Total
1554 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-68148 | 2025-12-27 | 4.3 Medium | ||
| FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, An attacker could globally deny access to feeds via proxy modifying to 429 Retry-After for a large list of feeds on given instance, making it unusable for majority of users. This issue has been patched in version 1.28.0. | ||||
| CVE-2021-47713 | 1 Hasura | 1 Graphql Engine | 2025-12-26 | 7.5 High |
| Hasura GraphQL 1.3.3 contains a denial of service vulnerability that allows attackers to overwhelm the service by crafting malicious GraphQL queries with excessive nested fields. Attackers can send repeated requests with extremely long query strings and multiple threads to consume server resources and potentially crash the GraphQL endpoint. | ||||
| CVE-2025-11419 | 1 Redhat | 1 Build Keycloak | 2025-12-23 | 7.5 High |
| A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable. | ||||
| CVE-2025-14157 | 1 Gitlab | 1 Gitlab | 2025-12-23 | 6.5 Medium |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafted API calls with large content parameters. | ||||
| CVE-2025-4097 | 1 Gitlab | 1 Gitlab | 2025-12-23 | 6.5 Medium |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images. | ||||
| CVE-2025-12562 | 1 Gitlab | 1 Gitlab | 2025-12-23 | 7.5 High |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted GraphQL queries that bypass query complexity limits. | ||||
| CVE-2025-12044 | 1 Hashicorp | 2 Vault, Vault Enterprise | 2025-12-23 | 7.5 High |
| Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [+HCSEC-2025-24+|https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393] which allowed for processing JSON payloads before applying rate limits. This vulnerability, CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0. | ||||
| CVE-2024-0563 | 1 M-files | 1 M-files Server | 2025-12-23 | 4.3 Medium |
| Denial of service condition in M-Files Server in versions before 24.2 (excluding 23.2 SR7 and 23.8 SR5) allows anonymous user to cause denial of service against other anonymous users. | ||||
| CVE-2025-47287 | 3 Debian, Redhat, Tornadoweb | 7 Debian Linux, Enterprise Linux, Rhel E4s and 4 more | 2025-12-23 | 7.5 High |
| Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy. | ||||
| CVE-2025-68389 | 1 Elastic | 1 Kibana | 2025-12-23 | 6.5 Medium |
| Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request. | ||||
| CVE-2025-68384 | 1 Elastic | 1 Elasticsearch | 2025-12-23 | 6.5 Medium |
| Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user settings data. | ||||
| CVE-2025-68390 | 1 Elastic | 1 Elasticsearch | 2025-12-23 | 4.9 Medium |
| Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via crafted HTTP request. | ||||
| CVE-2025-68388 | 2 Elastic, Elasticsearch | 2 Packetbeat, Packetbeat | 2025-12-23 | 5.3 Medium |
| Allocation of resources without limits or throttling (CWE-770) allows an unauthenticated remote attacker to cause excessive allocation (CAPEC-130) of memory and CPU via the integration of malicious IPv4 fragments, leading to a degradation in Packetbeat. | ||||
| CVE-2024-26710 | 1 Linux | 1 Linux Kernel | 2025-12-23 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: powerpc/kasan: Limit KASAN thread size increase to 32KB KASAN is seen to increase stack usage, to the point that it was reported to lead to stack overflow on some 32-bit machines (see link). To avoid overflows the stack size was doubled for KASAN builds in commit 3e8635fb2e07 ("powerpc/kasan: Force thread size increase with KASAN"). However with a 32KB stack size to begin with, the doubling leads to a 64KB stack, which causes build errors: arch/powerpc/kernel/switch.S:249: Error: operand out of range (0x000000000000fe50 is not between 0xffffffffffff8000 and 0x0000000000007fff) Although the asm could be reworked, in practice a 32KB stack seems sufficient even for KASAN builds - the additional usage seems to be in the 2-3KB range for a 64-bit KASAN build. So only increase the stack for KASAN if the stack size is < 32KB. | ||||
| CVE-2025-14299 | 1 Tp-link | 3 Tapo, Tapo C200, Tapo C200 V3 | 2025-12-23 | N/A |
| The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocation, causing the device to crash and resulting in denial-of-service (DoS). | ||||
| CVE-2025-13836 | 1 Python | 1 Cpython | 2025-12-22 | 6.8 Medium |
| When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS. | ||||
| CVE-2025-12084 | 1 Python | 2 Cpython, Python | 2025-12-22 | 5.3 Medium |
| When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. | ||||
| CVE-2025-13837 | 1 Python | 1 Cpython | 2025-12-22 | 5.9 Medium |
| When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues | ||||
| CVE-2024-28102 | 3 Debian, Latchset, Redhat | 4 Debian Linux, Jwcrypto, Ansible Automation Platform and 1 more | 2025-12-22 | 6.8 Medium |
| JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length. | ||||
| CVE-2025-11374 | 1 Hashicorp | 1 Consul | 2025-12-22 | 6.5 Medium |
| Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length header validation. This vulnerability, CVE-2025-11374, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12. | ||||