01
Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by s…
- CVE-2026-54712HIGHCVSS 7.5EG 7.52026-07-01
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.27.0, the RMI context propagation payload reader limits the number of context entries but does no…
- CVE-2026-54772HIGHCVSS 7.5EG 7.52026-06-19
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, an unauthenticated remote attacker that can reach a NetTcpBinding, NetNamedPipeBinding, or UnixDomainSocketBinding endp…
- CVE-2026-54786MEDIUMCVSS 5.0EG 5.02026-07-01
Wasmtime is a runtime for WebAssembly. All versions prior to 24.0.10; versions 25.0.0 through those before 36.0.11; versions 37.0.0 through those before 44.0.3; and versions 45.0.0 and 45.0.1 contain a native implementation of WASIp1 whic…
- CVE-2026-54886MEDIUMCVSS 4.3EG 4.32026-07-02
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive. The handle_data/4 function in ssh_sftpd contai…
- CVE-2026-5497HIGHCVSS 7.5EG 7.52026-06-11
vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory (OOM) Denial of Service (DoS) attack due to unbounded frame count processing in the `VideoMediaIO.load_base64()` method. When processing `video/jpeg` data URLs, the method sp…
- CVE-2026-55446HIGHCVSS 7.5EG 7.52026-06-19
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.0.19, an attacker can send a /api/v1/files/upload/ request without any authentication token/cookies and abuse a very long multipart form boundary to …
- CVE-2026-55450CRITICALCVSS 9.3EG 9.32026-06-17
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access …
Map vulnerabilities like CWE-400 to your infrastructure
EchelonGraph correlates every CVE — across CWE-400 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →