Threats Tagged 'cwe-404'
View all threats tagged with 'cwe-404'. Filter and sort to focus on specific types of threats.
CVE-2026-54280: CWE-404: Improper Resource Shutdown or Release in aio-libs aiohttp
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file. This vulnerability is fixed in 3.14.1.
CVE Database V5 | 06/22/2026, 16:40:23 UTC | Added: 06/22/2026, 17:39:40 UTC

CVE-2026-11317: CWE-404: Improper Resource Shutdown or Release in Rockwell Automation CompactLogix, ControlLogix
CVE-2026-11317 is a high-severity denial of service vulnerability in Rockwell Automation CompactLogix and ControlLogix devices. The issue arises from improper resource shutdown or release when a specially crafted CIP message is processed. Devices with limited memory are more susceptible, potentially causing a major nonrecoverable fault that requires a program download to recover. No patch or official remediation has been confirmed yet.
CVE Database V5 | 06/16/2026, 13:10:19 UTC | Added: 06/16/2026, 15:00:27 UTC

CVE-2026-45174: CWE-404: Improper Resource Shutdown or Release in CyberArk Software, a Palo Alto Networks Company Idira Endpoint Privilege Manager
Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allow a local attacker to potentially compromise the agent daemon initialization. CyberArk Security Bulletin: CA26-19
CVE Database V5 | 06/11/2026, 21:22:13 UTC | Added: 06/11/2026, 21:31:04 UTC

CVE-2026-47213: CWE-404: Improper Resource Shutdown or Release in boxlite-ai boxlite
Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. In versions 0.8.2 and prior, Boxlite allows users to configure a timeout for services running inside the virtual machine. When the timeout is triggered, Boxlite sends a signal to kill the process. However, instead of using the uncatchable SIGKILL signal, Boxlite uses the catchable SIGALRM signal. Malicious code running inside the sandbox can exploit this vulnerability to continue running after the timeout is triggered, leading to resource exhaustion within the virtual machine and affecting the availability of the Boxlite service. This issue has been patched via commit 28159fc.
CVE Database V5 | 06/10/2026, 22:20:04 UTC | Added: 06/10/2026, 22:32:03 UTC

CVE-2025-9784: Allocation of Resources Without Limits or Throttling
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
GCVE Database | 09/02/2025, 13:37:59 UTC | Added: 06/08/2026, 21:20:19 UTC

CVE-2026-45090: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in hahwul dalfox
CVE-2026-45090 is a race condition vulnerability in hahwul dalfox versions prior to 2.13.0. The issue arises because two sequential worker stages write to the same results channel, which is closed after the first stage, causing the second stage to write to a closed channel. This triggers a Go runtime panic that crashes the dalfox process. In server mode, this crash can be remotely triggered by unauthenticated callers via the REST API if the default configuration is used without an API key and the attacker supplies POST-body data that is reflected by the target. The vulnerability is fixed in version 2.13.0.
CVE Database V5 | 05/27/2026, 17:33:06 UTC | Added: 05/27/2026, 17:48:47 UTC