Total
1495 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-58754 | 1 Axios | 1 Axios | 2026-01-16 | N/A | 7.5 HIGH |
| Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Versions 0.30.2 and 1.12.0 contain a patch for the issue. | |||||
| CVE-2025-65015 | 1 Hsiaoming | 1 Joserfc | 2026-01-15 | N/A | 7.5 HIGH |
| joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 to before 1.3.5 and from 1.4.0 to before 1.4.2, the ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload. In situations where a misconfigured — or entirely absent — production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it. This issue has been patched in versions 1.3.5 and 1.4.2. | |||||
| CVE-2025-69228 | 1 Aiohttp | 1 Aiohttp | 2026-01-14 | N/A | 7.5 HIGH |
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3. | |||||
| CVE-2025-69223 | 1 Aiohttp | 1 Aiohttp | 2026-01-14 | N/A | 7.5 HIGH |
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3. | |||||
| CVE-2025-46687 | 2 Bellard, Quickjs-ng | 2 Quickjs, Quickjs | 2026-01-14 | N/A | 5.6 MEDIUM |
| quickjs-ng through 0.9.0 has a missing length check in JS_ReadString for a string, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected. | |||||
| CVE-2024-51428 | 1 Espressif | 1 Esp-idf | 2026-01-14 | N/A | 7.5 HIGH |
| An issue in Espressif Esp idf v5.3.0 allows attackers to cause a Denial of Service (DoS) via a crafted data channel packet. | |||||
| CVE-2025-50334 | 1 Technitium | 1 Dnsserver | 2026-01-12 | N/A | 7.5 HIGH |
| An issue in Technitium DNS Server v.13.5 allows a remote attacker to cause a denial of service via the rate-limiting component | |||||
| CVE-2025-68456 | 1 Craftcms | 1 Craft Cms | 2026-01-12 | N/A | 9.1 CRITICAL |
| Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes. | |||||
| CVE-2025-64422 | 1 Coollabs | 1 Coolify | 2026-01-12 | N/A | 4.3 MEDIUM |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables unlimited credential stuffing and brute-force attempts against user and admin accounts. As of time of publication, it is unclear if a patch is available. | |||||
| CVE-2025-9784 | 1 Redhat | 8 Build Of Apache Camel For Spring Boot, Enterprise Linux, Fuse and 5 more | 2026-01-08 | N/A | 7.5 HIGH |
| A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS). | |||||
| CVE-2025-14299 | 1 Tp-link | 2 Tapo C200, Tapo C200 Firmware | 2026-01-08 | N/A | 6.5 MEDIUM |
| The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocation, causing the device to crash and resulting in denial-of-service (DoS). | |||||
| CVE-2020-36907 | 2026-01-08 | N/A | 7.5 HIGH | ||
| Aerohive HiveOS contains a denial of service vulnerability in the NetConfig UI that allows unauthenticated attackers to render the web interface unusable. Attackers can send a crafted HTTP request to the action.php5 script with specific parameters to trigger a 5-minute service disruption. | |||||
| CVE-2025-15474 | 2026-01-08 | N/A | N/A | ||
| AuntyFey Smart Combination Lock firmware versions as of 2025-12-24 contain a vulnerability that allows an unauthenticated attacker within Bluetooth Low Energy (BLE) range to cause a denial of service by repeatedly initiating BLE connections. Sustained connection attempts interrupt keypad authentication input and repeatedly force the device into lockout states, preventing legitimate users from unlocking the device. | |||||
| CVE-2025-68272 | 1 Signalk | 1 Signal K Server | 2026-01-06 | N/A | 7.5 HIGH |
| Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (`/signalk/v1/access/requests`). This causes a "JavaScript heap out of memory" error due to unbounded in-memory storage of request objects. Version 2.19.0 fixes the issue. | |||||
| CVE-2025-47208 | 1 Qnap | 2 Qts, Quts Hero | 2026-01-05 | N/A | 6.5 MEDIUM |
| An allocation of resources without limits or throttling vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later | |||||
| CVE-2025-57705 | 1 Qnap | 2 Qts, Quts Hero | 2026-01-05 | N/A | 4.9 MEDIUM |
| An allocation of resources without limits or throttling vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later | |||||
| CVE-2025-44652 | 1 Netgear | 2 Rax30, Rax30 Firmware | 2026-01-02 | N/A | 7.5 HIGH |
| In Netgear RAX30 V1.0.10.94_3, the USERLIMIT_GLOBAL option is set to 0 in multiple bftpd-related configuration files. This can cause DoS attacks when unlimited users are connected. | |||||
| CVE-2025-68148 | 1 Freshrss | 1 Freshrss | 2025-12-31 | N/A | 4.3 MEDIUM |
| FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, An attacker could globally deny access to feeds via proxy modifying to 429 Retry-After for a large list of feeds on given instance, making it unusable for majority of users. This issue has been patched in version 1.28.0. | |||||
| CVE-2022-50799 | 2025-12-31 | N/A | 7.5 HIGH | ||
| Fetch FTP Client 5.8.2 contains a denial of service vulnerability that allows attackers to trigger 100% CPU consumption by sending long server responses. Attackers can send specially crafted FTP server responses exceeding 2K bytes to cause excessive resource utilization and potentially crash the application. | |||||
| CVE-2025-32952 | 1 Haulmont | 4 Cuba Platform, Cuba Rest Api, Jmix Framework and 1 more | 2025-12-31 | N/A | 6.5 MEDIUM |
| Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files, potentially causing the server to run out of space and return HTTP 500 error, resulting in a denial of service. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website. | |||||