VYPR

CWE-407

Inefficient Algorithmic Complexity

ClassIncompleteLikelihood: Low

Description

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (67)

page 2 of 4
  • CVE-2026-40164HigApr 14, 2026
    risk 0.42cvss 7.5epss 0.00

    jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By…

  • CVE-2026-34827HigApr 2, 2026
    risk 0.42cvss 7.5epss 0.00

    Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches…

  • CVE-2026-34573HigMar 31, 2026
    risk 0.42cvss 7.5epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary…

  • CVE-2025-62727HigOct 28, 2025
    risk 0.42cvss 7.5epss 0.01

    Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This…

  • CVE-2026-53539higJun 15, 2026
    risk 0.38cvss epss 0.00

    ### Summary When parsing `application/x-www-form-urlencoded` bodies, `QuerystringParser` located the field separator with a two step lookup: it first scanned the entire remaining buffer for `&`, and only when no `&` existed anywhere ahead did it fall back to scanning for `;`.…

  • CVE-2024-29916MedMar 21, 2024
    risk 0.36cvss 5.6epss 0.00

    The dormakaba Saflok system before the November 2023 software update allows an attacker to unlock arbitrary doors at a property via forged keycards, if the attacker has obtained one active or expired keycard for the specific property, aka the "Unsaflok" issue. This occurs, in…

  • CVE-2026-35599MedApr 10, 2026
    risk 0.35cvss 6.5epss 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval…

  • CVE-2026-33033MedApr 7, 2026
    risk 0.35cvss 6.5epss 0.01

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported…

  • CVE-2024-12243MedFeb 10, 2025
    risk 0.35cvss 5.3epss 0.01

    A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to…

  • CVE-2026-45664MedJun 10, 2026
    risk 0.34cvss 5.3epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in…

  • CVE-2026-3276MedJun 3, 2026
    risk 0.34cvss epss 0.00

    unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

  • CVE-2024-12133MedFeb 10, 2025
    risk 0.34cvss 5.3epss 0.01

    A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially…

  • CVE-2026-8594MedMay 30, 2026
    risk 0.33cvss 6.2epss 0.00

    Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters. Text::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the…

  • CVE-2026-44390MedMay 20, 2026
    risk 0.27cvss 5.3epss 0.00

    NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses with very large RRsets with records that don't share a suffix above the root…

  • CVE-2026-42923MedMay 20, 2026
    risk 0.27cvss 5.3epss 0.00

    NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit on NSEC3 hash calculations introduced in 1.19.1. This leads to degradation of…

  • CVE-2026-34230MedApr 2, 2026
    risk 0.27cvss 5.3epss 0.00

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by…

  • CVE-2025-14831MedFeb 9, 2026
    risk 0.27cvss 5.3epss 0.01

    A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

  • CVE-2025-29908MedMar 31, 2025
    risk 0.27cvss 5.3epss 0.01

    Netty QUIC codec is a QUIC codec for netty which makes use of quiche. An issue was discovered in the codec. A hash collision vulnerability (in the hash map used to manage connections) allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by…

  • CVE-2025-24947MedFeb 20, 2025
    risk 0.27cvss 5.3epss 0.01

    A hash collision vulnerability (in the hash table used to manage connections) in LSQUIC (aka LiteSpeed QUIC) before 4.2.0 allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs…

  • CVE-2025-24946MedFeb 20, 2025
    risk 0.27cvss 5.3epss 0.01

    The hash table used to manage connections in picoquic before b80fd3f uses a weak hash function, allowing remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs).