
    2 vulnerabilities found for decimal by ericmj

    CVE-2026-32686 (GCVE-0-2026-32686)

    Vulnerability from nvd – Published: 2026-05-07 14:04 – Updated: 2026-05-27 15:40
    Title
    Unbounded exponent in decimal enables unauthenticated DoS
    Summary
    An Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input: a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted and stored without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM. Any application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash. This issue affects decimal versions from 0.1.0 up to, but not including, 3.0.0. Note: the CVSS 4.0 vector in the record below lists the attack vector as LOCAL (AV:L), which does not match the "remote" wording of this description; the 6.9 base score may therefore understate exposure for services that parse decimal input received over the network.
    SSVC
    Exploitation: poc; Automatable: yes; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    ericmj decimal Affected: 0.1.0 , < 3.0.0 (semver)
        cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*
    ericmj decimal Affected: bc11f4a2b6fb61fc1360a0ab4e79141bba918841 , < 6a523f3a73b8c9974540e21c7aa88f1258bb35ae (git)
        cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*
    Credits
    Peter Ullrich, Eric Meadows-Jönsson / Hex.pm, José Valim, Wojtek Mach, Jonatan Männchen / EEF, ruslandoga, Matthew Johnston

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32686",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T22:42:13.343081Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T22:43:03.396Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/ericmj/decimal/security/advisories/GHSA-rhv4-8758-jx7v"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "affected",
              "modules": [
                "\u0027Elixir.Decimal\u0027"
              ],
              "packageName": "decimal",
              "packageURL": "pkg:hex/decimal",
              "product": "decimal",
              "programFiles": [
                "lib/decimal.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Decimal\u0027:new/1"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:parse/1"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:cast/1"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:add/2"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:sub/2"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:div/2"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:to_string/2"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:to_integer/1"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:round/3"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:compare/3"
                }
              ],
              "repo": "https://github.com/ericmj/decimal",
              "vendor": "ericmj",
              "versions": [
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "affected",
              "modules": [
                "\u0027Elixir.Decimal\u0027"
              ],
              "packageName": "ericmj/decimal",
              "packageURL": "pkg:github/ericmj/decimal",
              "product": "decimal",
              "programFiles": [
                "lib/decimal.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Decimal\u0027:new/1"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:parse/1"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:cast/1"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:add/2"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:sub/2"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:div/2"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:to_string/2"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:to_integer/1"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:round/3"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:compare/3"
                }
              ],
              "repo": "https://github.com/ericmj/decimal",
              "vendor": "ericmj",
              "versions": [
                {
                  "lessThan": "6a523f3a73b8c9974540e21c7aa88f1258bb35ae",
                  "status": "affected",
                  "version": "bc11f4a2b6fb61fc1360a0ab4e79141bba918841",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.0.0",
                      "versionStartIncluding": "0.1.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "AND"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Eric Meadows-J\u00f6nsson / Hex.pm"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Jos\u00e9 Valim"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Wojtek Mach"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "ruslandoga"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Matthew Johnston"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service.\u003cp\u003eThe \u003ctt\u003edecimal\u003c/tt\u003e library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. \u003ctt\u003eDecimal.new(\"1e1000000000\")\u003c/tt\u003e) is accepted without error. Subsequent calls to arithmetic functions (\u003ctt\u003eDecimal.add/2\u003c/tt\u003e, \u003ctt\u003eDecimal.sub/2\u003c/tt\u003e, \u003ctt\u003eDecimal.div/2\u003c/tt\u003e), \u003ctt\u003eDecimal.to_string/2\u003c/tt\u003e with \u003ctt\u003e:normal\u003c/tt\u003e or \u003ctt\u003e:xsd\u003c/tt\u003e format, \u003ctt\u003eDecimal.to_integer/1\u003c/tt\u003e, \u003ctt\u003eDecimal.round/3\u003c/tt\u003e, or \u003ctt\u003eDecimal.compare/3\u003c/tt\u003e with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM.\u003c/p\u003e\u003cp\u003eAny application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash.\u003c/p\u003e\u003cp\u003eThis issue affects decimal: from 0.1.0 before 3.0.0.\u003c/p\u003e"
                }
              ],
              "value": "Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service.\n\nThe decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new(\"1e1000000000\")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM.\n\nAny application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash.\n\nThis issue affects decimal: from 0.1.0 before 3.0.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:40:44.556Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/ericmj/decimal/security/advisories/GHSA-rhv4-8758-jx7v"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-32686.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-32686"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/ericmj/decimal/commit/6a523f3a73b8c9974540e21c7aa88f1258bb35ae"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unbounded exponent in decimal enables unauthenticated DoS",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-32686",
        "datePublished": "2026-05-07T14:04:47.222Z",
        "dateReserved": "2026-03-13T09:12:14.474Z",
        "dateUpdated": "2026-05-27T15:40:44.556Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32686 (GCVE-0-2026-32686)

