Total
1554 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-68659 | 1 Discourse | 1 Discourse | 2026-01-30 | N/A | 4.3 MEDIUM |
| Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | |||||
| CVE-2024-34703 | 2026-01-30 | N/A | 7.5 HIGH | ||
| Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan. | |||||
| CVE-2026-22258 | 1 Oisf | 1 Suricata | 2026-01-30 | N/A | 7.5 HIGH |
| Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer w/o limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB. | |||||
| CVE-2026-22259 | 1 Oisf | 1 Suricata | 2026-01-30 | N/A | 7.5 HIGH |
| Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, specially crafted traffic can cause Suricata to consume large amounts of memory while parsing DNP3 traffic. This can lead to the process slowing down and running out of memory, potentially leading to it getting killed by the OOM killer. Versions 8.0.3 or 7.0.14 contain a patch. As a workaround, disable the DNP3 parser in the suricata yaml (disabled by default). | |||||
| CVE-2025-13751 | 2 Microsoft, Openvpn | 2 Windows, Openvpn | 2026-01-30 | N/A | 5.5 MEDIUM |
| Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service. | |||||
| CVE-2021-47791 | 1 Smartftp | 1 Smartftp | 2026-01-30 | N/A | 7.5 HIGH |
| SmartFTP Client 10.0.2909.0 contains multiple denial of service vulnerabilities that allow attackers to crash the application through specific input manipulation. Attackers can trigger crashes by entering malformed paths, using invalid IP addresses, or clearing connection history in the client's interface. | |||||
| CVE-2021-47793 | 1 Telegram | 1 Telegram Desktop | 2026-01-30 | N/A | 7.5 HIGH |
| Telegram Desktop 2.9.2 contains a denial of service vulnerability that allows attackers to crash the application by sending an oversized message payload. Attackers can generate a 9 million byte buffer and paste it into the messaging interface to trigger an application crash. | |||||
| CVE-2025-27795 | 1 Graphicsmagick | 1 Graphicsmagick | 2026-01-29 | N/A | 4.3 MEDIUM |
| ReadJXLImage in JXL in GraphicsMagick before 1.3.46 lacks image dimension resource limits. | |||||
| CVE-2020-36943 | 2026-01-29 | N/A | 7.5 HIGH | ||
| aSc TimeTables 2021.6.2 contains a denial of service vulnerability that allows attackers to crash the application by overwriting subject title fields with excessive data. Attackers can generate a 10,000-character buffer and paste it into the subject title to trigger application instability and potential crash. | |||||
| CVE-2020-36950 | 2026-01-29 | N/A | 6.5 MEDIUM | ||
| Laravel Nova 3.7.0 contains a denial of service vulnerability that allows authenticated users to crash the application by manipulating the 'range' parameter. Attackers can send simultaneous requests with an extremely high range value to overwhelm and crash the server. | |||||
| CVE-2025-55102 | 2026-01-29 | N/A | N/A | ||
| A denial-of-service vulnerability exists in the NetX IPv6 component functionality of Eclipse ThreadX NetX Duo. A specially crafted network packet of "Packet Too Big" with more than 15 different source address can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. | |||||
| CVE-2020-36946 | 2026-01-29 | N/A | 7.5 HIGH | ||
| SyncBreeze 10.0.28 contains a denial of service vulnerability in the login endpoint that allows remote attackers to crash the service. Attackers can send an oversized payload in the login request to overwhelm the application and potentially disrupt service availability. | |||||
| CVE-2025-61723 | 1 Golang | 1 Go | 2026-01-29 | N/A | 7.5 HIGH |
| The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. | |||||
| CVE-2025-61724 | 1 Golang | 1 Go | 2026-01-29 | N/A | 5.3 MEDIUM |
| The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. | |||||
| CVE-2025-59089 | 2026-01-28 | N/A | 5.9 MEDIUM | ||
| If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients. | |||||
| CVE-2026-22773 | 1 Vllm | 1 Vllm | 2026-01-27 | N/A | 6.5 MEDIUM |
| vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0. | |||||
| CVE-2025-58578 | 1 Sick | 1 Enterprise Analytics | 2026-01-27 | N/A | 3.8 LOW |
| A user with the appropriate authorization can create any number of user accounts via an API endpoint using a POST request. There are no quotas, checking mechanisms or restrictions to limit the creation. | |||||
| CVE-2025-58582 | 1 Sick | 1 Enterprise Analytics | 2026-01-27 | N/A | 5.3 MEDIUM |
| If a user tries to login but the provided credentials are incorrect a log is created. The data for this POST requests is not validated and it’s possible to send giant payloads which are then logged. | |||||
| CVE-2025-14525 | 2026-01-27 | N/A | 6.4 MEDIUM | ||
| A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report an excessive number of network interfaces. This action can overwhelm the system's ability to store VM configuration updates, effectively blocking changes to the Virtual Machine Instance (VMI). This allows the VM user to restrict the VM administrator's ability to manage the VM, leading to a denial of service for administrative operations. | |||||
| CVE-2026-1102 | 1 Gitlab | 1 Gitlab | 2026-01-26 | N/A | 5.3 MEDIUM |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests. | |||||