CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2026-45186
https://notcve.org/view.php?id=CVE-2026-45186
10 May 2026 — In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input. • https://github.com/libexpat/libexpat/pull/1216 • CWE-407: Inefficient Algorithmic Complexity •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-7263 – DoS attack via DOMNode::C14N()
https://notcve.org/view.php?id=CVE-2026-7263
10 May 2026 — This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application. • https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733 • CWE-404: Improper Resource Shutdown or Release CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-7258 – Out-of-bounds read in urldecode() on NetBSD
https://notcve.org/view.php?id=CVE-2026-7258
10 May 2026 — On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service. • https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4 • CWE-125: Out-of-bounds Read •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-7259 – Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
https://notcve.org/view.php?id=CVE-2026-7259
10 May 2026 — .* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. • https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75 • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-7262 – NULL pointer dereference in SOAP apache:Map decoder with missing <value>
https://notcve.org/view.php?id=CVE-2026-7262
10 May 2026 — .* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. ... This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service. • https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv • CWE-476: NULL Pointer Dereference •
CVSS: 6.0EPSS: 0%CPEs: 3EXPL: 0CVE-2026-42256 – net-imap: Denial of service via high iteration count for `SCRAM-*` authentication
https://notcve.org/view.php?id=CVE-2026-42256
09 May 2026 — From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. • https://github.com/ruby/net-imap/commit/158d0b505074397cdb5ceb58935e42dd2bcfa612 • CWE-770: Allocation of Resources Without Limits or Throttling CWE-1322: Use of Blocking Code in Single-threaded, Non-blocking Context •
CVSS: 2.3EPSS: 0%CPEs: 3EXPL: 0CVE-2026-42245 – net-imap: Quadratic complexity when reading response literals
https://notcve.org/view.php?id=CVE-2026-42245
09 May 2026 — A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. • https://github.com/ruby/net-imap/commit/6091f7d6b1f3514cafbfe39c76f2b5d73de3ca96 • CWE-407: Inefficient Algorithmic Complexity •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2026-42310 – Pillow: PDF Parsing Trailer Infinite Loop (DoS)
https://notcve.org/view.php?id=CVE-2026-42310
09 May 2026 — Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0. • https://github.com/python-pillow/Pillow/commit/3bf614e4b8615d0ce1d5039efaf6db447fe7c468 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2026-41311 – LiquidJS is vulnerable to Denial of Service via circular block reference in layout
https://notcve.org/view.php?id=CVE-2026-41311
09 May 2026 — Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack. • https://github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0 • CWE-674: Uncontrolled Recursion •
CVSS: 8.2EPSS: 0%CPEs: 2EXPL: 1CVE-2026-42294 – Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor
https://notcve.org/view.php?id=CVE-2026-42294
09 May 2026 — ., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. • https://github.com/argoproj/argo-workflows/commit/7abb4de6c3599e2d5d960ba4d5de4cf1df109965 • CWE-770: Allocation of Resources Without Limits or Throttling •