Total
410 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-5302 | 2026-04-15 | N/A | 8.6 HIGH | ||
| A denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version v0.12.37. The vulnerability is caused by uncontrolled recursion when parsing deeply nested JSON files, which can lead to Python hitting its maximum recursion depth limit. This results in high resource consumption and potential crashes of the Python process. The issue is resolved in version 0.12.38. | |||||
| CVE-2025-70957 | 2026-04-15 | N/A | 7.5 HIGH | ||
| A Denial of Service (DoS) vulnerability was discovered in the TON Lite Server before v2024.09. The vulnerability arises from the handling of external arguments passed to locally executed "get methods." An attacker can inject a constructed Continuation object (an internal TVM type) that is normally restricted within the VM. When the TVM executes this malicious continuation, it consumes excessive CPU resources while accruing disproportionately low virtual gas costs. This "free" computation allows an attacker to monopolize the Lite Server's processing power, significantly reducing its throughput and causing a denial of service for legitimate users acting through the gateway. | |||||
| CVE-2025-30193 | 2026-04-15 | N/A | 7.5 HIGH | ||
| In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.10 version. A workaround is to restrict the maximum number of queries on incoming TCP connections to a safe value, like 50, via the setMaxTCPQueriesPerConnection setting. We would like to thank Renaud Allard for bringing this issue to our attention. | |||||
| CVE-2025-67899 | 2026-04-15 | N/A | 2.9 LOW | ||
| uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas. | |||||
| CVE-2023-51803 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| LinuxServer.io Heimdall before 2.5.7 does not prevent use of icons that have non-image data such as the "<?php ?>" substring. | |||||
| CVE-2024-58103 | 2026-04-15 | N/A | 5.8 MEDIUM | ||
| Square Wire before 5.2.0 does not enforce a recursion limit on nested groups in ByteArrayProtoReader32.kt and ProtoReader.kt. | |||||
| CVE-2021-41737 | 2026-04-15 | N/A | 7.5 HIGH | ||
| In Faust 2.23.1, an input file with the lines "// r visualisation tCst" and "//process = +: L: abM-^Q;" and "process = route(3333333333333333333,2,1,2,3,1) : *;" leads to stack consumption. | |||||
| CVE-2024-4340 | 2026-04-15 | N/A | 7.5 HIGH | ||
| Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError. | |||||
| CVE-2024-34158 | 2026-04-15 | N/A | 7.5 HIGH | ||
| Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. | |||||
| CVE-2025-10728 | 2026-04-15 | N/A | N/A | ||
| When the module renders a Svg file that contains a <pattern> element, it might end up rendering it recursively leading to stack overflow DoS | |||||
| CVE-2025-53864 | 2026-04-15 | N/A | 5.8 MEDIUM | ||
| Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson. | |||||
| CVE-2025-61766 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to version 1.0.0, infinite recursion can occur if a user queries a bucket using the `!=` comparator. This will result in PHP's call stack limit exceeding, and/or increased memory consumption, potentially leading to a denial of service. Version 1.0.0 contains a patch for the issue. | |||||
| CVE-2024-54731 | 2026-04-15 | N/A | 4.0 MEDIUM | ||
| cpdf through 2.8 allows stack consumption via a crafted PDF document. | |||||
| CVE-2025-24302 | 2026-04-15 | N/A | 6.7 MEDIUM | ||
| Uncontrolled recursion for some TinyCBOR libraries maintained by Intel(R) before version 0.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2025-59364 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| The express-xss-sanitizer (aka Express XSS Sanitizer) package through 2.0.0 for Node.js has an unbounded recursion depth in sanitize in lib/sanitize.js for a JSON request body. | |||||
| CVE-2024-5971 | 2026-04-15 | N/A | 7.5 HIGH | ||
| A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios. | |||||
| CVE-2025-43718 | 2026-04-15 | N/A | 2.9 LOW | ||
| Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata, and associated functions in PDFDoc, with deep recursion in the regex executor (std::__detail::_Executor). | |||||
| CVE-2025-20025 | 2026-04-15 | N/A | 4.4 MEDIUM | ||
| Uncontrolled recursion for some TinyCBOR libraries maintained by Intel(R) before version 0.6.1 may allow an authenticated user to potentially enable denial of service via local access. | |||||
| CVE-2024-8176 | 2026-04-15 | N/A | 7.5 HIGH | ||
| A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage. | |||||
| CVE-2024-49363 | 2026-04-15 | N/A | 7.4 HIGH | ||
| Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed denial-of-service via a maliciously crafted note. FileServerService.prototype.proxyHandler did not check incoming requests are not coming from another proxy server. An attacker can execute an amplified denial-of-service by sending a nested proxy request to the server and end the request with a malicious redirect back to another nested proxy request. Leading to unbounded recursion until the original request is timed out. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. Users unable to upgrade may configure the reverse proxy to block requests to the proxy with an empty User-Agent header or one containing Misskey/. An attacker can not effectively modify the User-Agent header without making another request to the server. | |||||