CWE-799
Allowed-with-ReviewImproper Control of Interaction Frequency
Abstraction: Class · Status: Incomplete
The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
108 vulnerabilities reference this CWE, most recent first.
GHSA-775H-3XRC-C228
Vulnerability from github – Published: 2026-03-11 00:21 – Updated: 2026-03-11 00:21Impact
Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit.
Any Parse Server deployment that relies on the built-in rate limiting feature is affected.
Patches
The fix adds a pre-flight check in the batch request handler that counts the number of sub-requests targeting each rate-limited path and rejects the entire batch request if any path's count exceeds its configured requestCount.
Note that this is a server-level rate limit that counts sub-requests within a single batch request. Requests already consumed in the current time window by previous individual or batch requests are not counted against the batch, so the effective limit may be higher when combining individual and batch requests. For comprehensive rate limiting protection, use a reverse proxy or WAF.
Workarounds
Use a reverse proxy or web application firewall (WAF) to enforce rate limiting before requests reach Parse Server.
References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.23
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0-alpha.1"
},
{
"fixed": "9.5.2-alpha.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.6.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30972"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-11T00:21:51Z",
"nvd_published_at": "2026-03-10T21:16:49Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nParse Server\u0027s rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (`/batch`) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit.\n\nAny Parse Server deployment that relies on the built-in rate limiting feature is affected.\n\n### Patches\n\nThe fix adds a pre-flight check in the batch request handler that counts the number of sub-requests targeting each rate-limited path and rejects the entire batch request if any path\u0027s count exceeds its configured `requestCount`.\n\nNote that this is a server-level rate limit that counts sub-requests within a single batch request. Requests already consumed in the current time window by previous individual or batch requests are not counted against the batch, so the effective limit may be higher when combining individual and batch requests. For comprehensive rate limiting protection, use a reverse proxy or WAF.\n\n### Workarounds\n\nUse a reverse proxy or web application firewall (WAF) to enforce rate limiting before requests reach Parse Server.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.23",
"id": "GHSA-775h-3xrc-c228",
"modified": "2026-03-11T00:21:51Z",
"published": "2026-03-11T00:21:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30972"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.23"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Parse Server has a rate limit bypass via batch request endpoint"
}
GHSA-79QG-7G83-CMF7
Vulnerability from github – Published: 2025-11-18 21:32 – Updated: 2025-11-19 18:31In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating reset password requests.
{
"affected": [],
"aliases": [
"CVE-2025-54321"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T19:15:49Z",
"severity": "CRITICAL"
},
"details": "In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating reset password requests.",
"id": "GHSA-79qg-7g83-cmf7",
"modified": "2025-11-19T18:31:18Z",
"published": "2025-11-18T21:32:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54321"
},
{
"type": "WEB",
"url": "https://github.com/saykino/CVE-2025-54321"
},
{
"type": "WEB",
"url": "https://www.ascertia.com/company/vulnerability-disclosure-policy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-823F-VX3M-4692
Vulnerability from github – Published: 2024-06-21 00:33 – Updated: 2025-07-30 18:31An attacker may be able to cause a denial-of-service condition by sending many SSH packets repeatedly.
{
"affected": [],
"aliases": [
"CVE-2024-32943"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-20T23:15:51Z",
"severity": "HIGH"
},
"details": "An attacker may be able to cause a denial-of-service condition by sending many SSH packets repeatedly.",
"id": "GHSA-823f-vx3m-4692",
"modified": "2025-07-30T18:31:26Z",
"published": "2024-06-21T00:33:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32943"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-172-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-852G-3F6P-43MM
Vulnerability from github – Published: 2024-09-11 12:30 – Updated: 2024-09-18 21:30This vulnerability exists in Reedos aiM-Star version 2.0.1 due to missing rate limiting on OTP requests in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints which could lead to the OTP bombing/flooding on the targeted system.
{
"affected": [],
"aliases": [
"CVE-2024-45788"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-11T12:15:02Z",
"severity": "HIGH"
},
"details": "This vulnerability exists in Reedos aiM-Star version 2.0.1 due to missing rate limiting on OTP requests in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints which could lead to the OTP bombing/flooding on the targeted system.",
"id": "GHSA-852g-3f6p-43mm",
"modified": "2024-09-18T21:30:44Z",
"published": "2024-09-11T12:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45788"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0291"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8XX5-GHFP-WG5C
Vulnerability from github – Published: 2024-10-04 15:31 – Updated: 2024-10-16 15:32This vulnerability exists in Shilpi Client Dashboard due to lack of rate limiting and Captcha protection for OTP requests in certain API endpoint. An unauthenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints, which could lead to the OTP bombing on the targeted system.
