CWE-770: Allocation of Resources Without Limits or Throttling — known CVE vulnerabilities
CVEs classified under CWE-770 (Allocation of Resources Without Limits or Throttling), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-31283 — CVSS 9.8 (critical): In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used…
CVE-2020-37067 — CVSS 9.8 (critical): Filetto 1.0 FTP server contains a denial of service vulnerability in the FEAT command processing that allows attackers to crash the…
CVE-2021-47875 — CVSS 9.8 (critical): GeoGebra CAS Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by generating a…
CVE-2025-11832 — CVSS 9.8 (critical): Allocation of Resources Without Limits or Throttling vulnerability in Azure Access Technology BLU-IC2, Azure Access Technology BLU-IC4…
CVE-2024-44241 — CVSS 9.8 (critical): The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1. An attacker may…
CVE-2022-3439 — CVSS 9.8 (critical): Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0.
CVE-2022-3456 — CVSS 9.8 (critical): Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0.
CVE-2022-29503 — CVSS 9.8 (critical): A memory corruption vulnerability exists in the libpthread linuxthreads functionality of uClibC 0.9.33.2 and uClibC-ng 1.0.40. Thread…
CVE-2019-17067 — CVSS 9.8 (critical): PuTTY before 0.73 on Windows improperly opens port-forwarding listening sockets, which allows attackers to listen on the same port to steal…
CVE-2018-20033 — CVSS 9.8 (critical): A Remote Code Execution vulnerability in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier could allow…
CVE-2017-6713 — CVSS 9.8 (critical): A vulnerability in the Play Framework of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to gain…
CVE-2017-6640 — CVSS 9.8 (critical): A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the…
CVE-2026-12818: Delta Electronics DVP12SE PLCs are susceptible to a resource allocation vulnerability without limits or throttling (CWE-770) within their…
CVE-2025-22273: Application does not limit the number or frequency of user interactions, such as the number of incoming requests. At the…
CVE-2025-68456 — CVSS 9.1 (critical): Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users…
CVE-2024-38821 — CVSS 9.1 (critical): Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances…
CVE-2024-6037 — CVSS 9.1 (critical): A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240410 allows an attacker to create arbitrary folders at any location on the…
CVE-2023-27958 — CVSS 9.1 (critical): The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4, macOS Big Sur…
CVE-2022-46416 — CVSS 9.1 (critical): Parrot Bebop 4.7.1. allows remote attackers to prevent legitimate terminal connections by exhausting the DHCP IP address pool. To…
CVE-2019-15753 — CVSS 9.1 (critical): In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing…
CVE-2023-43632 — CVSS 9.0 (critical): As noted in the “VTPM.md” file in the eve documentation, “VTPM is a server listening on port 8877 in EVE, exposing limited…
CVE-2023-5289 — CVSS 8.8 (high): Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.8.4.
CVE-2021-34735 — CVSS 8.8 (high): Multiple vulnerabilities in the Cisco ATA 190 Series Analog Telephone Adapter Software could allow an attacker to perform a command…
CVE-2020-24994 — CVSS 8.8 (high): Stack overflow in the parse_tag function in libass/ass_parse.c in libass before 0.15.0 allows remote attackers to cause a denial of service…
CVE-2019-5031 — CVSS 8.8 (high): An exploitable memory corruption vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader, version 9.4.1.16828. A…
CVE-2019-9291 — CVSS 8.8 (high): In Bluetooth, there is a possible remote code execution due to an improper memory allocation. This could lead to remote code execution in…
CVE-2019-10088 — CVSS 8.8 (high): A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade…
CVE-2019-7582 — CVSS 8.8 (high): The readBytes function in util/read.c in libming through 0.4.8 allows remote attackers to have unspecified impact via a crafted swf file…
CVE-2019-7581 — CVSS 8.8 (high): The parseSWF_ACTIONRECORD function in util/parser.c in libming through 0.4.8 allows remote attackers to have unspecified impact via a…
CVE-2026-56811: Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix (Phoenix.Socket module) allows an…
CVE-2026-56810: Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint (Mint.HTTP1 module) allows a denial of service via…
CVE-2026-48854: Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the…
CVE-2026-43973: Uncontrolled Resource Consumption vulnerability in ninenines gun (gun_http module) allows a malicious server to exhaust client memory via…
CVE-2026-44499: ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block…
CVE-2026-32689: Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix allows a denial of service via the long-poll…
CVE-2026-42786: Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via…
CVE-2026-39313: mcp-framework is a framework for building Model Context Protocol (MCP) servers. In versions 0.2.21 and below, the readRequestBody()…
CVE-2025-9368: A security issue exists within 432ES-IG3 Series A, which affects GuardLink® EtherNet/IP Interface, resulting in denial-of-service. A…
CVE-2025-12385: Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt…
CVE-2025-46807: A Allocation of Resources Without Limits or Throttling vulnerability in sslh allows attackers to easily exhaust the file descriptors in…
CVE-2024-47874: Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats…
CVE-2024-7113: If exploited, this vulnerability could cause a SuiteLink server to consume excessive system resources and slow down processing of Data I/O…
CVE-2025-7737 — CVSS 8.6 (high): DoS Vulnerability in 10G iSCSI Interface of Hitachi Virtual Storage Platform. This issue affects Hitachi Virtual Storage Platform E990…
CVE-2026-20103 — CVSS 8.6 (high): A vulnerability in the Remote Access SSL VPN functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure…
CVE-2025-26819 — CVSS 8.6 (high): Monero through 0.18.3.4 before ec74ff4 does not have response limits on HTTP server connections.
CVE-2024-37358 — CVSS 8.6 (high): Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and…
CVE-2024-38286 — CVSS 8.6 (high): Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1…