By weakness (CWE)
CWE-400: related vulnerabilities
CVEs classified under CWE-400. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
25 published vulnerabilities
- CVE-2026-37234HIGH 8.2
FlexRIC v2.0.0 contains a resource management flaw in how it handles SCTP (Stream Control Transmission Protocol) connections to the RIC (Radio Interface Controller). An attacker can abuse the E42 setup protocol to register multiple application IDs (xapp_ids) over a single connection. When that connection is closed, only the first registered application's resources are cleaned up; the others remain as orphaned entries in system memory. Over time or through repeated connections, this allows an attacker to accumulate stale subscriptions and exhaust available resources, potentially corrupting the internal state of the intelligent application platform (iApp).
- CVE-2026-35277HIGH 8.1
Oracle REST Data Services contains a flaw that allows authenticated users with basic network access to read and modify sensitive data they shouldn't be able to access. An attacker with a low-privilege account can exploit this remotely without user interaction, potentially accessing, changing, or deleting critical information across the service. This is a significant risk because it bypasses normal data access controls.
- CVE-2026-35266HIGH 7.9
Oracle REST Data Services contains a vulnerability that allows an attacker with low-level network access and user credentials to manipulate critical data or disrupt service availability. The attack requires tricking another user into taking action, making it moderately difficult to exploit in practice. Versions 24.2.0 through 26.1.0 are affected. Success can lead to unauthorized access, modification, or deletion of sensitive information, as well as partial service outages.
- CVE-2024-14036HIGH 7.5
Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service flaw affecting hospital networks. An attacker on the same network can send specially crafted, unencrypted discovery messages that force the affected system to consume excessive CPU resources. Once the system is overloaded, it stops processing legitimate discovery messages, disrupting device communication. This requires network access but no authentication.
- CVE-2026-10069HIGH 7.5
A denial-of-service vulnerability exists in Shibby Tomato 1.28's miniupnpd service that allows unauthenticated attackers to exhaust system resources remotely. The flaw resides in an unspecified function within the UPnP daemon and can be triggered without special privileges or user interaction. While Shibby Tomato is no longer maintained (superseded by FreshTomato), organizations still running this legacy firmware remain at risk.
- CVE-2026-42342HIGH 7.5
React Router and Remix applications using Framework Mode are vulnerable to a denial-of-service attack via crafted requests that exploit unbounded path expansion in the __manifest endpoint. An unauthenticated attacker can send specially constructed requests that cause the server to consume excessive resources, slowing response times or rendering the application unavailable to legitimate users. This does not affect applications built with Declarative Mode or Data Mode routing patterns.
- CVE-2019-25721MEDIUM 6.5
Dräger Infinity M300 wearable patient monitors running software version VG2.3.1 or earlier are vulnerable to network-based denial-of-service attacks. An attacker positioned on the same network can send specially crafted requests that force the device to reboot repeatedly, effectively taking the monitor offline and disrupting patient monitoring. This is a network-adjacent threat that requires no authentication or user interaction to trigger.
- CVE-2019-25724MEDIUM 6.5
Dräger Infinity M300 wearable patient monitors running software version VG2.x and earlier are vulnerable to a network-based denial-of-service attack that forces repeated device reboots. An attacker positioned on the hospital network or Infinity Network can trigger these reboots until the monitor enters a failed state, requiring manual intervention to restore function. During this attack window, wireless connectivity drops, patient monitoring capability is interrupted, and alarm functions become unavailable—creating a gap in real-time clinical visibility that could delay detection of patient deterioration.
- CVE-2026-33464MEDIUM 6.5
Kibana contains a denial-of-service vulnerability that allows low-privileged authenticated users to crash the service by sending an oversized request to an internal API. When exploited, Kibana becomes unresponsive to all users until manually restarted or the process recovers. This is a resource exhaustion attack that requires valid credentials but no special privileges.
- CVE-2026-36605MEDIUM 6.5
Mercusys AC12G (EU) V1 routers running firmware version AC12G(EU)_V1_200909 contain a denial-of-service vulnerability where an attacker on the local network can send a small number of specially crafted incomplete HTTP requests to crash the router. The device becomes unresponsive and requires a physical power cycle to restore function. This affects network availability for all connected devices.
- CVE-2026-42073MEDIUM 6.5
OpenClaude, an open-source command-line tool for interacting with cloud and local AI models, has a flaw in how it handles user login. When you authenticate using OAuth, the software runs a temporary web server locally to catch the login response. To prevent attackers from hijacking this process, the server checks a security token called a 'state parameter.' However, due to a bug in how the code checks this token, an attacker can bypass the security check entirely and crash the server without even knowing what the token is. This has been fixed in version 0.5.1 and later.
- CVE-2026-42399MEDIUM 6.5
A vulnerability in Kibana allows authenticated users with basic access to crash the application by uploading specially crafted visualizations. An attacker submits a Timelion visualization with deeply nested function calls that causes Kibana to allocate memory without limit, eventually consuming all available RAM and taking the service offline for everyone. This is a denial-of-service attack that requires valid credentials but no administrative privileges.
