VYPR

CWE-248

Uncaught Exception

Base / Draft

Description

An exception is thrown from a function, but it is not caught.

When an exception is not caught, it may cause the program to crash or expose sensitive information.
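The description above names both consequences, crash and information exposure, in a single sentence. The following is an added example written for this page, not code from any project in the CVE list below, showing both in a small Node.js-style request handler. The handler names (handleVulnerable, handleLeaky, handleHardened, runWorker), the computeTotal business logic and the sample requests are all constructed for the illustration.

```javascript
'use strict';
// Added example (not from any project on this page): a minimal request handler with CWE-248,
// beside a leaky catch and a hardened one. Everything here is constructed for illustration.

// Constructed sample requests. The first is well formed; the others are the kind of malformed
// input an unauthenticated client can send at no cost.
const GOOD_REQUEST = { body: '{"user":"alice","count":3}' };
const BAD_JSON_REQUEST = { body: '{"user":' };            // truncated JSON -> SyntaxError from JSON.parse
const MISSING_FIELD_REQUEST = { body: '{"user":"bob"}' }; // valid JSON, required field absent -> TypeError downstream
const REQUESTS = [GOOD_REQUEST, BAD_JSON_REQUEST, MISSING_FIELD_REQUEST];

// Business logic written for well-formed input only: `count.toFixed` throws when `count` is undefined.
function computeTotal(parsed) {
  return parsed.count.toFixed(2);
}

// Vulnerable: nothing between the network boundary and the business logic catches the exception.
// In a Node.js server an exception that escapes the handler (or an unhandled promise rejection in
// an async handler) terminates the process, so one malformed request is a denial of service.
function handleVulnerable(req) {
  const parsed = JSON.parse(req.body);
  return { status: 200, body: computeTotal(parsed) };
}

// Leaky: the exception is caught, so the process survives, but the stack trace goes back to the
// client. That is the "expose sensitive information" half of the description: file paths,
// dependency versions and internal identifiers end up in the attacker's hands.
function handleLeaky(req) {
  try {
    return handleVulnerable(req);
  } catch (err) {
    return { status: 500, body: err.stack };
  }
}

// Hardened: validate before use, catch at the untrusted-input boundary, log the detail server-side,
// and return a generic message whose status code separates client error from server fault.
function handleHardened(req, log = () => {}) {
  let parsed;
  try {
    parsed = JSON.parse(req.body);
  } catch (err) {
    log(err); // detail goes to the server log only
    return { status: 400, body: 'malformed JSON' };
  }
  if (typeof parsed.count !== 'number') {
    return { status: 400, body: 'invalid request' };
  }
  try {
    return { status: 200, body: computeTotal(parsed) };
  } catch (err) {
    log(err); // unexpected failure inside business logic: log it, never echo it
    return { status: 500, body: 'internal error' };
  }
}

// Stand-in for a single worker process: serves requests in order and "crashes" (stops) at the first
// exception that escapes the handler, mirroring what an uncaught exception does to a Node.js process.
function runWorker(handler, requests) {
  const statuses = [];
  for (const req of requests) {
    try {
      statuses.push(handler(req).status);
    } catch (err) {
      return { statuses, crashed: true, reason: err.constructor.name };
    }
  }
  return { statuses, crashed: false, reason: null };
}

// Run stand-alone (node file.js) to compare the three handlers against the same traffic.
if (typeof require !== 'undefined' && require.main === module) {
  const handlers = [['vulnerable', handleVulnerable], ['leaky', handleLeaky], ['hardened', handleHardened]];
  for (const [name, handler] of handlers) {
    console.log(name, JSON.stringify(runWorker(handler, REQUESTS)));
  }
  console.log('leaky response starts with:', handleLeaky(BAD_JSON_REQUEST).body.split('\n')[0]);
}
```

Run against the same three requests, the vulnerable worker serves one request and stops at the second, the leaky worker serves all three but returns a stack trace beginning "SyntaxError: ..." to the client, and the hardened worker answers 200, 400, 400 with nothing but generic text. The same boundary-catch discipline applies to async handlers, where the failure mode is an unhandled promise rejection rather than a synchronous throw; the vm2 entry in the list below describes that path.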

Hierarchy (View 1000)

Children

CVEs mapped to this weakness (125)

page 1 of 7
  • CVE-2026-9509 (High), May 29, 2026
    risk 0.57, cvss n/a, epss 0.00

    An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, allows an unauthenticated remote attacker to cause a denial of service (DoS) by sending HTTP POST requests to the ‘/api/migration’ endpoint. This request triggers a failure that…

  • CVE-2025-0657 (High), Nov 27, 2025
    risk 0.57, cvss n/a, epss 0.00

    A weakness in the Automated Logic and Carrier i-Vu Gen5 router on driver version drv_gen5_106-01-2380 allows malformed packets sent over the BACnet MS/TP network to put the devices into a fault state. This fault state requires a manual power cycle to return the…

  • CVE-2025-9124 (High), Oct 14, 2025
    risk 0.57, cvss n/a, epss 0.00

    A denial-of-service security issue in the affected product. The security issue stems from a fault occurring when a crafted CIP unconnected explicit message is sent. This can result in a major non-recoverable fault.

  • CVE-2026-44001 (High), May 13, 2026
    risk 0.56, cvss 8.6, epss 0.00

    vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for…

  • CVE-2025-53620 (Critical), Jul 9, 2025
    risk 0.53, cvss n/a, epss 0.00

    @builder.io/qwik-city is the meta-framework for Qwik. When a Qwik Server Action QRL is executed, it dynamically loads the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error, and the error causes Node.js to exit. This…

  • CVE-2026-46689 (High), Jun 10, 2026
    risk 0.50, cvss n/a, epss 0.00

    Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (≈ 4–12 KB) drives the recursive-descent PEG parser past the worker thread's stack…

  • CVE-2026-31812 (High), Mar 10, 2026
    risk 0.50, cvss n/a, epss 0.00

    Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing…

  • CVE-2025-53366 (High), Jul 4, 2025
    risk 0.50, cvss n/a, epss 0.06

    The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.9.4, a validation error in the MCP SDK can cause an unhandled exception when processing malformed requests, resulting in service unavailability (500…

  • CVE-2025-53365 (High), Jul 4, 2025
    risk 0.50, cvss n/a, epss 0.00

    The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.10.0, if a client deliberately triggers an exception after establishing a streamable HTTP session, this can lead to an uncaught ClosedResourceError on the…

  • CVE-2025-48997 (High), Jun 3, 2025
    risk 0.50, cvss n/a, epss 0.00

    Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field…

  • CVE-2025-43855 (High), Apr 24, 2025
    risk 0.50, cvss n/a, epss 0.00

    tRPC allows users to build & consume fully typesafe APIs without schemas or code generation. In versions starting from 11.0.0 to before 11.1.1, an unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any…

  • CVE-2025-24883 (High), Jan 30, 2025
    risk 0.50, cvss n/a, epss 0.01

    go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.14.13.

  • CVE-2024-20137 (High), Dec 2, 2024
    risk 0.50, cvss 7.5, epss 0.01

    In wlan driver, there is a possible client disconnection due to improper handling of exceptional conditions. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00384543;…

  • CVE-2018-7852 (High), May 22, 2019
    risk 0.50, cvss 7.5, epss 0.04

    A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when an invalid private command parameter is sent to the controller over Modbus.

  • CVE-2026-37554 (High), May 1, 2026
    risk 0.49, cvss 7.5, epss 0.00

    An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on…

  • CVE-2026-24175 (High), Apr 7, 2026
    risk 0.49, cvss 7.5, epss 0.00

    NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request header to the server. A successful exploit of this vulnerability might lead to denial of service.

  • CVE-2026-34752 (High), Apr 2, 2026
    risk 0.49, cvss 7.5, epss 0.00

    Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4.

  • CVE-2026-1507 (High), Feb 10, 2026
    risk 0.49, cvss 7.5, epss 0.00

    The affected products are vulnerable to an uncaught exception that could allow an unauthenticated attacker to remotely crash core PI services resulting in a denial-of-service.

  • CVE-2025-23166 (High), May 19, 2025
    risk 0.49, cvss 7.5, epss 0.01

    The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism…

  • CVE-2024-43357 (High), Aug 15, 2024
    risk 0.49, cvss 8.6, epss 0.01

    ECMA-262 is the language specification for the scripting language ECMAScript. A problem in the ECMAScript (JavaScript) specification of async generators, introduced by a May 2021 spec refactor, may lead to mis-implementation in a way that could present as a security…