CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
page 55 of 93| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-35034 | Med | 0.35 | 6.5 | 0.00 | Apr 14, 2026 | Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the SyncPlay group creation endpoint (POST /SyncPlay/New), where an authenticated user can create groups with names of unlimited size due to insufficient… | ||
| CVE-2026-33459 | Med | 0.35 | 6.5 | 0.00 | Apr 8, 2026 | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple… | ||
| CVE-2026-35441 | Med | 0.35 | 6.5 | 0.00 | Apr 6, 2026 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to… | ||
| CVE-2026-33750 | Med | 0.35 | 6.5 | 0.00 | Mar 27, 2026 | The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the… | ||
| CVE-2026-28375 | Med | 0.35 | 6.5 | 0.00 | Mar 27, 2026 | A testdata data-source can be used to trigger out-of-memory crashes in Grafana. | ||
| CVE-2026-27879 | Med | 0.35 | 6.5 | 0.00 | Mar 27, 2026 | A resample query can be used to trigger out-of-memory crashes in Grafana. | ||
| CVE-2026-33541 | Med | 0.35 | 6.5 | 0.00 | Mar 26, 2026 | TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing… | ||
| CVE-2026-33375 | Med | 0.35 | 6.5 | 0.00 | Mar 26, 2026 | The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container. | ||
| CVE-2025-68971 | Med | 0.35 | 6.5 | 0.00 | Mar 16, 2026 | In Forgejo through 13.0.3, the attachment component allows a denial of service by uploading a multi-gigabyte file attachment (e.g., to be associated with an issue or a release). | ||
| CVE-2026-23940 | Med | 0.35 | 6.5 | 0.00 | Mar 13, 2026 | Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result… | ||
| CVE-2025-27100 | Med | 0.35 | 6.5 | 0.00 | Feb 21, 2025 | lakeFS is an open-source tool that transforms your object storage into a Git-like repository. In affected versions an authenticated user can crash lakeFS by exhausting server memory. This is an authenticated denial-of-service issue. This problem has been patched in version… | ||
| CVE-2025-25186 | Med | 0.35 | 6.5 | 0.01 | Feb 10, 2025 | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time… | ||
| CVE-2024-57082 | Med | 0.35 | 6.5 | 0.00 | Feb 5, 2025 | A prototype pollution in the lib.createUploader function of @rpldy/uploader v1.8.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | ||
| CVE-2024-43806 | Med | 0.35 | 6.5 | 0.00 | Aug 26, 2024 | Rustix is a set of safe Rust bindings to POSIX-ish APIs. When using `rustix::fs::Dir` using the `linux_raw` backend, it's possible for the iterator to "get stuck" when an IO error is encountered. Combined with a memory over-allocation issue in `rustix::fs::Dir::read_more`, this… | ||
| CVE-2024-22588 | — | Med | 0.35 | 6.5 | 0.00 | May 24, 2024 | Kwik commit 745fd4e2 does not discard unused encryption keys. | |
| CVE-2024-25143 | Med | 0.35 | 6.5 | 0.01 | Feb 7, 2024 | The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which… | ||
| CVE-2024-24752 | — | Med | 0.35 | 6.5 | 0.01 | Feb 1, 2024 | Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is… | |
| CVE-2023-49295 | Med | 0.35 | 6.4 | 0.01 | Jan 10, 2024 | quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE… | ||
| CVE-2023-6476 | Med | 0.35 | 6.5 | 0.01 | Jan 9, 2024 | A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined. This may allow a pod to specify and get any amount of memory/cpu, circumventing the kubernetes scheduler and potentially resulting in a denial of service in the node. | ||
| CVE-2023-46131 | — | Med | 0.35 | 6.5 | 0.01 | Dec 21, 2023 | Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. This issue has been patched in… |
- risk 0.35cvss 6.5epss 0.00
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the SyncPlay group creation endpoint (POST /SyncPlay/New), where an authenticated user can create groups with names of unlimited size due to insufficient…
- risk 0.35cvss 6.5epss 0.00
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple…
- risk 0.35cvss 6.5epss 0.00
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to…
- risk 0.35cvss 6.5epss 0.00
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the…
- risk 0.35cvss 6.5epss 0.00
A testdata data-source can be used to trigger out-of-memory crashes in Grafana.
- risk 0.35cvss 6.5epss 0.00
A resample query can be used to trigger out-of-memory crashes in Grafana.
- risk 0.35cvss 6.5epss 0.00
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing…
- risk 0.35cvss 6.5epss 0.00
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
- risk 0.35cvss 6.5epss 0.00
In Forgejo through 13.0.3, the attachment component allows a denial of service by uploading a multi-gigabyte file attachment (e.g., to be associated with an issue or a release).
- risk 0.35cvss 6.5epss 0.00
Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result…
- risk 0.35cvss 6.5epss 0.00
lakeFS is an open-source tool that transforms your object storage into a Git-like repository. In affected versions an authenticated user can crash lakeFS by exhausting server memory. This is an authenticated denial-of-service issue. This problem has been patched in version…
- risk 0.35cvss 6.5epss 0.01
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time…
- risk 0.35cvss 6.5epss 0.00
A prototype pollution in the lib.createUploader function of @rpldy/uploader v1.8.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- risk 0.35cvss 6.5epss 0.00
Rustix is a set of safe Rust bindings to POSIX-ish APIs. When using `rustix::fs::Dir` using the `linux_raw` backend, it's possible for the iterator to "get stuck" when an IO error is encountered. Combined with a memory over-allocation issue in `rustix::fs::Dir::read_more`, this…
- risk 0.35cvss 6.5epss 0.00
Kwik commit 745fd4e2 does not discard unused encryption keys.
- risk 0.35cvss 6.5epss 0.01
The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which…
- risk 0.35cvss 6.5epss 0.01
Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is…
- risk 0.35cvss 6.4epss 0.01
quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE…
- risk 0.35cvss 6.5epss 0.01
A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined. This may allow a pod to specify and get any amount of memory/cpu, circumventing the kubernetes scheduler and potentially resulting in a denial of service in the node.
- risk 0.35cvss 6.5epss 0.01
Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. This issue has been patched in…