[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"public-cve-CVE-2026-5497":3,"news-by-cve-CVE-2026-5497-10":47},{"in_kev":4,"has_workaround":4,"reference_count":5,"source_identifier":6,"nvd_cvss_severity":7,"attack_technique_count":8,"attack_techniques":9,"references_preview":17,"sources":23,"cvss_score":25,"cvss_severity":7,"kev_ransomware_use":4,"exploit_count":26,"attack_tactics":27,"remediation_summary":28,"nvd_cvss_score":25,"has_exploit":4,"date_updated":29,"cvss_vector":30,"affected_product_count":8,"affected_products_preview":31,"has_ai_summary":4,"date_published":35,"assigner_org":36,"assigner_short_name":36,"nvd_cvss_vector":30,"tags":37,"has_attack_graph":38,"id":39,"nuclei_template_count":26,"cvss_version":40,"cvss_source":24,"has_solution":4,"has_nuclei_templates":4,"description":41,"weaknesses":42,"state":45,"title":46},false,2,"c09c270a-b464-47c1-9133-acb35b22c19a","HIGH",1,[10],{"url":11,"confidence":12,"technique_id":13,"technique_name":14,"tactic":15,"tactic_name":16},"https://attack.mitre.org/techniques/T1499/","high","T1499","Endpoint Denial of Service","impact","Impact",[18,21],{"url":19,"source":20},"https://huntr.com/bounties/7bd92629-b396-4449-8f88-6c0092530eb4","cvelist",{"url":22,"source":20},"https://github.com/vllm-project/vllm/commit/58ee61422169ce17e08248f8efa1e9df434fe395",[20,24],"nvd",7.5,0,[16],{"has_patch":4,"has_workaround":4},"2026-06-11T10:16:21Z","CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",[32],{"vendor":33,"product":34},"vllm-project","vllm-project/vllm","2026-06-11T08:31:18Z","",[],true,"CVE-2026-5497","3.0","vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory (OOM) Denial of Service (DoS) attack due to unbounded frame count processing in the `VideoMediaIO.load_base64()` method. When processing `video/jpeg` data URLs, the method splits the base64 data string on commas to extract individual JPEG frames without enforcing a frame count limit. \nAn attacker can exploit this by crafting a single API request containing thousands of comma-separated base64-encoded JPEG frames in a data URL, causing the server to decode all frames into memory and crash due to excessive memory consumption. This vulnerability is reachable via the OpenAI-compatible chat completions API and does not require authentication.",[43],{"cwe_id":44,"name":36},"CWE-400","PUBLISHED","Unbounded Frame Count in video/jpeg Base64 Data URL Processing Leads to OOM DoS in vllm-project/vllm",{"cve_id":39,"items":48,"total":26},[]]