By weakness (CWE)

CWE-248: related vulnerabilities

CVEs classified under CWE-248. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

3 published vulnerabilities

  • CVE-2026-45685HIGH 7.5

    OpenTelemetry eBPF Instrumentation versions 0.1.0 through 0.8.x contain a denial-of-service vulnerability in their MongoDB wire protocol parser. An attacker on the network can send specially crafted MongoDB messages to crash the telemetry agent without needing authentication or user interaction. When the malformed message reaches the parser, it triggers an unhandled panic that terminates telemetry collection for the affected process or entire node. This is a remote, unauthenticated attack that requires only network access to the listening port.

  • CVE-2026-45676MEDIUM 5.5

    OpenTelemetry eBPF Instrumentation, a tool that uses eBPF technology to gather observability data, contains a flaw in how it parses ELF executable files. An attacker with local access can craft a malicious executable that tricks the instrumentation agent into reading invalid memory locations or accessing incorrect parts of files, causing the agent to crash. This prevents the agent from operating until it's restarted, which could disrupt monitoring visibility in affected environments. The issue affects all versions prior to 0.9.0.

  • CVE-2026-45554MEDIUM 5.3

    NiceGUI, a Python UI framework built on FastAPI, contains a vulnerability in how it handles requests for static assets. Two specific routes can be manipulated to point to directories instead of files. When this happens, the framework throws an error that gets logged with full technical details—and these routes don't require authentication. An attacker can repeatedly trigger these errors to flood the server logs, potentially filling up disk space or overwhelming logging infrastructure. This affects NiceGUI versions before 3.12.0 and has been fixed in version 3.12.0 and later.