EUVD-2026-39568

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access...

CVE-2026-50176

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access...

CVE-2026-50176 EVoke Systems EVoke CSMS Improper Restriction of Excessive Authentication Attempts

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access...

CVE-2026-50176

The CVE-2026-50176 entry concerns the WebSocket API which lacks a limit on the number of authentication requests. This absence of rate limiting can enable denial-of-service or brute-force attempts to gain unauthorized access. The issue is rated HIGH severity (CVSS v3.1: 7.5; CVSS v4.0: 8.7) with ...

CVE-2026-54037 LibreChat: Incomplete Fix for CVE-2025-7105 — /api/convos/duplicate Lacks Rate Limiting Applied to /api/convos/fork

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2025-7105 added forkIpLimiter and forkUserLimiter rate limiters to POST /api/convos/fork to prevent rapid-fire conversation duplication. However, the POST /api/convos/duplicate endpoint...

CVE-2026-54037

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2025-7105 added forkIpLimiter and forkUserLimiter rate limiters to POST /api/convos/fork to prevent rapid-fire conversation duplication. However, the POST /api/convos/duplicate endpoint...

CVE-2026-54037

LibreChat (a multi-provider ChatGPT-like app) contains a missing rate limiter in POST /api/convos/duplicate, which performs the same expensive DB operations as POST /api/convos/fork. The fix for CVE-2025-7105 added forkIpLimiter and forkUserLimiter to /fork, but did not apply a corresponding limi...

CVE-2026-56234

Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validatepasswordcompliance endpoint that is callable using only the public Supabase key without authentication. The endpoint is CORS-permissive with wildcard origin allowance and lacks rate...

CVE-2026-56234

Capgo prior to 12.128.2 exposes a credential validation endpoint (POST /functions/v1/private/validate_password_compliance) that is accessible with only the public Supabase key and lacks authentication. The endpoint uses permissive CORS with a wildcard origin and has no rate limiting, which enable...

CVE-2026-56255

Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows authenticated users with org write permissions to create unlimited demo applications without rate limiting or quota enforcement. Attackers can repeatedly invoke this endpoint to generate...

CVE-2026-56450

CVE-2026-56450 relates to the AIL Framework where the OTP (2FA) verification lacked rate-limiting, allowing unlimited OTP attempts after reaching the 2FA step. Root cause: no per-user throttling on failed OTPs. Impact: potential brute-force of OTPs enabling unauthorized access. The patch adds per...

PT-2026-51403

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description A denial of service issue exists in the 'POST /app/demo' endpoint. Authenticated users with organization write permissions can create an unlimited number of demo applications because the system lack...

Astra Linux – Vulnerability in jsoup

jsoup is a Java library for working with HTML. Users of jsoup versions prior to 1.14.2 who parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user-supplied input, an attacker may provide content that causes the parser to become stuck loop indefinitely until...

Astra Linux – Vulnerability in Firefox and Thunderbird

Repeatedly writing to the history interface attributes could have caused a denial-of-service condition in the browser. This issue was addressed by introducing rate-limiting to this API. This vulnerability affects Firefox 132, Firefox ESR 128.4, Thunderbird 128.4, and Thunderbird 132...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: dma-debug: prevents an error message from causing runtime problems. For some drivers that use the DMA API, this error message can occur several million times per second. This can lead to excessive use of the kernel’s printk buffe...

Brute Force Attack

Yamcs Core is vulnerable to Brute Force Attack. The vulnerability is due to the absence of rate limiting, account lockout, and failed login throttling on the /auth/token endpoint, which allows an attacker to perform unlimited password-guessing attempts and conduct brute-force attacks against user...

EUVD-2026-32916

PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values DoS...

CVE-2026-5233

The CVE describes an input/output flood condition in Mia Technologies’ Pizzy Library (affected from 1.0.0.26250 up to, but not including, 1.3.9.26250) caused by missing rate limiting / improper control of interaction frequency. This vulnerability can enable flooding, with CVSS v3.1 Base Score 7.1...

CVE-2026-5233 Missing Rate Limiting in Mia Technologies' Pizzy Library

Improper Control of Interaction Frequency vulnerability in MIA Technology Inc. Pizzy Library allows Flooding. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250...

CVE-2026-5233 Missing Rate Limiting in Mia Technologies' Pizzy Library

Improper Control of Interaction Frequency vulnerability in MIA Technology Inc. Pizzy Library allows Flooding. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250...