CWE-770— Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.— MITRE CWE catalog
1,933 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-770page 33 of 39
- CVE-2026-22025LOWCVSS 3.7EG 3.72026-01-10
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to…
- CVE-2026-22036MEDIUMCVSS 5.9EG 5.92026-01-14
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high…
- CVE-2026-22045MEDIUMCVSS 5.9EG 5.92026-01-15
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie…
- CVE-2026-22258HIGHCVSS 7.5EG 7.52026-01-27
Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer w/o limits, leading to memory exhaustion and the process getting killed. While reported for DCE…
- CVE-2026-22259HIGHCVSS 7.5EG 7.52026-01-27
Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, specially crafted traffic can cause Suricata to consume large amounts of memory while parsing DNP3 traffic. This can lead to the process slowing down and ru…
- CVE-2026-22773MEDIUMCVSS 6.5EG 6.52026-01-10
vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a spe…
- CVE-2026-22780MEDIUMCVSS 4.4EG 4.42026-02-02
Rizin is a UNIX-like reverse engineering framework and command-line toolset. Prior to 0.8.2, a heap overflow can be exploited when a malicious mach0 file, having bogus entries for the dyld chained segments, is parsed by rizin. This vulnera…
- CVE-2026-22803HIGHCVSS 7.5EG 7.52026-01-15
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A …
- CVE-2026-22815HIGHCVSS 7.5EG 7.52026-04-01
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.
- CVE-2026-22917MEDIUMCVSS 4.3EG 4.32026-01-15
Improper input handling in a system endpoint may allow attackers to overload resources, causing a denial of service.
- CVE-2026-22925HIGHCVSS 7.5EG 7.52026-05-12
A vulnerability has been identified in SIMATIC CN 4100 (All versions < V5.0). The affected application is susceptible to resource exhaustion when subjected to high volume of TCP SYN packets This could allow an attacker to render the servi…
- CVE-2026-2325MEDIUMCVSS 4.3EG 4.32026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of serv…
- CVE-2026-23468MEDIUMCVSS 5.5EG 5.52026-04-03
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Userspace can pass an arbitrary number of BO list entries via the bo_number field. Although the prev…
- CVE-2026-23490HIGHCVSS 7.5EG 7.52026-01-16
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.
- CVE-2026-23689HIGHCVSS 7.7EG 7.72026-02-10
Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-…
- CVE-2026-23826HIGHCVSS 7.5EG 7.52026-05-12
A vulnerability in a network management service of AOS-8 Operating System could allow an unauthenticated remote attacker to exploit this vulnerability by sending specially crafted network packets to the affected device, potentially resulti…
- CVE-2026-23869HIGHCVSS 7.5EG 7.52026-04-08
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5,…
- CVE-2026-23881HIGHCVSS 7.7EG 7.72026-01-27
Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause de…
- CVE-2026-23957HIGHCVSS 7.5EG 7.52026-01-22
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding encoded array lengths by replacing them with an excessively large value causes the deser…
- CVE-2026-23962HIGHCVSS 7.5EG 7.52026-01-22
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create poll…
- CVE-2026-23963MEDIUMCVSS 4.3EG 4.32026-01-22
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any u…
- CVE-2026-24006HIGHCVSS 7.5EG 7.52026-01-22
Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4…
- CVE-2026-24133MEDIUMCVSS 6.5EG 6.52026-02-02
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage meth…
- CVE-2026-24514MEDIUMCVSS 6.5EG 6.52026-02-03
A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory…
- CVE-2026-24661LOWCVSS 3.7EG 3.72026-04-09
Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the {{/changes}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. M…
- CVE-2026-24720MEDIUMCVSS 6.5EG 6.52026-06-10
An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or…
- CVE-2026-24738MEDIUMCVSS 6.5EG 6.52026-01-27