{
"affected": [],
"aliases": [
"CVE-2024-47654"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-04T13:15:11Z",
"severity": "HIGH"
},
"details": "This vulnerability exists in Shilpi Client Dashboard due to lack of rate limiting and Captcha protection for OTP requests in certain API endpoint. An unauthenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints, which could lead to the OTP bombing on the targeted system.",
"id": "GHSA-8xx5-ghfp-wg5c",
"modified": "2024-10-16T15:32:06Z",
"published": "2024-10-04T15:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47654"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0313"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9H9C-F287-C6VP
Vulnerability from github – Published: 2018-11-06 23:16 – Updated: 2022-09-14 22:02A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.syncope:syncope-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.syncope:syncope-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-17184"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:28:47Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.",
"id": "GHSA-9h9c-f287-c6vp",
"modified": "2022-09-14T22:02:16Z",
"published": "2018-11-06T23:16:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17184"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-9h9c-f287-c6vp"
},
{
"type": "WEB",
"url": "https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Control of Interaction Frequency in Apache syncope-core"
}
GHSA-9J2R-2287-24HF
Vulnerability from github – Published: 2026-03-13 21:31 – Updated: 2026-03-13 21:31wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts.
{
"affected": [],
"aliases": [
"CVE-2026-22216"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-13T19:54:11Z",
"severity": "MODERATE"
},
"details": "wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts.",
"id": "GHSA-9j2r-2287-24hf",
"modified": "2026-03-13T21:31:46Z",
"published": "2026-03-13T21:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22216"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/wpdiscuz"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/wpdiscuz/#developers"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/wpdiscuz-before-no-rate-limiting-on-subscription-endpoints-with-like-wildcard-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CWQF-2QF9-9MH4
Vulnerability from github – Published: 2025-03-13 12:30 – Updated: 2025-03-13 12:30This vulnerability exists in the CAP back office application due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoint which could lead to the OTP bombing/flooding on the targeted system.
{
"affected": [],
"aliases": [
"CVE-2025-29998"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-13T12:15:14Z",
"severity": "HIGH"
},
"details": "This vulnerability exists in the CAP back office application due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoint which could lead to the OTP bombing/flooding on the targeted system.",
"id": "GHSA-cwqf-2qf9-9mh4",
"modified": "2025-03-13T12:30:32Z",
"published": "2025-03-13T12:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29998"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2025-0048"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FQ34-XW6C-FPHF
Vulnerability from github – Published: 2025-09-08 20:45 – Updated: 2025-09-13 04:41Summary
The Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service.
This vulnerability only affects deployments relying on Fides's built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected.
Details
The vulnerability has two components:
- Rate limiting uses the immediate connection source IP instead of the actual client IP
- Rate limit counters are maintained in-memory per container rather than in a shared store
In production environments, these issues allow clients to exceed intended rate limits and enable attackers to trigger rate limits on infrastructure IPs, causing legitimate clients to receive 429 responses.
Impact
This vulnerability affects availability, allowing attackers to:
- Bypass rate limits, potentially leading to resource exhaustion
- Cause a denial of service for legitimate clients by deliberately triggering rate limits on infrastructure IPs
Patches
The vulnerability has been patched in Fides version 2.69.1. Users are advised to upgrade to this version or later to secure their systems against this threat.
Workarounds
There are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology.
Risk Level
This vulnerability has been assigned a severity of MEDIUM.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ethyca-fides"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.69.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-57816"
],
"database_specific": {
"cwe_ids": [
"CWE-307",
"CWE-770",
"CWE-799"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-08T20:45:51Z",
"nvd_published_at": "2025-09-08T22:15:33Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nThe Fides Webserver API\u0027s built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service.\n\nThis vulnerability only affects deployments relying on Fides\u0027s built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected.\n\n### Details\n\nThe vulnerability has two components:\n\n1. Rate limiting uses the immediate connection source IP instead of the actual client IP\n2. Rate limit counters are maintained in-memory per container rather than in a shared store\n\nIn production environments, these issues allow clients to exceed intended rate limits and enable attackers to trigger rate limits on infrastructure IPs, causing legitimate clients to receive 429 responses.\n\n### Impact\n\nThis vulnerability affects availability, allowing attackers to:\n\n- Bypass rate limits, potentially leading to resource exhaustion\n- Cause a denial of service for legitimate clients by deliberately triggering rate limits on infrastructure IPs\n\n### Patches\n\nThe vulnerability has been patched in Fides version `2.69.1`. Users are advised to upgrade to this version or later to secure their systems against this threat.\n\n### Workarounds\n\nThere are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology.\n\n### Risk Level\n\nThis vulnerability has been assigned a severity of MEDIUM.",
"id": "GHSA-fq34-xw6c-fphf",
"modified": "2025-09-13T04:41:24Z",
"published": "2025-09-08T20:45:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-fq34-xw6c-fphf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57816"
},
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c"
},
{
"type": "PACKAGE",
"url": "https://github.com/ethyca/fides"
},
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Fides Webserver API Rate Limiting Vulnerability in Proxied Environments"
}
GHSA-GJG5-GGC5-2G7V
Vulnerability from github – Published: 2025-02-14 12:31 – Updated: 2025-02-14 12:31This vulnerability exists in RupeeWeb trading platform due to missing rate limiting on OTP requests in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints which could lead to the OTP bombing/ flooding on the targeted system.
{
"affected": [],
"aliases": [
"CVE-2025-26524"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-14T12:15:29Z",
"severity": "MODERATE"
},
"details": "This vulnerability exists in RupeeWeb trading platform due to missing rate limiting on OTP requests in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints which could lead to the OTP bombing/ flooding on the targeted system.",
"id": "GHSA-gjg5-ggc5-2g7v",
"modified": "2025-02-14T12:31:39Z",
"published": "2025-02-14T12:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26524"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2025-0020"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.