CVE-2026-49955
Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade se
CVSS
5.3
Medio
EPSS
0.6%
p44
KEV
—
Exploit Today
13
0-100
Publicado: 9 jun 2026 · Última mod.: 14 jul 2026 · CWE-770
0.6%EPSS · 30 días0.6%
2026-06-302026-07-17
Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing assertion. Attackers can send unlimited POST requests to the authentication endpoint, causing unbounded growth of the challenge store file and excessive CPU and disk I/O through repeated JSON file rewrites.
- github.comhttps://github.com/nesquena/hermes-webui/commit/58528a4d88b0fa4f7b822e31d6051c669769bd3b
- github.comhttps://github.com/nesquena/hermes-webui/pull/3624
- github.comhttps://github.com/nesquena/hermes-webui/pull/3674
- github.comhttps://github.com/nesquena/hermes-webui/releases/tag/v0.51.270
- www.vulncheck.comhttps://www.vulncheck.com/advisories/hermes-webui-resource-exhaustion-via-passkey-options
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-217107.5 ALT97.8%
——29A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.
When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.
* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**3dCVE-2026-261307.5 ALT85.0%
——25Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.3dCVE-2026-489337.5 ALT84.9%
——25A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.2dCVE-2026-455917.5 ALT82.4%
——25Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.3dCVE-2021-366307.5 ALT80.5%
——24DDOS reflection amplification vulnerability in eAut module of Ruckus Wireless SmartZone controller that allows remote attackers to perform DOS attacks via crafted request.9dCVE-2025-97847.5 ALT80.3%
——24A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).18d