gmrtd is a Go library for reading Machine Readable Travel Documents (MRTDs). Prior to version 0.17.2, ReadFile accepts TLVs with lengths that can range up to 4GB, which can cause unconstrained resource consumption in both memory and cpu cy…
- CVE-2026-25043MEDIUMCVSS 5.3EG 5.32026-04-03
Budibase is an open-source low-code platform. Prior to version 3.23.25, a business logic vulnerability exists in Budibase’s password reset functionality due to the absence of rate limiting, CAPTCHA, or abuse prevention mechanisms on the …
- CVE-2026-25122MEDIUMCVSS 5.5EG 5.52026-02-04
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. …
- CVE-2026-25140HIGHCVSS 7.5EG 7.52026-02-04
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build h…
- CVE-2026-25224LOWCVSS 3.7EG 3.72026-02-03
Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that ret…
- CVE-2026-25535HIGHCVSS 7.5EG 7.52026-02-19
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` …
- CVE-2026-25579MEDIUMCVSS 6.5EG 6.52026-02-04
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-im…
- CVE-2026-25673HIGHCVSS 7.5EG 7.52026-03-03
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certa…
- CVE-2026-25762HIGHCVSS 7.5EG 7.52026-02-06
AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a denial of service (DoS) vulnerability exists in the multipart file handling logic of @adonisjs/bodyparser. When processing file uploads, the multip…
- CVE-2026-25804CRITICALCVSS 9.1EG 9.12026-02-06
Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to versions 2.3.2 and 2.4.3, Antrea's network policy priority assignment system has a uint16 arithmetic overflow bug that causes incorrect OpenFlow priority…
- CVE-2026-25949HIGHCVSS 7.5EG 7.52026-02-12
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, there is a potential vulnerability in Traefik managing STARTTLS requests. An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending…
- CVE-2026-25985HIGHCVSS 7.5EG 7.52026-02-24
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB o…
- CVE-2026-26018HIGHCVSS 7.5EG 7.52026-03-06
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The…
- CVE-2026-26076HIGHCVSS 7.5EG 7.52026-02-12
ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in cpu usage. When having NTS enabled on an ntpd-rs server, an attacker can…
- CVE-2026-26130HIGHCVSS 7.5EG 7.52026-03-10
Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
- CVE-2026-26477MEDIUMCVSS 4.3EG 7.52026-04-03
An issue in Dokuwiki v.2025-05-14b "Librarian" [56.2] allows a remote attacker to cause a denial of service via the media_upload_xhr() function in the media.php file
- CVE-2026-27663MEDIUMCVSS 6.5EG 6.52026-03-26
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.10), RTUM85 RTU Base (All versions < V26.10). The affected application contains denial-of-service (DoS) vulnerability. The remote operation…
- CVE-2026-27857HIGHCVSS 7.5EG 4.32026-03-27
Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command e…
- CVE-2026-27858HIGHCVSS 7.5EG 7.52026-03-27
Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory. Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access …
- CVE-2026-27869MEDIUMCVSS 6.9EG 6.92026-06-17
An attacker with access via network to the Regesta Smart HD-PLC of the provider Teldat (in this case, NO registration action is required) who has the vulnerable software could, with a Slow Loris attack, cause Denial of Service (DoS) on the…
- CVE-2026-27880HIGHCVSS 7.5EG 7.52026-03-27
The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.
- CVE-2026-28237MEDIUMCVSS 5.5EG 5.52026-06-09
Unrestricted resource allocation in AMD uProf may be exploitable to consume excessive system resources, potentially leading to a loss of availability.
- CVE-2026-28299HIGHCVSS 7.5EG 8.22026-06-02
SolarWinds Web Help Desk is found to be affected by a denial-of-service vulnerability, which when exploited, could cause the Web Help Desk server to crash due to insufficient memory.
- CVE-2026-28376MEDIUMCVSS 6.5EG 6.52026-05-13
The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API c…
Map vulnerabilities like CWE-770 to your infrastructure
EchelonGraph correlates every CVE — across CWE-770 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →