CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2026-42183 – Argo Workflows: SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go)
https://notcve.org/view.php?id=CVE-2026-42183
09 May 2026 — From version 4.0.0 to before version 4.0.5, a nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization() causes a panic (denial of service) for SSO users whose claims match a namespace-level RBAC rule but not an SSO-namespace rule, when SSO_DELEGATE_RBAC_TO_NAMESPACE=true. • https://github.com/argoproj/argo-workflows/commit/c4cc17d0c034fa9a9cc01ef1af6c8016c93071d4 • CWE-476: NULL Pointer Dereference •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2026-42343 – FastGPT: Uncontrolled Resource Consumption leading to Sandbox Exhaustion
https://notcve.org/view.php?id=CVE-2026-42343
08 May 2026 — The service relies solely on an application-level soft limit (a 500ms polling interval) for memory management and lacks strict OS-level constraints such as cgroups or kernel-level namespaces. This architectural weakness allows attackers to easily bypass memory checks via time-window attacks, or exhaust the entire JavaScript worker pool via concurrent CPU-intensive requests, resulting in a complete Denial of Service (DoS) for legitimate users. At time of
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2026-42209 – FlashMQ: Division by zero crash when using non-default deferred retained message setting
https://notcve.org/view.php?id=CVE-2026-42209
08 May 2026 — Prior to version 1.26.1, a remote client with retained publish permission can crash the FlashMQ broker when both set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread are configured to non-default values, resulting in denial of service. • https://github.com/halfgaar/FlashMQ/commit/193b6e7767889511cfa8e933908ea5e6a1077a1f • CWE-369: Divide By Zero •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2026-42212 – SolidCAM-GPPL-IDE: XML External Entity (XXE) and billion-laughs DoS in VMID parser
https://notcve.org/view.php?id=CVE-2026-42212
08 May 2026 — A malicious .vmid file could therefore: disclose local files via external entity references, exhaust memory via recursive entity expansion, and cause denial of service via oversized or deeply nested XML. • https://github.com/anzory/SolidCAM-GPPL-IDE/blob/master/CHANGELOG.md#102--2026-04-20 • CWE-400: Uncontrolled Resource Consumption CWE-611: Improper Restriction of XML External Entity Reference CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2026-42189 – Russh: Pre-auth DoS via unbounded allocation in keyboard-interactive auth
https://notcve.org/view.php?id=CVE-2026-42189
08 May 2026 — Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. • https://github.com/Eugeny/russh/commit/6c3c80a9b6d60763d6227d60fa8310e57172a4d1 • CWE-770: Allocation of Resources Without Limits or Throttling CWE-789: Memory Allocation with Excessive Size Value •
CVSS: 6.2EPSS: 0%CPEs: 1EXPL: 0CVE-2026-41511 – OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle
https://notcve.org/view.php?id=CVE-2026-41511
08 May 2026 — Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch. • https://github.com/openmcdf/openmcdf/commit/24f445a557fc4f46461cf6d02d296cce16c293a0 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 8.8EPSS: 0%CPEs: 13EXPL: 0CVE-2026-29203
https://notcve.org/view.php?id=CVE-2026-29203
08 May 2026 — That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory. • https://support.cpanel.net/hc/en-us/articles/40311543760407-Security-CVE-2026-29203-cPanel-WHM-WP2-Security-Update-May-08-2026 • CWE-61: UNIX Symbolic Link (Symlink) Following •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2026-42793 – Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe
https://notcve.org/view.php?id=CVE-2026-42793
08 May 2026 — Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. • https://cna.erlef.org/cves/CVE-2026-42793.html • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2026-43967 – Quadratic fragment-name uniqueness check causes denial of service in absinthe
https://notcve.org/view.php?id=CVE-2026-43967
08 May 2026 — Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. ... /2, which evaluates Enum.count(fragments, &(&1.name == name)) — a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller. • https://cna.erlef.org/cves/CVE-2026-43967.html • CWE-407: Inefficient Algorithmic Complexity •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2026-41683 – HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header
https://notcve.org/view.php?id=CVE-2026-41683
08 May 2026 — i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older i18next (< 19.5.0) that still exercised the backward-compatibility fallback... • https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-c3h8-g69v-pjrg • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •