CWE-770— Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.— MITRE CWE catalog
1,933 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-770page 37 of 39
- CVE-2026-44247HIGHCVSS 7.4EG 7.42026-05-27
Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoin…
- CVE-2026-44248HIGHCVSS 7.5EG 5.32026-05-13
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecod…
- CVE-2026-44250HIGHCVSS 7.5EG 7.52026-06-08
Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply neste…
- CVE-2026-44488HIGHCVSS 7.5EG 7.52026-06-04
Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected ad…
- CVE-2026-44499HIGHCVSS 8.7EG 8.72026-05-08
ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery o…
- CVE-2026-44500MEDIUMCVSS 5.3EG 5.32026-05-08
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against gen…
- CVE-2026-44545HIGHCVSS 7.5EG 5.32026-06-03
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large Web…
- CVE-2026-44577MEDIUMCVSS 5.9EG 5.92026-05-13
Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory …
- CVE-2026-44579HIGHCVSS 7.5EG 7.52026-05-13
Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through craf…
- CVE-2026-44679MEDIUMCVSS 6.9EG 6.92026-05-14
Tuist is a virtual platform team for Swift app devs. Prior to 1.180.10, the forgot password flow allows an unauthenticated attacker to repeatedly trigger password reset emails for a known account without server-side throttling. In self-hos…
- CVE-2026-44697HIGHCVSS 8.6EG 8.62026-05-29
Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decompress (data/batch/batch.go) allows any peer that participates in a topic served …
- CVE-2026-44890HIGHCVSS 7.5EG 7.52026-06-08
Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple co…
- CVE-2026-44931MEDIUMCVSS 5.1EG 5.12026-05-13
The newly introduced RecordUsage D-Bus method https://gitlab.freedesktop.org/pwithnall/malcontent/-/blob/0.14.0/libmalcontent-timer/child-timer-service.c in malcontent-timerd allows arbitrary users in the system to slowly fill up disk s…
- CVE-2026-45023MEDIUMCVSS 5.4EG 5.42026-05-28
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.59, POST /api/blocks/{block_id}/execute endpoint executes blocks without consuming any credits, regardl…
- CVE-2026-45031MEDIUMCVSS 5.3EG 5.32026-05-18
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, due to a missing check in the PSD decoder it would be possible to bypass the list-length resource poli…
- CVE-2026-45078MEDIUMCVSS 5.5EG 5.52026-05-28
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vu…
- CVE-2026-45290HIGHCVSS 7.5EG 7.52026-06-05
Cloudburst Network provides network components used within Cloudburst projects. A vulnerability in versions prior to `1.0.0.CR3-20260417.085727-30` impacts publicly accessible software depending on the affected versions of Network and allo…
- CVE-2026-45292MEDIUMCVSS 5.3EG 5.32026-05-28
opentelemetry-java is the Java implementation of the OpenTelemetry API for recording telemetry, and SDK for managing telemetry recorded by the API. Prior to 1.62.0, a vulnerability affects the baggage propagation implementation in opentele…
- CVE-2026-45352HIGHCVSS 7.5EG 7.52026-05-29
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload func…
- CVE-2026-45416HIGHCVSS 7.5EG 7.52026-06-08
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does…
- CVE-2026-45554MEDIUMCVSS 5.3EG 5.32026-05-18
NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to …
- CVE-2026-45557MEDIUMCVSS 5.8EG 5.82026-05-19
Technitium DNS Server aggressively tries to fetch missing RRSIG records or mismatched DNSKEY records. An attacker in control of a domain can cause a vulnerable system to generate excessive network traffic. Fixed in 15.0.
- CVE-2026-45591HIGHCVSS 7.5EG 7.52026-06-09
Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.
