Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5412 vulnerabilities reference this CWE, most recent first.

GHSA-WHJ4-6X5X-4V2J

Vulnerability from github – Published: 2026-04-13 19:22 – Updated: 2026-04-27 16:21
VLAI
Summary
FITS GZIP decompression bomb in Pillow
Details

Impact

Pillow did not limit the amount of GZIP-compressed data read when decoding a FITS image, making it vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation).

Patches

The amount of data read is now limited to the necessary amount. Fixed in Pillow 12.2.0 (PR #9521).

Workarounds

Avoid Pillow >= 10.3.0, < 12.2.0 Only open specific image formats, excluding FITS.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pillow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.3.0"
            },
            {
              "fixed": "12.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40192"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-13T19:22:35Z",
    "nvd_published_at": "2026-04-15T23:16:10Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nPillow did not limit the amount of GZIP-compressed data read when decoding a FITS image, making it vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation).\n\n### Patches\nThe amount of data read is now limited to the necessary amount.\nFixed in Pillow 12.2.0 (PR #9521).\n\n### Workarounds\nAvoid Pillow \u003e= 10.3.0, \u003c 12.2.0\nOnly open [specific image formats](https://pillow.readthedocs.io/en/stable/releasenotes/8.0.0.html#image-open-add-formats-parameter), excluding FITS.",
  "id": "GHSA-whj4-6x5x-4v2j",
  "modified": "2026-04-27T16:21:39Z",
  "published": "2026-04-13T19:22:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40192"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-pillow/Pillow/pull/9521"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/python-pillow/Pillow"
    },
    {
      "type": "WEB",
      "url": "https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html#prevent-fits-decompression-bomb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "FITS GZIP decompression bomb in Pillow"
}

GHSA-WHJ9-M24X-QHHP

Vulnerability from github – Published: 2023-06-22 20:00 – Updated: 2023-06-22 20:00
VLAI
Summary
FastAsyncWorldEdit vulnerable to Uncontrolled Resource Consumption
Details

Coordinated Disclosure Timeline

  • 10.06.2023: Issue reported to IntellectualSites
  • 11.06.2023: Issue is acknowledged
  • 12.06.2023: Issue has been fixed
  • 22.06.2023: Advisory has been published

Impacted version range

Before 2.6.3

Details

Proof of Concept

As a user, do the following:

  1. Select position 1 via //pos1
  2. Select position 2 adding the "Infinity" keyword via //pos2 Infinity
  3. Execute any further operation.

The steps 1 and 2 are interchangeable.

Impact

Such a task has a possibility of bringing the performing server down.

CVE

  • CVE-2023-35925

Credit

This issue was discovered and reported by @SuperMonis.

Solution

On June 12, 2023, a patch, https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285, has been merged addressing the vulnerability. We strongly recommend users to update their version of FastAsyncWorldEdit to 2.6.3 as soon as possible.

Workarounds

There is no direct mitigation besides updating FastAsyncWorldEdit to a patched version.

Additional Information

Users with access to the logs/ folder or shell access on their server can try to identify possible abuses of this issue by going through the logs. To sieve through the data, you can use the regex query \/\/pos[12] Infinity, then investigate all log entries that return results.

