Total
1286 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-32777 | 2025-04-30 | N/A | ||
| Volcano is a Kubernetes-native batch scheduling system. Prior to versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2, attacker compromise of either the Elastic service or the extender plugin can cause denial of service of the scheduler. This is a privilege escalation, because Volcano users may run their Elastic service and extender plugins in separate pods or nodes from the scheduler. In the Kubernetes security model, node isolation is a security boundary, and as such an attacker is able to cross that boundary in Volcano's case if they have compromised either the vulnerable services or the pod/node in which they are deployed. The scheduler will become unavailable to other users and workloads in the cluster. The scheduler will either crash with an unrecoverable OOM panic or freeze while consuming excessive amounts of memory. This issue has been patched in versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2. | ||||
| CVE-2025-26682 | 2025-04-30 | 7.5 High | ||
| Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network. | ||||
| CVE-2024-52920 | 1 Bitcoin | 1 Bitcoin Core | 2025-04-30 | 7.5 High |
| Bitcoin Core before 0.20.0 allows remote attackers to cause a denial of service (infinite loop) via a malformed GETDATA message. | ||||
| CVE-2024-52917 | 1 Bitcoin | 1 Bitcoin Core | 2025-04-30 | 6.5 Medium |
| Bitcoin Core before 22.0 has a miniupnp infinite loop in which it allocates memory on the basis of random data received over the network, e.g., large M-SEARCH replies from a fake UPnP device. | ||||
| CVE-2024-52916 | 1 Bitcoin | 1 Bitcoin Core | 2025-04-30 | 7.5 High |
| Bitcoin Core before 0.15.0 allows a denial of service (OOM kill of a daemon process) via a flood of minimum difficulty headers. | ||||
| CVE-2024-52915 | 1 Bitcoin | 1 Bitcoin Core | 2025-04-30 | 7.5 High |
| Bitcoin Core before 0.20.0 allows remote attackers to cause a denial of service (memory consumption) via a crafted INV message. | ||||
| CVE-2024-52914 | 1 Bitcoin | 1 Bitcoin Core | 2025-04-30 | 7.5 High |
| In Bitcoin Core before 0.18.0, a node could be stalled for hours when processing the orphans of a crafted unconfirmed transaction. | ||||
| CVE-2024-52913 | 1 Bitcoin | 1 Bitcoin Core | 2025-04-30 | 5.3 Medium |
| In Bitcoin Core before 0.21.0, an attacker could prevent a node from seeing a specific unconfirmed transaction, because transaction re-requests are mishandled. | ||||
| CVE-2022-43686 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | 6.5 Medium |
| In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load). | ||||
| CVE-2025-24341 | 2025-04-30 | 6.5 Medium | ||
| A vulnerability in the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to induce a Denial-of-Service (DoS) condition on the device via multiple crafted HTTP requests. In the worst case, a full power cycle is needed to regain control of the device. | ||||
| CVE-2025-30202 | 2025-04-30 | 7.5 High | ||
| vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.5.2 and prior to 0.8.5 are vulnerable to denial of service and data exposure via ZeroMQ on multi-node vLLM deployment. In a multi-node vLLM deployment, vLLM uses ZeroMQ for some multi-node communication purposes. The primary vLLM host opens an XPUB ZeroMQ socket and binds it to ALL interfaces. While the socket is always opened for a multi-node deployment, it is only used when doing tensor parallelism across multiple hosts. Any client with network access to this host can connect to this XPUB socket unless its port is blocked by a firewall. Once connected, these arbitrary clients will receive all of the same data broadcasted to all of the secondary vLLM hosts. This data is internal vLLM state information that is not useful to an attacker. By potentially connecting to this socket many times and not reading data published to them, an attacker can also cause a denial of service by slowing down or potentially blocking the publisher. This issue has been patched in version 0.8.5. | ||||
| CVE-2025-2559 | 1 Redhat | 2 Build Keycloak, Red Hat Single Sign On | 2025-04-30 | 4.9 Medium |
| A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system. | ||||
| CVE-2022-3480 | 1 Phoenixcontact | 62 Fl Mguard Centerport, Fl Mguard Centerport Firmware, Fl Mguard Centerport Vpn-1000 and 59 more | 2025-04-29 | 7.5 High |
| A remote, unauthenticated attacker could cause a denial-of-service of PHOENIX CONTACT FL MGUARD and TC MGUARD devices below version 8.9.0 by sending a larger number of unauthenticated HTTPS connections originating from different source IP’s. Configuring firewall limits for incoming connections cannot prevent the issue. | ||||
| CVE-2025-30409 | 2025-04-29 | N/A | ||
| Denial of service due to allocation of resources without limits. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39904. | ||||
| CVE-2025-35965 | 2025-04-29 | 6.5 Medium | ||
| Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition. | ||||
| CVE-2025-21605 | 2025-04-29 | 7.5 High | ||
| Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system will run out of memory. This issue has been patched in version 7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways. Either using network access control tools like firewalls, iptables, security groups, etc, or enabling TLS and requiring users to authenticate using client side certificates. | ||||
| CVE-2025-0639 | 1 Gitlab | 1 Gitlab | 2025-04-29 | 6.5 Medium |
| An issue has been discovered affecting service availability via issue preview in GitLab CE/EE affecting all versions from 16.7 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1. | ||||
| CVE-2025-43857 | 2025-04-29 | 6.5 Medium | ||
| Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5, there is a possibility for denial of service by memory exhaustion when net-imap reads server responses. At any time while the client is connected, a malicious server can send can send a "literal" byte count, which is automatically read by the client's receiver thread. The response reader immediately allocates memory for the number of bytes indicated by the server response. This should not be an issue when securely connecting to trusted IMAP servers that are well-behaved. It can affect insecure connections and buggy, untrusted, or compromised servers (for example, connecting to a user supplied hostname). This issue has been patched in versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5. | ||||
| CVE-2025-46687 | 2025-04-29 | 5.6 Medium | ||
| quickjs-ng through 0.9.0 has a missing length check in JS_ReadString for a string, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected. | ||||
| CVE-2022-22488 | 1 Ibm | 6 Power System Ac922 \(8335-gtg\), Power System Ac922 \(8335-gtg\) Firmware, Power System Ac922 \(8335-gth\) and 3 more | 2025-04-28 | 4.9 Medium |
| IBM OpenBMC OP910 and OP940 could allow a privileged user to cause a denial of service by uploading or deleting too many CA certificates in a short period of time. IBM X-Force ID: 2226337. | ||||