Total
1356 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-12778 | 1 Aimstack | 1 Aim | 2025-10-15 | N/A | 7.5 HIGH |
| A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service (DoS) attack. The issue arises when a large number of tracked metrics are retrieved simultaneously from the Aim web API, causing the web server to become unresponsive. The root cause is the lack of a limit on the number of metrics that can be requested per call, combined with the server's single-threaded nature, leading to excessive resource consumption and blocking of the server. | |||||
| CVE-2024-11171 | 1 Librechat | 1 Librechat | 2025-10-15 | N/A | 7.5 HIGH |
| In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. The application uses multer middleware for handling multipart file uploads. When using in-memory storage (the default setting for multer), there is no limit on the upload file size. This can lead to a server crash due to out-of-memory errors when handling large files. An attacker without any privileges can exploit this vulnerability to cause a complete denial of service. The issue is fixed in version 0.7.6. | |||||
| CVE-2024-10935 | 1 Automatic1111 | 1 Stable-diffusion-webui | 2025-10-15 | N/A | 7.5 HIGH |
| automatic1111/stable-diffusion-webui version 1.10.0 contains a vulnerability where the server fails to handle excessive characters appended to the end of multipart boundaries. This flaw can be exploited by sending malformed multipart requests with arbitrary characters at the end of the boundary, leading to excessive resource consumption and a complete denial of service (DoS) for all users. The vulnerability is unauthenticated, meaning no user login or interaction is required for an attacker to exploit this issue. | |||||
| CVE-2024-10714 | 1 Binary-husky | 1 Gpt Academic | 2025-10-15 | N/A | 7.5 HIGH |
| A vulnerability in binary-husky/gpt_academic version 3.83 allows an attacker to cause a Denial of Service (DoS) by adding excessive characters to the end of a multipart boundary during file upload. This results in the server continuously processing each character and displaying warnings, rendering the application inaccessible. The issue occurs when the terminal shows a warning: 'multipart.multipart Consuming a byte '0x2d' in end state'. | |||||
| CVE-2024-10713 | 2025-10-15 | N/A | 7.5 HIGH | ||
| A vulnerability in szad670401/hyperlpr v3.0 allows for a Denial of Service (DoS) attack. The server fails to handle excessive characters appended to the end of multipart boundaries, regardless of the character used. This flaw can be exploited by sending malformed multipart requests with arbitrary characters at the end of the boundary, leading to excessive resource consumption and a complete denial of service for all users. The vulnerability is unauthenticated, meaning no user login or interaction is required for an attacker to exploit this issue. | |||||
| CVE-2024-10650 | 1 Gaizhenbiao | 1 Chuanhuchatgpt | 2025-10-15 | N/A | 7.5 HIGH |
| An unauthenticated Denial of Service (DoS) vulnerability was identified in ChuanhuChatGPT version 20240918, which could be exploited by sending large data payloads using a multipart boundary. Although a patch was applied for CVE-2024-7807, the issue can still be exploited by sending data in groups with 10 characters in a line, with multiple lines. This can cause the system to continuously process these characters, resulting in prolonged unavailability of the service. The exploitation now requires low privilege if authentication is enabled due to a version upgrade in Gradio. | |||||
| CVE-2024-10225 | 1 Hliu | 1 Llava | 2025-10-15 | N/A | 7.5 HIGH |
| A vulnerability in haotian-liu/llava v1.2.0 allows an attacker to cause a Denial of Service (DoS) by appending a large number of characters to the end of a multipart boundary in a file upload request. This causes the server to continuously process each character, rendering the application inaccessible. | |||||
| CVE-2024-10051 | 2025-10-15 | N/A | 7.5 HIGH | ||
| Realchar version v0.0.4 is vulnerable to an unauthenticated denial of service (DoS) attack. The vulnerability exists in the file upload request handling, where appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request causes the server to continuously process each character. This leads to excessive resource consumption and renders the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service. | |||||
