CWE-407 · Inefficient Algorithmic Complexity
103 CVEs classified under CWE-407 (Inefficient Algorithmic Complexity). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-46136 | High | 8.0 | 2023-10-25 | Werkzeug is a comprehensive WSGI web application library. In versions on the 3.x branch prior to 3.0.1 and on the 2.x branch prior to 2.3.8, if an upload of a… |
| CVE-2026-13311 | High | 7.5 | 2026-06-25 | shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire gro… |
| CVE-2026-49851 | High | 7.5 | 2026-06-24 | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately… |
| CVE-2026-48516 | High | 7.5 | 2026-06-22 | MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TK… |
| CVE-2026-48511 | High | 7.5 | 2026-06-22 | MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by… |
| CVE-2026-48502 | High | 7.5 | 2026-06-22 | MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attac… |
| CVE-2026-53539 | High | 7.5 | 2026-06-22 | Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located… |
| CVE-2026-49293 | High | 7.5 | 2026-06-19 | js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / binary intege… |
| CVE-2026-41850 | High | 7.5 | 2026-06-09 | Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a… |
| CVE-2026-8889 | High | 7.5 | 2026-06-03 | Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashe… |
| CVE-2026-42504 | High | 7.5 | 2026-06-02 | Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. |
| CVE-2026-44378 | High | 7.5 | 2026-05-27 | Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser… |
| CVE-2026-48959 | High | 7.5 | 2026-05-27 | IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward() compares length $offset (the di… |
| CVE-2026-41292 | High | 7.5 | 2026-05-20 | NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options… |
| CVE-2026-42304 | High | 7.5 | 2026-05-13 | Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial o… |
| CVE-2026-42245 | High | 7.5 | 2026-05-09 | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseRead… |
| CVE-2026-43967 | High | 7.5 | 2026-05-08 | Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness v… |
| CVE-2026-40476 | High | 7.5 | 2026-04-17 | graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise compariso… |
| CVE-2025-67841 | High | 7.5 | 2026-04-15 | Nordic Semiconductor IronSide SE for nRF54H20 before 23.0.2+17 has an Algorithmic complexity issue. |
| CVE-2026-40164 | High | 7.5 | 2026-04-14 | jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432… |