By weakness (CWE)
CWE-404: related vulnerabilities
CVEs classified under CWE-404. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
18 published vulnerabilities
- CVE-2026-10069HIGH 7.5
A denial-of-service vulnerability exists in Shibby Tomato 1.28's miniupnpd service that allows unauthenticated attackers to exhaust system resources remotely. The flaw resides in an unspecified function within the UPnP daemon and can be triggered without special privileges or user interaction. While Shibby Tomato is no longer maintained (superseded by FreshTomato), organizations still running this legacy firmware remain at risk.
- CVE-2026-10190MEDIUM 6.5
A remotely exploitable vulnerability exists in Tenda W12 version 3.0.0.7(4763) that allows authenticated users to crash the device's web management interface. By sending a specially crafted request to the web timeout configuration function, an attacker with valid credentials can trigger a denial-of-service condition, rendering the device's management portal unavailable until it is restarted. Public exploit code is available, increasing the practical risk.
- CVE-2026-10224MEDIUM 5.3
A vulnerability in NousResearch's hermes-agent allows an attacker to consume resources on a server by sending specially crafted requests to a webhook endpoint. The vulnerability affects versions up to 2026.4.30 and can be triggered remotely without authentication. While the technical complexity is low, the impact is limited to availability rather than data breach or system compromise. Public exploit information exists, though NousResearch has not responded to early vendor disclosure attempts.
- CVE-2026-10650MEDIUM 5.3
A flaw in libwebsockets (a widely-used WebSocket and networking library) allows attackers to exhaust server resources by manipulating a specific message length parameter in the SSH protocol handler. The vulnerability requires network access but no authentication, and an exploit has already been published. This is a denial-of-service issue that can make affected systems unresponsive without compromising data confidentiality or integrity.
- CVE-2026-10113MEDIUM 4.3
Open5GS, an open-source 5G core network software suite, contains a vulnerability in its Shared NF-profile Parser component that can be exploited to disrupt service availability. An attacker with network access and valid authentication credentials can trigger a denial of service condition by manipulating the NF-profile parsing logic. The vulnerability affects Open5GS versions up to 2.7.7, and public exploit information is available, increasing the risk of active exploitation.
- CVE-2026-10115MEDIUM 4.3
Open5GS, an open-source 5G core network implementation, contains a flaw in how it parses network function profiles. An authenticated attacker can send a specially crafted request that causes the affected service to become unresponsive, disrupting normal operations. The vulnerability requires valid credentials to exploit and does not lead to data theft or unauthorized access—only temporary unavailability. Versions up to 2.7.7 are affected.
- CVE-2026-10116MEDIUM 4.3
A vulnerability in Open5GS, a popular open-source 5G core network implementation, allows authenticated users to trigger a denial-of-service condition by manipulating the UE authentication endpoint. The flaw resides in timer transaction handling code and can be exploited remotely by anyone with legitimate access to the authentication service. Public exploit code is available, increasing the practical risk of abuse.
- CVE-2026-10117MEDIUM 4.3
Open5GS, an open-source 5G core network implementation, contains a vulnerability in its HTTP/2 server library that can be exploited to cause a denial of service. An attacker with valid credentials can remotely trigger the issue by manipulating specific inputs to the pool allocation function, causing the application to become unresponsive or crash. Versions up to 2.7.7 are affected. Public exploit code exists, increasing the risk of opportunistic attacks.
- CVE-2026-10156MEDIUM 4.3
Open5GS, a popular open-source 5G core network implementation, contains a denial-of-service vulnerability in versions up to 2.7.7. An authenticated attacker can manipulate how the system manages network function instance information, causing the application to consume excessive resources and become unresponsive. The vulnerability has been publicly disclosed, but a patch is already available. This is a moderate-severity issue requiring prioritization for 5G infrastructure operators and anyone running affected Open5GS deployments.
