CVE-2026-26130

Description

Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.

How to fix CVE-2026-26130

To remediate CVE-2026-26130, upgrade the affected package to a fixed version below.

• Bitnami/aspnet-core—upgrade to 8.0.25 or later
• NuGet/Microsoft.AspNetCore.App.Runtime.linux-arm—upgrade to 8.0.25 or later
• —upgrade to 8.0.25 or later
• —upgrade to 8.0.25 or later
• —upgrade to 8.0.25 or later
• —upgrade to 8.0.25 or later
• —upgrade to 8.0.25 or later
• —upgrade to 8.0.25 or later
• —upgrade to 8.0.25 or later
• —upgrade to 8.0.25 or later
• —upgrade to 8.0.25 or later
• —upgrade to 8.0.25 or later
• —upgrade to 8.0.25 or later

Is CVE-2026-26130 being exploited?

Low — EPSS is 3.6%, meaning exploitation activity has not been observed at scale.

Affected packages (13)

• >= 8.0.0, < 8.0.25, >= 9.0.0, < 9.0.14, >= 10.0.0, < 10.0.4
• >= 8.0.0, < 8.0.25
• >= 8.0.0, < 8.0.25
• >= 8.0.0, < 8.0.25
• >= 8.0.0, < 8.0.25
• >= 8.0.0, < 8.0.25
• >= 8.0.0, < 8.0.25
• >= 8.0.0, < 8.0.25
• >= 8.0.0, < 8.0.25

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-26130
• PATCHgithub.com/dotnet/aspnetcore
• WEBgithub.com/dotnet/aspnetcore/security/advisories/GHSA-4vgm-c2wm-63mw
• WEBmsrc.microsoft.com/update-guide/vulnerability/CVE-2026-26130
• WEB