Total
2368 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-66676 | 2026-02-13 | N/A | 6.2 MEDIUM | ||
| An issue in IObit Unlocker v1.3.0.11 allows attackers to cause a Denial of Service (DoS) via a crafted request. | |||||
| CVE-2025-21389 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2026-02-13 | N/A | 7.5 HIGH |
| Uncontrolled resource consumption in Windows Universal Plug and Play (UPnP) Device Host allows an unauthorized attacker to deny service over a network. | |||||
| CVE-2025-21300 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2026-02-13 | N/A | 7.5 HIGH |
| Windows Universal Plug and Play (UPnP) Device Host Denial of Service Vulnerability | |||||
| CVE-2026-22228 | 1 Tp-link | 2 Archer Be230, Archer Be230 Firmware | 2026-02-13 | N/A | 4.9 MEDIUM |
| An authenticated user with high privileges may trigger a denial‑of‑service condition in TP-Link Archer BE230 v1.2 by restoring a crafted configuration file containing an excessively long parameter. Restoring such a file can cause the device to become unresponsive, requiring a reboot to restore normal operation. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | |||||
| CVE-2025-46304 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2026-02-13 | N/A | 5.7 MEDIUM |
| The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. A malicious HID device may cause an unexpected process crash. | |||||
| CVE-2025-37161 | 1 Arubanetworks | 1 Arubaos | 2026-02-13 | N/A | 7.5 HIGH |
| A vulnerability in the web-based management interface of affected products could allow an unauthenticated remote attacker to cause a denial of service. Successful exploitation could allow an attacker to crash the system, preventing it from rebooting without manual intervention and disrupting network operations. | |||||
| CVE-2025-38501 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2026-02-13 | N/A | 5.5 MEDIUM |
| In the Linux kernel, the following vulnerability has been resolved: ksmbd: limit repeated connections from clients with the same IP Repeated connections from clients with the same IP address may exhaust the max connections and prevent other normal client connections. This patch limit repeated connections from clients with the same IP. | |||||
| CVE-2026-23864 | 1 Facebook | 1 React | 2026-02-13 | N/A | 7.5 HIGH |
| Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components. | |||||
| CVE-2025-59471 | 1 Vercel | 1 Next.js | 2026-02-13 | N/A | 5.9 MEDIUM |
| A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications. | |||||
| CVE-2026-20650 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2026-02-13 | N/A | 7.5 HIGH |
| A denial-of-service issue was addressed with improved validation. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, visionOS 26.3, iOS 26.3 and iPadOS 26.3. An attacker in a privileged network position may be able to perform denial-of-service attack using crafted Bluetooth packets. | |||||
| CVE-2026-20652 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2026-02-13 | N/A | 7.5 HIGH |
| The issue was addressed with improved memory handling. This issue is fixed in macOS Tahoe 26.3, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3, Safari 26.3. A remote attacker may be able to cause a denial-of-service. | |||||
| CVE-2025-62854 | 1 Qnap | 1 File Station | 2026-02-12 | N/A | 6.5 MEDIUM |
| An uncontrolled resource consumption vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5190 and later | |||||
| CVE-2025-54149 | 1 Qnap | 1 Qsync Central | 2026-02-12 | N/A | 5.5 MEDIUM |
| An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a local attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later | |||||
| CVE-2025-54150 | 1 Qnap | 1 Qsync Central | 2026-02-12 | N/A | 5.5 MEDIUM |
| An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a local attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later | |||||
| CVE-2025-54151 | 1 Qnap | 1 Qsync Central | 2026-02-12 | N/A | 5.5 MEDIUM |
| An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a local attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later | |||||
| CVE-2025-67133 | 1 Heromotocorp | 2 Vida V1 Pro, Vida V1 Pro Firmware | 2026-02-10 | N/A | 7.5 HIGH |
| An issue in Hero Motocorp Vida V1 Pro 2.0.7 allows a local attacker to cause a denial of service via the BLE component | |||||
| CVE-2025-13836 | 1 Python | 1 Python | 2026-02-10 | N/A | 7.5 HIGH |
| When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS. | |||||
| CVE-2026-25762 | 2026-02-09 | N/A | 7.5 HIGH | ||
| AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a denial of service (DoS) vulnerability exists in the multipart file handling logic of @adonisjs/bodyparser. When processing file uploads, the multipart parser may accumulate an unbounded amount of data in memory while attempting to detect file types, potentially leading to excessive memory consumption and process termination. This issue has been patched in versions 10.1.3 and 11.0.0-next.9. | |||||
| CVE-2025-47270 | 2026-02-06 | N/A | 7.5 HIGH | ||
| nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. The `nimiq-network-libp2p` subcrate of nimiq/core-rs-albatross is vulnerable to a Denial of Service (DoS) attack due to uncontrolled memory allocation. Specifically, the implementation of the `Discovery` network message handling allocates a buffer based on a length value provided by the peer, without enforcing an upper bound. Since this length is a `u32`, a peer can trigger allocations of up to 4 GB, potentially leading to memory exhaustion and node crashes. As Discovery messages are regularly exchanged for peer discovery, this vulnerability can be exploited repeatedly. The patch for this vulnerability is formally released as part of v1.1.0. The patch implements a limit to the discovery message size of 1 MB and also resizes the message buffer size incrementally as the data is read. No known workarounds are available. | |||||
| CVE-2026-21452 | 1 Msgpack | 1 Messagepack | 2026-02-05 | N/A | 7.5 HIGH |
| MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation. The vulnerability enables a remote denial-of-service attack against applications that deserialize untrusted .msgpack model files using MessagePack for Java. A specially crafted but syntactically valid .msgpack file containing an EXT32 object with an attacker-controlled, excessively large payload length can trigger unbounded memory allocation during deserialization. When the model file is loaded, the library trusts the declared length metadata and attempts to allocate a byte array of that size, leading to rapid heap exhaustion, excessive garbage collection, or immediate JVM termination with an OutOfMemoryError. The attack requires no malformed bytes, user interaction, or elevated privileges and can be exploited remotely in real-world environments such as model registries, inference services, CI/CD pipelines, and cloud-based model hosting platforms that accept or fetch .msgpack artifacts. Because the malicious file is extremely small yet valid, it can bypass basic validation and scanning mechanisms, resulting in complete service unavailability and potential cascading failures in production systems. Version 0.9.11 fixes the vulnerability. | |||||