Disclosure Policy

If you discover a security vulnerability within our software, please report the issue according to our vulnerability disclosure policy.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fastasyncworldedit:FastAsyncWorldEdit-Core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fastasyncworldedit:FastAsyncWorldEdit-Bukkit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-35925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-22T20:00:36Z",
    "nvd_published_at": "2023-06-23T16:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Coordinated Disclosure Timeline\n\n- 10.06.2023: Issue reported to IntellectualSites\n- 11.06.2023: Issue is acknowledged\n- 12.06.2023: Issue has been fixed\n- 22.06.2023: Advisory has been published\n\n### Impacted version range\n\nBefore 2.6.3\n\n### Details\n\n#### Proof of Concept\n\nAs a user, do the following:\n\n1. Select position 1 via `//pos1`\n2. Select position 2 adding the \"Infinity\" keyword via `//pos2 Infinity`\n3. Execute any further operation.\n\nThe steps 1 and 2 are interchangeable.\n\n#### Impact\n\nSuch a task has a possibility of bringing the performing server down.\n\n#### CVE\n\n- CVE-2023-35925\n\n#### Credit\n\nThis issue was discovered and [reported](https://github.com/IntellectualSites/.github/blob/main/SECURITY.md) by @SuperMonis.\n\n### Solution\n\nOn June 12, 2023, a patch, https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285, has been merged addressing the vulnerability.\nWe strongly recommend users to update their version of FastAsyncWorldEdit to 2.6.3 as soon as possible.\n\n### Workarounds\n\nThere is no direct mitigation besides updating FastAsyncWorldEdit to a patched version.\n\n### Additional Information\n\nUsers with access to the `logs/` folder or shell access on their server can try to identify possible abuses of this issue by going through the logs.\nTo sieve through the data, you can use the regex query `\\/\\/pos[12] Infinity`, then investigate all log entries that return results.\n\n### Disclosure Policy\n\nIf you discover a security vulnerability within our software, please report the issue according to our [vulnerability disclosure policy](https://github.com/IntellectualSites/.github/blob/main/SECURITY.md).",
  "id": "GHSA-whj9-m24x-qhhp",
  "modified": "2023-06-22T20:00:36Z",
  "published": "2023-06-22T20:00:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35925"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IntellectualSites/FastAsyncWorldEdit/releases/tag/2.6.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FastAsyncWorldEdit vulnerable to Uncontrolled Resource Consumption"
}

GHSA-WHVX-2M69-J66G

Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2022-11-14 19:00
VLAI
Details

In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-20446"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-02T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.",
  "id": "GHSA-whvx-2m69-j66g",
  "modified": "2022-11-14T19:00:25Z",
  "published": "2022-05-24T17:07:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20446"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/librsvg/issues/515"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00016.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221111-0004"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4436-1"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00024.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WJ37-MPQ9-XRCM

Vulnerability from github – Published: 2024-04-26 09:30 – Updated: 2025-05-12 21:48
VLAI
Summary
Mattermost fails to limit the number of active sessions
Details

Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.6.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.6.0-rc1"
            },
            {
              "fixed": "9.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.5.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.5.0"
            },
            {
              "fixed": "9.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.4.4"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.4.0"
            },
            {
              "fixed": "9.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.1.11"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.1.0"
            },
            {
              "fixed": "8.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-4183"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-26T19:10:41Z",
    "nvd_published_at": "2024-04-26T09:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.",
  "id": "GHSA-wj37-mpq9-xrcm",
  "modified": "2025-05-12T21:48:38Z",
  "published": "2024-04-26T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4183"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/86920d641760552c5aafa5e1d14c93bd30039bc4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/9d81eee979aee93374bff8ba6714d805e12ffb03"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/b45c3dac4c160992a1ce757ade968e8f5ec506c1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/bc699e6789cf3ba1544235087897699aaa639e7d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost fails to limit the number of active sessions"
}

GHSA-WJ55-VQCQ-GXCP

Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2025-11-04 00:30
VLAI
Details

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-10T17:42:00Z",
    "severity": "MODERATE"
  },
  "details": "There\u0027s a flaw in urllib\u0027s AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.",
  "id": "GHSA-wj55-vqcq-gxcp",
  "modified": "2025-11-04T00:30:31Z",
  "published": "2022-03-11T00:02:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3733"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/pull/24391"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/7215d1ae25525c92b026166f9d5cac85fb"
    },
    {
      "type": "WEB",
      "url": "https://bugs.python.org/issue43075"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995234"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220407-0001"
    },
    {
      "type": "WEB",
      "url": "https://ubuntu.com/security/CVE-2021-3733"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WJG4-WR5G-F28X

Vulnerability from github – Published: 2022-04-29 02:59 – Updated: 2022-04-29 02:59
VLAI
Details