- CVE-2026-42400MEDIUM 6.5
CVE-2026-42400 is a denial-of-service vulnerability in Kibana that allows an authenticated user to crash or freeze a Kibana instance by sending a malicious compressed request. The vulnerability exists because Kibana processes and decompresses incoming requests before fully validating user permissions, meaning an attacker can consume excessive memory and CPU resources on the server before authorization checks can stop them. While this requires valid credentials to exploit, the impact is straightforward: a Kibana instance can become unresponsive or crash entirely, disrupting visibility and analysis capabilities that teams depend on.
- CVE-2025-48648MEDIUM 5.5
CVE-2025-48648 is a denial-of-service vulnerability in Android's NotificationManagerService that allows a local attacker to exhaust system resources and crash the notification service. An attacker with basic user privileges can trigger this flaw without user interaction, causing persistent disruption to the device's notification functionality.
- CVE-2026-0042MEDIUM 5.5
CVE-2026-0042 is a resource exhaustion vulnerability in Google Android's UBSan runtime component that allows a local attacker to cause a persistent denial of service. An attacker with basic user-level access can trigger the flaw without user interaction, exhausting system resources and rendering the device unavailable. The vulnerability does not enable unauthorized access or data theft—only availability disruption.
- CVE-2026-0069MEDIUM 5.5
CVE-2026-0069 is a resource exhaustion vulnerability in Android's signature verification code that allows a local attacker to crash the system without needing special privileges or user interaction. An attacker with basic local access can trigger excessive resource consumption in the APK checksum verification process, causing a denial of service.
- CVE-2026-0074MEDIUM 5.5
CVE-2026-0074 is a denial-of-service vulnerability in Android's LauncherProcessImageListener component. An attacker with local system access can exhaust device resources through the getPreferredSize function, causing the launcher process to become unresponsive or crash. No special privileges or user interaction are required to trigger the flaw, making it a concern for multi-user devices and environments where untrusted code may run locally.
- CVE-2026-10224MEDIUM 5.3
A vulnerability in NousResearch's hermes-agent allows an attacker to consume resources on a server by sending specially crafted requests to a webhook endpoint. The vulnerability affects versions up to 2026.4.30 and can be triggered remotely without authentication. While the technical complexity is low, the impact is limited to availability rather than data breach or system compromise. Public exploit information exists, though NousResearch has not responded to early vendor disclosure attempts.
- CVE-2026-10650MEDIUM 5.3
A flaw in libwebsockets (a widely-used WebSocket and networking library) allows attackers to exhaust server resources by manipulating a specific message length parameter in the SSH protocol handler. The vulnerability requires network access but no authentication, and an exploit has already been published. This is a denial-of-service issue that can make affected systems unresponsive without compromising data confidentiality or integrity.
- CVE-2026-10156MEDIUM 4.3
Open5GS, a popular open-source 5G core network implementation, contains a denial-of-service vulnerability in versions up to 2.7.7. An authenticated attacker can manipulate how the system manages network function instance information, causing the application to consume excessive resources and become unresponsive. The vulnerability has been publicly disclosed, but a patch is already available. This is a moderate-severity issue requiring prioritization for 5G infrastructure operators and anyone running affected Open5GS deployments.
- CVE-2026-10291MEDIUM 4.3
Enderfga's claw-orchestrator contains a flaw in how it validates regular expressions in the Session Grep Endpoint. An authenticated attacker can supply a maliciously crafted regex pattern that forces excessive CPU consumption, potentially slowing or freezing the service. This is a medium-severity issue affecting versions up to 3.7.0 and is remedied by upgrading to 3.7.1.
- CVE-2026-10691MEDIUM 4.3
A vulnerability in wonderwhy-er DesktopCommanderMCP through version 0.2.38 allows an authenticated user to trigger a denial-of-service condition by crafting malicious search result data that causes inefficient regular expression processing. The flaw is in the search-manager component and can be exploited remotely by any logged-in user. The vendor has released version 0.2.39 with a fix.
- CVE-2026-10692MEDIUM 4.3
A flaw exists in code-index-mcp versions up to 2.14.0 that allows authenticated users to cause performance degradation through specially crafted regular expressions. By submitting a malicious regex pattern to the search_code_advanced function, an attacker can trigger inefficient regex processing that consumes excessive CPU resources, leading to application slowdown or unresponsiveness. This is a denial-of-service weakness that requires login credentials to exploit but does not compromise confidentiality or data integrity.
- CVE-2026-10802MEDIUM 4.3
A resource consumption vulnerability exists in KeystoneJS, an open-source headless CMS and GraphQL API framework. The flaw resides in the GraphQL API endpoint handler and can be exploited by authenticated users to exhaust server resources, potentially causing a denial-of-service condition. The vulnerability affects KeystoneJS versions up to March 19, 2026. Exploitation requires valid credentials but can be performed remotely over the network.
- CVE-2026-10705LOW 3.1
Dask, a Python library for parallel computing and distributed data processing, contains a resource exhaustion vulnerability in its HyperLogLog (approximate distinct count) functionality. An authenticated remote attacker can trigger excessive resource consumption through the nunique_approx function, potentially degrading system availability. The flaw requires significant attack complexity and specific preconditions, making real-world exploitation difficult despite being theoretically possible.