    Vulnerability from cvelistv5 – Published: 2026-05-07 14:04 – Updated: 2026-05-27 15:40
    Title
    Unbounded exponent in decimal enables unauthenticated DoS
    Summary
    An Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input: a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted and stored without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM. Any application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash. This issue affects decimal versions from 0.1.0 up to, but not including, 3.0.0.
    SSVC
    Exploitation: poc; Automatable: yes; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    ericmj decimal Affected: 0.1.0 , < 3.0.0 (semver)
        cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*
    ericmj decimal Affected: bc11f4a2b6fb61fc1360a0ab4e79141bba918841 , < 6a523f3a73b8c9974540e21c7aa88f1258bb35ae (git)
        cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*
    Credits
    Peter Ullrich, Eric Meadows-Jönsson / Hex.pm, José Valim, Wojtek Mach, Jonatan Männchen / EEF, ruslandoga, Matthew Johnston

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32686",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T22:42:13.343081Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T22:43:03.396Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/ericmj/decimal/security/advisories/GHSA-rhv4-8758-jx7v"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "affected",
              "modules": [
                "\u0027Elixir.Decimal\u0027"
              ],
              "packageName": "decimal",
              "packageURL": "pkg:hex/decimal",
              "product": "decimal",
              "programFiles": [
                "lib/decimal.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Decimal\u0027:new/1"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:parse/1"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:cast/1"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:add/2"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:sub/2"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:div/2"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:to_string/2"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:to_integer/1"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:round/3"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:compare/3"
                }
              ],
              "repo": "https://github.com/ericmj/decimal",
              "vendor": "ericmj",
              "versions": [
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "affected",
              "modules": [
                "\u0027Elixir.Decimal\u0027"
              ],
              "packageName": "ericmj/decimal",
              "packageURL": "pkg:github/ericmj/decimal",
              "product": "decimal",
              "programFiles": [
                "lib/decimal.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Decimal\u0027:new/1"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:parse/1"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:cast/1"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:add/2"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:sub/2"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:div/2"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:to_string/2"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:to_integer/1"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:round/3"
                },
                {
                  "name": "\u0027Elixir.Decimal\u0027:compare/3"
                }
              ],
              "repo": "https://github.com/ericmj/decimal",
              "vendor": "ericmj",
              "versions": [
                {
                  "lessThan": "6a523f3a73b8c9974540e21c7aa88f1258bb35ae",
                  "status": "affected",
                  "version": "bc11f4a2b6fb61fc1360a0ab4e79141bba918841",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.0.0",
                      "versionStartIncluding": "0.1.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "AND"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Eric Meadows-J\u00f6nsson / Hex.pm"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Jos\u00e9 Valim"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Wojtek Mach"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "ruslandoga"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Matthew Johnston"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service.\u003cp\u003eThe \u003ctt\u003edecimal\u003c/tt\u003e library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. \u003ctt\u003eDecimal.new(\"1e1000000000\")\u003c/tt\u003e) is accepted without error. Subsequent calls to arithmetic functions (\u003ctt\u003eDecimal.add/2\u003c/tt\u003e, \u003ctt\u003eDecimal.sub/2\u003c/tt\u003e, \u003ctt\u003eDecimal.div/2\u003c/tt\u003e), \u003ctt\u003eDecimal.to_string/2\u003c/tt\u003e with \u003ctt\u003e:normal\u003c/tt\u003e or \u003ctt\u003e:xsd\u003c/tt\u003e format, \u003ctt\u003eDecimal.to_integer/1\u003c/tt\u003e, \u003ctt\u003eDecimal.round/3\u003c/tt\u003e, or \u003ctt\u003eDecimal.compare/3\u003c/tt\u003e with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM.\u003c/p\u003e\u003cp\u003eAny application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash.\u003c/p\u003e\u003cp\u003eThis issue affects decimal: from 0.1.0 before 3.0.0.\u003c/p\u003e"
                }
              ],
              "value": "Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service.\n\nThe decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new(\"1e1000000000\")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM.\n\nAny application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash.\n\nThis issue affects decimal: from 0.1.0 before 3.0.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:40:44.556Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/ericmj/decimal/security/advisories/GHSA-rhv4-8758-jx7v"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-32686.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-32686"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/ericmj/decimal/commit/6a523f3a73b8c9974540e21c7aa88f1258bb35ae"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Unbounded exponent in decimal enables unauthenticated DoS",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-32686",
        "datePublished": "2026-05-07T14:04:47.222Z",
        "dateReserved": "2026-03-13T09:12:14.474Z",
        "dateUpdated": "2026-05-27T15:40:44.556Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }