
CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Jan 2026 — vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0. • https://github.com/vllm-project/vllm/security/advisories/GHSA-grg2-63fw-f2qr • CWE-770: Allocation of Resources Without Limits or Throttling

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Jan 2026 — During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. • https://github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0 • CWE-59: Improper Link Resolution Before File Access ('Link Following') • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Jan 2026 — HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then atte... • https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae • CWE-476: NULL Pointer Dereference

CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

10 Jan 2026 — In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 public-key encryption (PKE) implementation: the decrypt() path performs unchecked slice::split_at operations on input buffers derived from untrusted ciphertext. • https://github.com/RustCrypto/elliptic-curves/commit/e60e99167a9a2b187ebe80c994c5204b0fdaf4ab • CWE-20: Improper Input Validation

CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

10 Jan 2026 — In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 PKE decryption path where an invalid elliptic-curve point (C1) is decoded and the resulting value is unwrapped without checking. • https://github.com/RustCrypto/elliptic-curves/commit/085b7bee647029bd189e1375203418205006bcab • CWE-20: Improper Input Validation

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Jan 2026 — Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. • https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 2.3 • EPSS: 0% • CPEs: 4 • EXPL: 0

09 Jan 2026 — A high privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service. • https://www.dell.com/support/kbdoc/en-us/000405813/dsa-2025-415-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities • CWE-122: Heap-based Buffer Overflow

CVSS: 9.8 • EPSS: 0% • CPEs: - • EXPL: 0

09 Jan 2026 — Vivotek IP7137 camera with firmware version 0200a by default does not require any password when logging in as an administrator. • https://cert.pl/posts/2026/01/CVE-2025-66049 • CWE-1393: Use of Default Password

CVSS: 6.8 • EPSS: 0% • CPEs: 3 • EXPL: 1

09 Jan 2026 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls. • https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released • CWE-770: Allocation of Resources Without Limits or Throttling

CVSS: 7.8 • EPSS: 0% • CPEs: - • EXPL: 0

09 Jan 2026 — An issue in Hero Motocorp Vida V1 Pro 2.0.7 allows a local attacker to cause a denial of service via the BLE component. • https://threadpoolx.gitbook.io/docs/cve/cve-2025-67133-denial-of-service-via-unauthenticated-ble-connection • CWE-400: Uncontrolled Resource Consumption