By weakness (CWE)
CWE-770: related vulnerabilities
CVEs classified under CWE-770. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
7 published vulnerabilities
- CVE-2026-28299HIGH 8.2
SolarWinds Web Help Desk contains a denial-of-service vulnerability that allows attackers to crash the server by exhausting memory resources. No authentication or user interaction is required—an attacker on the network can trigger this condition remotely, making it straightforward to exploit. While the vulnerability does not expose sensitive data or allow unauthorized changes to the system, the ability to take down your help desk platform creates immediate business disruption.
- CVE-2025-46638HIGH 7.5
Dell BSAFE SSL-J contains a resource exhaustion vulnerability that allows an unauthenticated attacker on the network to overwhelm the application by allocating unbounded resources without limits or throttling mechanisms. This causes a denial of service condition, rendering the service unavailable to legitimate users. No authentication is required to trigger the flaw, making it accessible to any remote attacker.
- CVE-2026-34077HIGH 7.5
React Router versions 7.7.0 through 7.13.1 contain a client-side Cross-Site Scripting (XSS) vulnerability when using the unstable React Server Components (RSC) APIs. If an application accepts redirect parameters from untrusted sources and processes them through React Router's RSC redirect handling, an attacker could inject malicious scripts that execute in users' browsers. The vulnerability does not affect applications that do not use the unstable RSC APIs. Shopify's React Router package released patch version 7.13.2 to address this issue.
- CVE-2026-36499MEDIUM 6.5
Open vSwitch v3.6.90 contains a flaw that allows someone with write access to its configuration database to cause the software to allocate an unreasonably large number of worker threads. By requesting more threads than the system can handle, an attacker can exhaust memory and CPU resources, effectively shutting down the switch. The vulnerability requires existing database access, limiting the immediate threat surface, but represents a significant availability risk in environments where OVSDB write permissions are not tightly controlled.
- CVE-2026-40990MEDIUM 5.7
A resource exhaustion flaw exists in Spring Cloud Function that allows an attacker to trigger out-of-memory (OOM) errors by registering an excessive number of functions in the Function Registry. The vulnerability requires local or adjacent network access and user interaction, making it a medium-severity concern primarily affecting development and hybrid deployment environments. Multiple versions across Spring Cloud Function 3.2 through 5.0 are vulnerable.
- CVE-2026-40898MEDIUM 5.3
quic-go, a Go-based QUIC protocol library, contains a denial-of-service flaw in its HTTP/3 implementation that allows remote attackers to exhaust server and client memory by sending malicious HTTP trailer fields. The vulnerability stems from inadequate validation of decoded trailer sizes—the library checks the compressed frame size but fails to enforce limits on the decompressed result. An attacker can craft QPACK-encoded headers with numerous unique field names or oversized values in the trailer section, forcing unbounded memory allocation and potentially crashing affected services.
- CVE-2026-10533MEDIUM 5.0
A vulnerability in OpenShift Container Platform allows non-privileged users to circumvent resource quota enforcement by creating pods with a never-restart policy. These pods and their associated Kubernetes events are not counted against quota limits, enabling an attacker to flood the cluster's event database (etcd) with activity. The resulting accumulation degrades API server performance across the entire cluster, affecting all users and workloads.