CVE-2026-54775
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, a CoreWCF service li
CVSS
6.5
Medium
EPSS
0.3%
p26
KEV
—
Exploit Today
8
0-100
Published: Jul 8, 2026 · Last modified: Jul 9, 2026 · CWE-248 · CWE-754 · CWE-755
0.3%EPSS · 30 days0.3%
2026-07-092026-07-16
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, a CoreWCF service listening on a Kafka topic stops processing new records from that topic when KafkaTransportPump receives a null-value tombstone record, causing a persistent endpoint denial of service for attackers with produce permission. This issue is fixed in versions 1.8.1 and 1.9.1.
- github.comhttps://github.com/CoreWCF/CoreWCF/commit/1a229d0d14a07766302f7d14c866889f04a3a624
- github.comhttps://github.com/CoreWCF/CoreWCF/commit/6d7431ebc0ebe6521ea6d0dbea8982bac3d2bc98
- github.comhttps://github.com/CoreWCF/CoreWCF/commit/8f95f3ac3c929409e830b5c5659683ef9f6ea6b0
- github.comhttps://github.com/CoreWCF/CoreWCF/releases/tag/v1.8.1
- github.comhttps://github.com/CoreWCF/CoreWCF/releases/tag/v1.9.1
- github.comhttps://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-m744-jhq9-ppw6
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2024-219077.5 HIG98.2%
——29Newtonsoft.Json before version 13.0.1 is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition.2dCVE-2025-594657.5 HIG88.7%
——27A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:
```
server.on('secureConnection', socket => {
socket.on('error', err => {
console.log(err)
})
})
```2dCVE-2026-256397.5 HIG82.9%
——25Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.11hCVE-2026-59467.5 HIG76.2%
——23Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.2dCVE-2026-236667.5 HIG67.8%
——20Improper input validation in .NET Framework allows an unauthorized attacker to deny service over a network.2dCVE-2026-503287.5 HIG64.8%
——19Uncaught exception in Windows Server Update Service allows an unauthorized attacker to perform tampering over a network.1d