{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6601", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-19T13:56:59.565Z", "datePublished": "2026-04-20T03:30:14.978Z", "dateUpdated": "2026-04-20T03:30:14.978Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T03:30:14.978Z"}, "title": "Lagom WHMCS Template Datatables resource consumption", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "Resource Consumption"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-404", "lang": "en", "description": "Denial of Service"}]}], "affected": [{"vendor": "Lagom", "product": "WHMCS Template", "versions": [{"version": "2.4.0", "status": "affected"}, {"version": "2.4.1", "status": "affected"}, {"version": "2.4.2", "status": "affected"}], "modules": ["Datatables"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Lagom WHMCS Template up to 2.4.2. This impacts an unknown function of the component Datatables. The manipulation leads to resource consumption. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-19T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-19T16:02:04.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "s4nnty (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358236", "name": "VDB-358236 | Lagom WHMCS Template Datatables resource consumption", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/358236/cti", "name": "VDB-358236 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/791943", "name": "Submit #791943 | Lagom WHMCS Template \u2264 2.4.2 Denial of Service", "tags": ["third-party-advisory"]}, {"url": "https://github.com/devsamuelsantiago/lagom-whmcs-dos-poc", "tags": ["exploit"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Lagom WHMCS Template up to 2.4.2. This impacts an unknown function of the component Datatables. The manipulation leads to resource consumption. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6601", "lastModified": "2026-04-20T04:16:56.763", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T04:16:56.763", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/devsamuelsantiago/lagom-whmcs-dos-poc"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/791943"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358236"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358236/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-404"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T05:50:37.632729+00:00", "value": {"mitigation_remediation": ["Upgrade Lagom WHMCS Template to any release newer than 2.4.2 as soon as one is available.", "If no newer release exists, consider removing or disabling the vulnerable datatables component.", "Implement application\u2011level rate limiting or request throttling to cap the resource usage per user, and enable or install a web application firewall to block anomalous datatables requests."], "summary": {"action": "Mitigate", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Any installation of Lagom WHMCS Template that is version 2.4.2 or older is affected. The vulnerability is tied to an unspecified datatables function; therefore all users who have not upgraded beyond 2.4.2 are at risk.", "description_and_impact": "The vulnerability occurs in the Lagom WHMCS Template datatables component for versions up to 2.4.2. An attacker can manipulate an unknown datatables function to cause excessive resource consumption, which the vendor reports as remote exploitation possible. The impact is a denial of service caused by elevated CPU or memory usage, mapped to CWE-400 (Uncontrolled Resource Consumption) and CWE-404 (Missing Resource Management).", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA KEV, though the exploit has been publicly disclosed. The attack vector is likely remote, whereby a crafted web request triggers the datatables component to consume excessive resources, leading to service degradation. Without an official patch or response from the vendor, the risk remains until a fix is applied or mitigated."}}}}, "created": "2026-04-20T06:00:08.099299+00:00", "updated": "2026-04-20T06:00:08.099321+00:00", "vendors": []}