| CVE-2025-36171 | 3 Ibm, Linux, Microsoft | 3 Aspera Faspex, Linux Kernel, Windows | 2025-10-14 | N/A | 4.9 MEDIUM |
| IBM Aspera Faspex 5.0.0 through 5.0.13.1 could allow a privileged user to cause a denial of service from improperly validated API input due to excessive resource consumption. | |||||
| CVE-2025-61775 | 2025-10-14 | N/A | N/A | ||
| Vickey is a Misskey-based microblogging platform. A vulnerability exists in Vickey prior to version 2025.10.0 where unexpired email confirmation links can be reused multiple times to send repeated confirmation emails to a verified email address. Under certain conditions, a verified email address could receive repeated confirmation messages if the verification link was accessed multiple times. This issue may result in unintended email traffic but does not expose user data. The issue was addressed in version 2025.10.0 by improving validation logic to ensure verification links behave as expected after completion. | |||||
| CVE-2025-41704 | 2025-10-14 | N/A | 5.3 MEDIUM | ||
| An unauthanticated remote attacker can perform a DoS of the Modbus service by sending a specific function and sub-function code without affecting the core functionality. | |||||
| CVE-2025-9177 | 2025-10-14 | N/A | N/A | ||
| A denial-of-service security issue exists in the affected product and version. The security issue stems from a high number of requests sent to the web server. This could result in a web server crash however; this does not impact I/O control or communication . A power cycle is required to recover and utilize the webpage. | |||||
| CVE-2025-27911 | 1 Datalust | 1 Seq | 2025-10-10 | N/A | 6.5 MEDIUM |
| An issue was discovered in Datalust Seq before 2024.3.13545. Expansion of identifiers in message templates can be used to bypass the system "Event body limit bytes" setting, leading to increased resource consumption. With sufficiently large events, there can be disk space exhaustion (if saved to disk) or a termination of the server process with an out-of-memory error. | |||||
| CVE-2024-0081 | 1 Nvidia | 1 Nemo | 2025-10-10 | N/A | 8.6 HIGH |
| NVIDIA NeMo framework for Ubuntu contains a vulnerability in tools/asr_webapp where an attacker may cause an allocation of resources without limits or throttling. A successful exploit of this vulnerability may lead to a server-side denial of service. | |||||
| CVE-2025-59830 | 1 Rack | 1 Rack | 2025-10-10 | N/A | 7.5 HIGH |
| Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector. This issue has been patched in version 2.2.18. | |||||
| CVE-2025-49007 | 1 Rack | 1 Rack | 2025-10-10 | N/A | 5.3 MEDIUM |
| Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability. | |||||
| CVE-2025-20370 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2025-10-08 | N/A | 4.9 MEDIUM |
| In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a user who holds a role that contains the high-privilege capability `change_authentication`, could send multiple LDAP bind requests to a specific internal endpoint, resulting in high server CPU usage, which could potentially lead to a denial of service (DoS) until the Splunk Enterprise instance is restarted. See https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities and https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/use-ldap-as-an-authentication-scheme/configure-ldap-with-splunk-web#cfe47e31_007f_460d_8b3d_8505ffc3f0dd__Configure_LDAP_with_Splunk_Web for more information. | |||||
| CVE-2025-44012 | 1 Qnap | 1 Qsync Central | 2025-10-08 | N/A | 6.5 MEDIUM |
| An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.2 ( 2025/07/31 ) and later | |||||
| CVE-2024-6598 | 1 Knime | 1 Business Hub | 2025-10-08 | N/A | 6.5 MEDIUM |
| A denial-of-service attack is possible through the execution functionality of KNIME Business Hub 1.10.0 and 1.10.1. It allows an authenticated attacker with job execution privileges to execute a job that causes internal messages to pile up until there are no more resources available for processing new messages. This leads to an outage of most functionality of KNIME Business Hub. Recovery from the situation is only possible by manual administrator interaction. Please contact our support for instructions in case you have run into this situation. Updating to KNIME Business Hub 1.10.2 or later solves the problem. | |||||
| CVE-2025-52867 | 1 Qnap | 1 Qsync Central | 2025-10-08 | N/A | 6.5 MEDIUM |
| An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.2 ( 2025/07/31 ) and later | |||||