VYPR

CWE-400

Uncontrolled Resource Consumption

ClassDraftLikelihood: High

Description

The product does not properly control the allocation and maintenance of a limited resource.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-147 · CAPEC-227 · CAPEC-492

CVEs mapped to this weakness (1,853)

page 24 of 93
  • CVE-2026-40980MedApr 28, 2026
    risk 0.42cvss 6.5epss 0.00

    In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)

  • CVE-2026-41680HigApr 24, 2026
    risk 0.42cvss 7.5epss 0.00

    Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an…

  • CVE-2026-21728HigApr 24, 2026
    risk 0.42cvss 7.5epss 0.01

    Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy. Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).

  • CVE-2026-41324HigApr 24, 2026
    risk 0.42cvss 7.5epss 0.00

    basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing…

  • CVE-2026-41135HigApr 22, 2026
    risk 0.42cvss 7.5epss 0.01

    free5GC UDR is the Policy Control Function (PCF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. A memory leak vulnerability in versions prior to 1.4.3 allows any unauthenticated attacker with network access to the PCF SBI interface to cause…

  • CVE-2026-34308MedApr 21, 2026
    risk 0.42cvss 6.5epss 0.00

    Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: JSON). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols…

  • CVE-2026-34303MedApr 21, 2026
    risk 0.42cvss 6.5epss 0.00

    Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple…

  • CVE-2026-34281MedApr 21, 2026
    risk 0.42cvss 6.5epss 0.00

    Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11.4. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise…

  • CVE-2026-34276MedApr 21, 2026
    risk 0.42cvss 6.5epss 0.00

    Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via…

  • CVE-2026-34272MedApr 21, 2026
    risk 0.42cvss 6.5epss 0.00

    Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.…

  • CVE-2026-34271MedApr 21, 2026
    risk 0.42cvss 6.5epss 0.00

    Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via…

  • CVE-2026-34270MedApr 21, 2026
    risk 0.42cvss 6.5epss 0.00

    Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via…

  • CVE-2026-22017MedApr 21, 2026
    risk 0.42cvss 6.5epss 0.00

    Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple…

  • CVE-2026-22009MedApr 21, 2026
    risk 0.42cvss 6.5epss 0.00

    Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple…

  • CVE-2026-39320HigApr 21, 2026
    risk 0.42cvss 7.5epss 0.00

    Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex…

  • CVE-2026-40481HigApr 17, 2026
    risk 0.42cvss 7.5epss 0.00

    monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to…

  • CVE-2026-40303HigApr 17, 2026
    risk 0.42cvss 7.5epss 0.00

    zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is…

  • CVE-2026-40192HigApr 15, 2026
    risk 0.42cvss 7.5epss 0.01

    Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption,…

  • CVE-2026-33116HigApr 14, 2026
    risk 0.42cvss 7.5epss 0.02

    Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a network.

  • CVE-2026-26171HigApr 14, 2026
    risk 0.42cvss 7.5epss 0.02

    Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.