Opera 7.54 allows remote attackers to cause a denial of service (application crash from memory exhaustion), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2004-1201"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2005-01-10T05:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Opera 7.54 allows remote attackers to cause a denial of service (application crash from memory exhaustion), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays.",
  "id": "GHSA-wjg4-wr5g-f28x",
  "modified": "2022-04-29T02:59:09Z",
  "published": "2022-04-29T02:59:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2004-1201"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18282"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=full-disclosure\u0026m=110141347502530\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=full-disclosure\u0026m=110144136213993\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/11762"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WJH7-W5FX-RQ52

Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2023-08-16 18:30
VLAI
Details

A vulnerability in the TCP packet processing of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a memory exhaustion condition. An attacker could exploit this vulnerability by sending a high rate of crafted TCP traffic through an affected device. A successful exploit could allow the attacker to exhaust device resources, resulting in a DoS condition for traffic transiting the affected device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-3554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-21T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the TCP packet processing of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a memory exhaustion condition. An attacker could exploit this vulnerability by sending a high rate of crafted TCP traffic through an affected device. A successful exploit could allow the attacker to exhaust device resources, resulting in a DoS condition for traffic transiting the affected device.",
  "id": "GHSA-wjh7-w5fx-rq52",
  "modified": "2023-08-16T18:30:19Z",
  "published": "2022-05-24T17:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3554"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-dos-QFcNEPfx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WJJC-M3FC-FCM8

Vulnerability from github – Published: 2022-05-17 05:52 – Updated: 2024-11-26 18:40
VLAI
Summary
MoinMoin Denial of Service vulnerability via password_checker function
Details

The password_checker function in config/multiconfig.py in MoinMoin prior to version 1.6.1 uses the cracklib and python-crack features even though they are not thread-safe, which allows remote attackers to cause a denial of service (segmentation fault and crash) via unknown vectors.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "moin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2008-6549"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-09T19:33:55Z",
    "nvd_published_at": "2009-03-30T01:30:00Z",
    "severity": "HIGH"
  },
  "details": "The password_checker function in `config/multiconfig.py` in MoinMoin prior to version 1.6.1 uses the cracklib and python-crack features even though they are not thread-safe, which allows remote attackers to cause a denial of service (segmentation fault and crash) via unknown vectors.",
  "id": "GHSA-wjjc-m3fc-fcm8",
  "modified": "2024-11-26T18:40:12Z",
  "published": "2022-05-17T05:52:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6549"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moinwiki/moin"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/moin/PYSEC-2009-12.yaml"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20080410051007/http://moinmo.in/SecurityFixes"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20211206185024/http://hg.moinmo.in/moin/1.6/rev/35ff7a9b1546"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MoinMoin Denial of Service vulnerability via password_checker function"
}

GHSA-WJJX-5Q7V-M436

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Agent Next Gen). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise Manager Base Platform as well as unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform accessible data. CVSS 3.1 Base Score 8.2 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T10:54:04Z",
    "severity": "HIGH"
  },
  "details": "Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Agent Next Gen).  Supported versions that are affected are 13.5 and  24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise Manager Base Platform as well as  unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform accessible data. CVSS 3.1 Base Score 8.2 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).",
  "id": "GHSA-wjjx-5q7v-m436",
  "modified": "2026-06-17T18:35:33Z",
  "published": "2026-06-17T18:35:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46866"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cspujun2026.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WJM3-FQ3R-5X46

Vulnerability from github – Published: 2021-05-18 21:07 – Updated: 2024-05-20 21:31
VLAI
Summary
github.com/tidwall/gjson is vulnerable to Denial of service
Details

GJSON <1.6.5 allows attackers to cause a denial of service (remote) via crafted JSON.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tidwall/gjson"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36066"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-18T21:00:38Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "GJSON \u003c1.6.5 allows attackers to cause a denial of service (remote) via crafted JSON.",
  "id": "GHSA-wjm3-fq3r-5x46",
  "modified": "2024-05-20T21:31:34Z",
  "published": "2021-05-18T21:07:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36066"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tidwall/gjson/issues/195"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tidwall/gjson/issues/195#issuecomment-755303148"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tidwall/gjson/commit/9f58baa7a613f89dfdc764c39e47fd3a15606153"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tidwall/gjson"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0957"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "github.com/tidwall/gjson is vulnerable to Denial of service"
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.