CVEs classified under CWE-407, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-58226: Inefficient Algorithmic Complexity vulnerability in elixir-mint hpax allows unauthenticated denial-of-service via unbounded HPACK integer…
CVE-2026-54892: Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service…
CVE-2026-59094 — CVSS 7.5 (high): Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed document paths using a…
CVE-2026-53433 — CVSS 7.5 (high): fzf is vulnerable to a Denial of Service (DoS) due to inefficient HTTP body processing in the --listen mode due to inefficient HTTP body…
CVE-2026-13311 — CVSS 7.5 (high): shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and…
CVE-2026-48516 — CVSS 7.5 (high): MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter<TKey,TElement> constructs an…
CVE-2026-48511 — CVSS 7.5 (high): MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates…
CVE-2026-41850 — CVSS 7.5 (high): Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service…
CVE-2026-8889 — CVSS 7.5 (high): Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist…
CVE-2026-42504 — CVSS 7.5 (high): Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.
CVE-2026-44378 — CVSS 7.5 (high): Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic…
CVE-2026-48959 — CVSS 7.5 (high): IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward() compares…
CVE-2026-41292 — CVSS 7.5 (high): NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of…
CVE-2026-42245 — CVSS 7.5 (high): Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4…
CVE-2026-43967 — CVSS 7.5 (high): Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic…
CVE-2026-40476 — CVSS 7.5 (high): graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs…
CVE-2025-67841 — CVSS 7.5 (high): Nordic Semiconductor IronSide SE for nRF54H20 before 23.0.2+17 has an Algorithmic complexity issue.
CVE-2026-31937 — CVSS 7.5 (high): Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15, inefficiency in DCERPC buffering can lead to a performance…
CVE-2026-31934 — CVSS 7.5 (high): Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, there is a quadratic complexity issue when…
CVE-2026-31933 — CVSS 7.5 (high): Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, specially crafted traffic can cause Suricata to slow…
CVE-2026-31932 — CVSS 7.5 (high): Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, inefficiency in KRB5 buffering can lead to performance…
CVE-2026-34573 — CVSS 7.5 (high): Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and…
CVE-2026-3988 — CVSS 7.5 (high): GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1…
CVE-2026-27903 — CVSS 7.5 (high): minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7…
CVE-2026-1285 — CVSS 7.5 (high): An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and…
CVE-2025-14550 — CVSS 7.5 (high): An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a…
CVE-2025-64460 — CVSS 7.5 (high): An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xm…
CVE-2025-11230 — CVSS 7.5 (high): Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON…
CVE-2025-64458 — CVSS 7.5 (high): An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As…
CVE-2025-58187 — CVSS 7.5 (high): Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size…
CVE-2025-62727 — CVSS 7.5 (high): Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can…
CVE-2025-27209 — CVSS 7.5 (high): The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the…
CVE-2024-8233 — CVSS 7.5 (high): An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An…
CVE-2023-4408 — CVSS 7.5 (high): The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for…
CVE-2024-23684 — CVSS 7.5 (high): Inefficient algorithmic complexity in DecodeFromBytes function in com.upokecenter.cbor Java implementation of Concise Binary Object…
CVE-2024-21909 — CVSS 7.5 (high): PeterO.Cbor versions 4.0.0 through 4.5.0 are vulnerable to a denial of service vulnerability. An attacker may trigger the denial of service…
CVE-2022-45061 — CVSS 7.5 (high): An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the…
CVE-2022-40188 — CVSS 7.5 (high): Knot Resolver before 5.5.3 allows remote attackers to cause a denial of service (CPU consumption) because of algorithmic complexity. During…
CVE-2022-39209 — CVSS 7.5 (high): cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a…
CVE-2022-22153 — CVSS 7.5 (high): An Insufficient Algorithmic Complexity combined with an Allocation of Resources Without Limits or Throttling vulnerability in the flow…
CVE-2021-33582 — CVSS 7.5 (high): Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled…
CVE-2018-12558 — CVSS 7.5 (high): The parse() method in the Email::Address module through 1.909 for Perl is vulnerable to Algorithmic complexity on specially prepared input…
CVE-2017-11343 — CVSS 7.5 (high): Due to an incomplete fix for CVE-2012-6125, all versions of CHICKEN Scheme up to and including 4.12.0 are vulnerable to an algorithmic…
CVE-2016-10396 — CVSS 7.5 (high): The racoon daemon in IPsec-Tools 0.8.2 contains a remotely exploitable computational-complexity attack when parsing and storing ISAKMP…
CVE-2026-35599 — CVSS 6.5 (medium): Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that…
CVE-2026-33033 — CVSS 6.5 (medium): An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade…