Total
2621 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-54113 | 1 Huawei | 1 Harmonyos | 2025-09-18 | N/A | 6.5 MEDIUM |
| Process residence vulnerability in abnormal scenarios in the print module Impact: Successful exploitation of this vulnerability may affect power consumption. | |||||
| CVE-2024-51513 | 1 Huawei | 1 Harmonyos | 2025-09-18 | N/A | 5.5 MEDIUM |
| Vulnerability of processes not being fully terminated in the VPN module Impact: Successful exploitation of this vulnerability will affect power consumption. | |||||
| CVE-2025-59139 | 1 Hono | 1 Hono | 2025-09-17 | N/A | 5.3 MEDIUM |
| Hono is a Web application framework that provides support for any JavaScript runtime. In versions prior to 4.9.7, a flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present. The middleware previously prioritized the `Content-Length` header even when a `Transfer-Encoding: chunked` header was also included. According to the HTTP specification, `Content-Length` must be ignored in such cases. This discrepancy could allow oversized request bodies to bypass the configured limit. Most standards-compliant runtimes and reverse proxies may reject such malformed requests with `400 Bad Request`, so the practical impact depends on the runtime and deployment environment. If body size limits are used as a safeguard against large or malicious requests, this flaw could allow attackers to send oversized request bodies. The primary risk is denial of service (DoS) due to excessive memory or CPU consumption when handling very large requests. The implementation has been updated to align with the HTTP specification, ensuring that `Transfer-Encoding` takes precedence over `Content-Length`. The issue is fixed in Hono v4.9.7, and all users should upgrade immediately. | |||||
| CVE-2024-27354 | 2 Debian, Phpseclib | 2 Debian Linux, Phpseclib | 2025-09-15 | N/A | 7.5 HIGH |
| An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. An attacker can construct a malformed certificate containing an extremely large prime to cause a denial of service (CPU consumption for an isPrime primality check). NOTE: this issue was introduced when attempting to fix CVE-2023-27560. | |||||
| CVE-2024-27355 | 2 Debian, Phpseclib | 2 Debian Linux, Phpseclib | 2025-09-15 | N/A | 7.5 HIGH |
| An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for decodeOID). | |||||
| CVE-2025-43796 | 2025-09-15 | N/A | N/A | ||
| Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing queries that return a large number of objects. | |||||
| CVE-2025-54796 | 1 9001 | 1 Copyparty | 2025-09-12 | N/A | 7.5 HIGH |
| Copyparty is a portable file server. Versions prior to 1.18.9, the filter parameter for the "Recent Uploads" page allows arbitrary RegExes. If this feature is enabled (which is the default), an attacker can craft a filter which deadlocks the server. This is fixed in version 1.18.9. | |||||
| CVE-2025-8537 | 1 Axiosys | 1 Bento4 | 2025-09-12 | 2.6 LOW | 3.7 LOW |
| A vulnerability, which was classified as problematic, was found in Axiomatic Bento4 up to 1.6.0-641. Affected is the function AP4_DataBuffer::SetDataSize of the file Mp4Decrypt.cpp of the component mp4decrypt. The manipulation leads to allocation of resources. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-9308 | 1 Yarnpkg | 1 Yarn | 2025-09-12 | 1.7 LOW | 3.3 LOW |
| A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. Local access is required to approach this attack. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-48038 | 2025-09-11 | N/A | N/A | ||
| Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12. | |||||
| CVE-2025-48039 | 2025-09-11 | N/A | N/A | ||
| Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12. | |||||
| CVE-2025-48041 | 2025-09-11 | N/A | N/A | ||
| Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12. | |||||
| CVE-2025-20340 | 2025-09-11 | N/A | 7.4 HIGH | ||
| A vulnerability in the Address Resolution Protocol (ARP) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a broadcast storm, leading to a denial of service (DoS) condition on an affected device. This vulnerability is due to how Cisco IOS XR Software processes a high, sustained rate of ARP traffic hitting the management interface. Under certain conditions, an attacker could exploit this vulnerability by sending an excessive amount of traffic to the management interface of an affected device, overwhelming its ARP processing capabilities. A successful exploit could result in degraded device performance, loss of management connectivity, and complete unresponsiveness of the system, leading to a DoS condition. | |||||
| CVE-2025-48040 | 2025-09-11 | N/A | N/A | ||
| Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12. | |||||
| CVE-2025-55631 | 2025-09-11 | N/A | 4.0 MEDIUM | ||
| Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 was discovered to manage users' sessions system wide instead of an account-by-account basis, potentially leading to a Denial of Service (DoS) via resource exhaustion. NOTE: the Supplier reports that the system-wide limit is intentional. | |||||
| CVE-2025-55521 | 1 Akaunting | 1 Akaunting | 2025-09-10 | N/A | 6.5 MEDIUM |
| An issue in the component /settings/localisation of Akaunting v3.1.18 allows authenticated attackers to cause a Denial of Service (DoS) via a crafted POST request. | |||||
| CVE-2025-57614 | 1 Meh.schizofreni | 1 Rust-ffmpeg | 2025-09-10 | N/A | 7.5 HIGH |
| An issue was discovered in rust-ffmpeg 0.3.0 (after comit 5ac0527) Integer overflow and invalid input vulnerability in the cached method allows an attacker to cause a denial of service or potentially execute arbitrary code. The vulnerability occurs when dimension parameters are zero or exceed i32::MAX, leading to an unchecked cast that violates the underlying C function's preconditions and triggers undefined behavior. | |||||
| CVE-2024-39693 | 1 Vercel | 1 Next.js | 2025-09-10 | N/A | 7.5 HIGH |
| Next.js is a React framework. A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server. his vulnerability was resolved in Next.js 13.5 and later. | |||||
| CVE-2025-58451 | 2025-09-09 | N/A | N/A | ||
| Cattown is a JavaScript markdown parser. Versions prior to 1.0.2 used regular expressions with inefficient, potentially exponential worst-case complexity. This could cause excessive CPU usage due to excessive backtracking on crafted inputs. In turn, the excessive CPU usage could lead to resource exhaustion, where processing malicious inputs could cause high CPU or memory usage, potentially leading to denial of service. Version 1.0.2 contains a patch. Additionally, users should review and restrict input sources if untrusted inputs are processed. | |||||
| CVE-2025-52494 | 1 Adacore | 1 Ada Web Server | 2025-09-08 | N/A | 7.5 HIGH |
| Adacore Ada Web Server (AWS) before 25.2 is vulnerable to a denial-of-service (DoS) condition due to improper handling of SSL handshakes during connection initialization. When a client initiates an HTTPS connection, the server performs the SSL handshake before assigning the connection to a processing slot. However, there is no specific timeout set for this phase, and the server uses the default socket timeout, which is effectively infinite. An attacker can exploit this by sending a malformed TLS ClientHello message with incorrect length values. This causes the server to wait indefinitely for data that never arrives, blocking the worker thread (Line) handling the connection. By opening multiple such connections, up to the server's maximum limit, the attacker can exhaust all available working threads, preventing the server from handling new, legitimate requests. | |||||