- CVE-2026-45664MEDIUMCVSS 5.3EG 5.32026-05-18
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, because of a missing check in the MNG coder it would be possible to read more images than the list lim…
- CVE-2026-45682MEDIUMCVSS 5.5EG 5.52026-05-18
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-o…
- CVE-2026-45802MEDIUMCVSS 6.0EG 6.02026-05-19
FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. Prior to version 2.6.7, an attacker can upload a small, malicious PDF file that will cause the server-side s…
- CVE-2026-46340HIGHCVSS 7.5EG 7.52026-06-08
Netty is a network application framework for development of protocol servers and clients. In versions of netty-transport-sctp prior to 4.1.135.Final and 4.2.15.Final, for each non-complete SctpMessage fragment the handler does `fragments.p…
- CVE-2026-46551MEDIUMCVSS 6.5EG 6.52026-05-21
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, the uploadViaURL path in the v1/v2 attachment API did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote content-length or against the response stream. An …
- CVE-2026-46553LOWCVSS 2.1EG 2.12026-05-21
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI,…
- CVE-2026-46599HIGHCVSS 7.5EG 7.52026-05-29
The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large am…
- CVE-2026-46673HIGHCVSS 7.5EG 7.52026-05-21
Russh is a Rust SSH client & server library. Prior to version 0.60.3, CryptoVec used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking paths. In current russh releases, local SSH agent peers could still …
- CVE-2026-46702HIGHCVSS 7.5EG 7.52026-05-29
Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose dec…
- CVE-2026-47067HIGHCVSS 7.5EG 7.52026-05-25
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms a…
- CVE-2026-47774HIGHCVSS 7.5EG 7.52026-06-17
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote …
- CVE-2026-48187MEDIUMCVSS 5.7EG 5.72026-06-01
An uncontrolled allocation of resources without limits or throttling in the e-mail handling in OTRS allows excessive allocation which may lead to the abortion of the webserver.This issue affects OTRS: * 8.0.X * 2023.X * 2024.X …
- CVE-2026-48510HIGHCVSS 7.5EG 7.52026-06-22
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, when MessagePack-CSharp decompresses Lz4Block or Lz4BlockArray payloads, it reads declared uncompressed lengths from the wire and allocates output buffers b…
- CVE-2026-48514HIGHCVSS 7.5EG 7.52026-06-22
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, UnsafeBlitFormatterBase<T>.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before v…
- CVE-2026-48515HIGHCVSS 7.5EG 7.52026-06-22
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's multi-dimensional array formatters read dimension lengths directly from the payload and allocate T[,], T[,,], or T[,,,] before validati…
- CVE-2026-48597HIGHCVSS 8.2EG 8.22026-06-02
Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint. Tesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing re…
- CVE-2026-48735MEDIUMCVSS 6.9EG 6.92026-05-28
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.1, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessar…
- CVE-2026-48748HIGHCVSS 7.5EG 7.52026-06-12
Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked strea…
- CVE-2026-48779HIGHCVSS 7.5EG 7.52026-06-15
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are affected by a memory exhaustion DoS vul…
- CVE-2026-48853CRITICALCVSS 9.2EG 9.22026-06-15
Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows …
- CVE-2026-48854HIGHCVSS 8.7EG 8.72026-06-15
Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. 'Elixir.GRP…
- CVE-2026-48862HIGHCVSS 8.2EG 8.22026-06-02
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSH_PROMISE flooding. In lib/mint/http2.ex, Mint.HTTP2.decode_push_pr…
- CVE-2026-48933HIGHCVSS 7.5EG 7.52026-06-26
A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
- CVE-2026-4897MEDIUMCVSS 5.5EG 5.52026-03-26
A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (…
- CVE-2026-48987MEDIUMCVSS 6.5EG 6.52026-07-09
pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager ## Description: The `EventManager` module in `pyload` manages a list of `Client` instances for subscribing to events. The addition of each unique `uuid` fro…
- CVE-2026-48990MEDIUMCVSS 5.3EG 5.32026-06-17
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegis…
- CVE-2026-49087MEDIUMCVSS 6.5EG 6.52026-07-01
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk deletion request that causes excessive…
Map vulnerabilities like CWE-770 to your infrastructure
EchelonGraph correlates every CVE — across CWE-770 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →