CWE-407 · Inefficient Algorithmic Complexity

103 CVEs classified under CWE-407 (Inefficient Algorithmic Complexity). Browse by severity and year.

Top CVEs for CWE-407
| CVE | Severity | Score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2023-46136 | High | 8.0 | 2023-10-25 | Werkzeug is a comprehensive WSGI web application library. In versions on the 3.x branch prior to 3.0.1 and on the 2.x branch prior to 2.3.8, if an upload of a… |
| CVE-2026-13311 | High | 7.5 | 2026-06-25 | shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire gro… |
| CVE-2026-49851 | High | 7.5 | 2026-06-24 | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately… |
| CVE-2026-48516 | High | 7.5 | 2026-06-22 | MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TK… |
| CVE-2026-48511 | High | 7.5 | 2026-06-22 | MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by… |
| CVE-2026-48502 | High | 7.5 | 2026-06-22 | MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attac… |
| CVE-2026-53539 | High | 7.5 | 2026-06-22 | Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located… |
| CVE-2026-49293 | High | 7.5 | 2026-06-19 | js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / binary intege… |
| CVE-2026-41850 | High | 7.5 | 2026-06-09 | Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a… |
| CVE-2026-8889 | High | 7.5 | 2026-06-03 | Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashe… |
| CVE-2026-42504 | High | 7.5 | 2026-06-02 | Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. |
| CVE-2026-44378 | High | 7.5 | 2026-05-27 | Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser… |
| CVE-2026-48959 | High | 7.5 | 2026-05-27 | IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward() compares length $offset (the di… |
| CVE-2026-41292 | High | 7.5 | 2026-05-20 | NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options… |
| CVE-2026-42304 | High | 7.5 | 2026-05-13 | Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial o… |
| CVE-2026-42245 | High | 7.5 | 2026-05-09 | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseRead… |
| CVE-2026-43967 | High | 7.5 | 2026-05-08 | Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness v… |
| CVE-2026-40476 | High | 7.5 | 2026-04-17 | graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise compariso… |
| CVE-2025-67841 | High | 7.5 | 2026-04-15 | Nordic Semiconductor IronSide SE for nRF54H20 before 23.0.2+17 has an Algorithmic complexity issue. |
| CVE-2026-40164 | High | 7.5 | 2026-04-14 | jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432… |