- CVE-2026-10802MEDIUM 4.3
A resource consumption vulnerability exists in KeystoneJS, an open-source headless CMS and GraphQL API framework. The flaw resides in the GraphQL API endpoint handler and can be exploited by authenticated users to exhaust server resources, potentially causing a denial-of-service condition. The vulnerability affects KeystoneJS versions up to March 19, 2026. Exploitation requires valid credentials but can be performed remotely over the network.
- CVE-2026-10775LOW 3.6
CVE-2026-10775 is a denial-of-service vulnerability in SGLang's cache handling mechanism. An attacker with local system access and user-level privileges can trigger a crash or service interruption by exploiting the data_hash function in the cache handler. The attack requires specific knowledge of the system's cache internals, making it moderately difficult to execute, though proof-of-concept code has been publicly disclosed.
- CVE-2026-10197LOW 3.3
Assimp, a widely-used open-source 3D model import library, contains a flaw in its glTF2 file handler that can cause the application to crash when processing maliciously crafted glTF2 files with embedded textures. An attacker with local file system access can trigger a null pointer dereference by supplying a crafted glTF2 file, leading to denial of service. The vulnerability affects versions up to and including 6.0.4. A fix exists in pending pull request form but has not yet been merged into a stable release.
- CVE-2026-10198LOW 3.3
Assimp, a popular open-source 3D model import library, contains a flaw in its glTF file import handler that can cause the application to crash. The vulnerability stems from improper handling of certain glTF mesh data, leading to a null pointer dereference when the ImportMeshes function processes malformed or specially crafted files. An attacker with local access to a system running a vulnerable version of Assimp could trigger this crash, resulting in denial of service. The issue affects Assimp versions up to and including 6.0.4.
- CVE-2026-10199LOW 3.3
Assimp, a popular 3D asset library, contains a null pointer dereference vulnerability in its glTF2 parsing code. An attacker with local access can craft a malicious glTF2 file that triggers a crash when processed, causing a denial of service. The vulnerability affects Assimp versions up to 6.0.4 and has been publicly disclosed, though it requires local interaction and low privileges to exploit.
- CVE-2026-10201LOW 3.3
CVE-2026-10201 is a divide-by-zero flaw in Assimp (Asset Importer Library), a widely-used 3D model processing library. The defect exists in the UV Channel Handler component, specifically within the FBXExporter::WriteObjects function in FBXExporter.cpp. When a user with local access supplies specially crafted input, the vulnerability triggers a division-by-zero error that crashes the application. Because this is a local-only attack requiring user-level privileges and the impact is availability-focused (denial of service via crash), the risk is classified as low. However, the fact that proof-of-concept code has been publicly released means defenders should not assume this will remain a theoretical concern.
- CVE-2026-10295LOW 3.3
CVE-2026-10295 is a low-severity denial-of-service vulnerability in SourceCodester Customer Review App version 1.0. By manipulating the 'name' or 'comment' parameters in the review submission functions, an attacker with local access can crash or degrade the application's availability. While an exploit has been published, the attack surface is limited because local authentication is required—this is not a remote vulnerability that can be exploited from the internet.
- CVE-2026-10298LOW 3.3
A null pointer dereference vulnerability exists in whisper.cpp versions up to 1.8.2, specifically in the model loading function. An attacker with local system access can trigger this flaw to cause the application to crash or become unavailable. The vulnerability requires user privileges to exploit and does not directly compromise data confidentiality or integrity. Public exploit code is available, though the impact remains limited to denial of service on the affected system.
- CVE-2026-10705LOW 3.1
Dask, a Python library for parallel computing and distributed data processing, contains a resource exhaustion vulnerability in its HyperLogLog (approximate distinct count) functionality. An authenticated remote attacker can trigger excessive resource consumption through the nunique_approx function, potentially degrading system availability. The flaw requires significant attack complexity and specific preconditions, making real-world exploitation difficult despite being theoretically possible.