
Release Information

Version 26.4 introduces the all-new Dashboard application, giving you a powerful, fully customizable workspace to monitor what matters most. Arrange widgets freely on a flexible grid, visualize data as gauges, charts, tables, or traffic lights, and share your dashboards with your team. Everything updates in real time, so the information you see is always current. Built-in system widgets let you monitor server health at a glance, covering CPU and RAM usage, disk space, certificate expiration, HTTP endpoint checks, and more.

Migration Information

Version 25.4

  • The previous LONG system date format was changed; it used to match the new FULL format. In both the new FULL and the old LONG system date format, the weekday typically appears, depending on the locale. If you want to continue using a date format with a weekday, you must update your reports to use the new FULL system date format.
  • The parser.docx plugin replaces the previous decoder.docx plugin.

Ad Hoc

Version 25.4

  • The new Ad Hoc plugin is incompatible with some previous features:
    • Previous Ad Hoc layouts are no longer functional and are replaced by Themes and Components.
    • Previous Data Views are converted to Data Templates in a one-time operation.
    • Previously saved Ad Hoc reports with the extension .adhocsave are migrated when they are opened. However, not all previous elements can be migrated.

Drive

Version 25.4

  • The Drive's RootID changes to Drive, which can be used, e.g., by the WebAPI to address resources in the server's Drive.

Microsoft Teams

Version 25.10

  • Your old "incoming webhooks" need to be migrated to the new workflow-based "incoming webhooks". Create the new webhooks in Teams under "Workflows" and replace your current URLs with the new ones.

Microsoft Word Document (.docx)

Version 25.4

  • The parser.docx plugin replaces the previous decoder.docx plugin.

System Core

Version 25.4

  • If you want to use this version with an application server, like Apache Tomcat 11, the application server must support:
    • Java 17
    • Jakarta EE 10
    • Servlet Specifications 6.1
    • WebSocket 2.2
  • If you have implemented custom plugins or are using the software as an embedded application, you will need to make some adjustments to your Java code as the servlet specification has been updated from version 4.0 to 6.1. As a result, the Java packages have been changed from javax to jakarta. This affects the jakarta.servlet, jakarta.websocket, jakarta.activation and jakarta.mail packages.

Web Server

Version 26.4

  • If you have a Let's Encrypt update task, you should set the timer trigger to a significantly shorter interval, e.g., daily instead of the previous 30 days. The validity period of Let's Encrypt certificates will soon be reduced to 45 days. For this reason, the remaining validity of the certificate is now checked before a renewal is performed.

Plugin Changes

Version 26.4

  • Factur-X / ZUGFeRD support updated to ZUGFeRD 2.4 / Factur-X 1.08 (CII D22B).
  • The Java viewer for the client now requires the same Java version as the reporting server, currently Java 21. Java 8 is no longer supported on the client.
  • API ReportComponent.setStructElem(String) added to manually tag PDF tables.
  • The report export dialogue in Ad Hoc and in the PDF Viewer now supports the same options as the Java Viewer/Designer.
  • New evaluation time AfterReadingRecords added to better optimize property formulas after fetching data and before starting rendering.
  • Performance improvement for XLSX format with very large reports.
  • The values of the Java API constants Engine.EXPORT_HTML and Engine.EXPORT_HTML_ZIP have been changed to "html" and "html.zip".
  • The ToWords formula function can now write decimal places as numbers or words.
  • Added weekly as step width for date axes.
  • Added the Java interface com.inet.report.svg.SvgMetadataProvider as a plugin extension.

Fixed Bugs

  • The HTML Viewer did not display a prompt dialog when reloading the browser via Ctrl-R/CMD-R.
  • Fixes the layout of rotated glyph orientation together with the text interpretation HTML (basic) and Markdown.
  • Fixes the rotation of the labels in the axes.
  • SVG images in HTML export didn't use the scaling options.
  • When exporting as a PDF, SVG images were not scaled correctly.
  • Dynamic NULL values in formulas were not recognized as type NULL, which is why the generated SQL incorrectly returned ... = null instead of ... is null.
  • In pie charts the Name Field was not used.
  • The text interpretation HTML (advanced) can, under rare circumstances, write only partial data or data from the next records if a Keep Together flag of a section or area has switched the rendering to a new page.
  • Several compliance and validation issues in the PDF/UA-2 export format, detected by the veraPDF tool, have been fixed.
  • A StackOverflowError occurred in the XLS export format when there were more than 65,536 rows without interrupting groups in the detail area.
  • Not all data were written to the FacturX XML file.
  • PieCharts with 'For Each Record' didn't use the Name Field setting for the entries in the chart legend.
  • A regression caused RecoveryConfiguration to throw an IllegalStateException when using -forceImportDatasource or -importDatasource, preventing any datasource from being imported.
  • Performance improvement for XLSX export for large reports with user-defined formats for field values.
  • A regression led to corrupt PostScript export via Web API.

Security Fixes

  • Security Update for CVE-2026-42198
    • pgjdbc is an open source PostgreSQL JDBC driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
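
The client-side check that this class of problem calls for, shown as an added example (not code from pgjdbc or from i-net): the iteration count in the SCRAM server-first-message is validated against a ceiling before any PBKDF2 work starts. The class name, the `MAX_ITERATIONS` ceiling and the sample messages are assumptions made for illustration; SASLprep normalization of the password is omitted because the sample password is plain ASCII.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added illustration: bound the server-supplied SCRAM iteration count before running PBKDF2. */
public class ScramIterationGuard {

    // Assumed local policy ceiling; not a value taken from the advisory or from pgjdbc.
    static final int MAX_ITERATIONS = 600_000;

    record ServerFirst(String nonce, byte[] salt, int iterations) {}

    /** Parses an RFC 5802 server-first-message ("r=...,s=...,i=...") and rejects unsafe values. */
    static ServerFirst parseServerFirst(String message, String clientNonce) {
        String[] parts = message.split(",");
        if (parts.length < 3 || !parts[0].startsWith("r=")
                || !parts[1].startsWith("s=") || !parts[2].startsWith("i=")) {
            throw new IllegalArgumentException("malformed server-first-message");
        }
        String nonce = parts[0].substring(2);
        // The combined nonce must extend the nonce this client sent.
        if (nonce.length() <= clientNonce.length() || !nonce.startsWith(clientNonce)) {
            throw new IllegalArgumentException("server nonce does not extend client nonce");
        }
        byte[] salt = Base64.getDecoder().decode(parts[1].substring(2));
        if (salt.length == 0) {
            throw new IllegalArgumentException("empty salt");
        }
        String digits = parts[2].substring(2);
        // Digits only, no leading zero, at most 9 characters: Integer.parseInt cannot overflow.
        if (!digits.matches("[1-9][0-9]{0,8}")) {
            throw new IllegalArgumentException("iteration count is not a bounded positive integer");
        }
        int iterations = Integer.parseInt(digits);
        // The decisive check: refuse the cost before spending any CPU on it.
        if (iterations > MAX_ITERATIONS) {
            throw new IllegalArgumentException(
                    "iteration count " + iterations + " exceeds ceiling " + MAX_ITERATIONS);
        }
        return new ServerFirst(nonce, salt, iterations);
    }

    /** SCRAM SaltedPassword = PBKDF2-HMAC-SHA-256(password, salt, i), 32 bytes. */
    static byte[] saltedPassword(char[] password, ServerFirst sf) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, sf.salt(), sf.iterations(), 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not captured traffic.
        String clientNonce = "clientNonce123";
        String salt = Base64.getEncoder()
                .encodeToString("constructed-salt".getBytes(StandardCharsets.UTF_8));
        String prefix = "r=" + clientNonce + "serverPart456,s=" + salt + ",i=";
        String[] samples = {
            prefix + "4096",                 // ordinary value
            prefix + "2000000000",           // valid integer, but far above the ceiling
            prefix + "99999999999999999999"  // would overflow an int if parsed blindly
        };
        for (String sample : samples) {
            try {
                ServerFirst sf = parseServerFirst(sample, clientNonce);
                byte[] key = saltedPassword("example-password".toCharArray(), sf);
                System.out.println("accepted i=" + sf.iterations()
                        + ", derived " + key.length + " bytes");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Because the rejection happens before `generateSecret` is called, no worker thread is left computing after the caller gives up, which is the gap the advisory describes for loginTimeout.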

Version 25.10

  • The weblog datasource driver allows the selection of folders from the drive that contain *.log and *.csv files. These can be used in the Ad Hoc application, for example.
  • Bubble and Scatter charts support the Name Field setting now.
  • For the PDF export format, the standard PDF file version has been increased from 1.4 to 1.7.
  • Added support for Basic, Bearer and OAuth authorization for JSON, XML and Weblog data sources retrieved from HTTP(S) endpoints.
  • The weblog datasource now attempts to detect units from the second line of CSV files when commonly known units are used. This enhancement supports compatibility with the CSV File Structure Reporting Format (ESS-DIVE) specification.
  • Export format "Email" supports vertical alignment of the text now.
  • The security check to block unknown data sources (when the Allow unknown Data Sources option is disabled) did not work for non-JDBC data sources.

Version 25.4

  • Add support for the PDF standards PDF/A-2b, PDF/A-3b, PDF/A-4, PDF/UA-1 and PDF/UA-2 for PDF export.
  • The expression CurrentFieldValue in the formula for the custom group name returns the start of the group interval for date values. Previously it was the value of the first line of the group.
  • Supports the expression CurrentFieldValue in the custom group name formula in crosstab columns/rows.
  • Add a full system date/time format. Previously there were only short, medium and long system formats.
  • Add support for Can Grow for the elements of a crosstab.
  • Add support for Vertical Alignment of text elements.
  • Add support for Separate Label per Summarized Value for crosstab.

Ad Hoc

Version 26.4

  • Integration in Drive to export and/or edit .adhoc files.
  • Added an activation toggle and a "Default" provider option for Ad Hoc AI.
  • Component settings can be copied and inserted into the report as a new component. Inserting as a different component type is possible, but may not transfer all settings.
  • The export for the Designer (*.rpt file) can optionally embed the necessary data from the data source for support purposes.

Version 25.10

  • The uploading of *.xlsx files is supported.
  • Columns of type time are supported.
  • Method getColumn() from class com.inet.report.adhoc.server.api.dataview.DataFilter.DataFilterEntry has been renamed to getColumnKey()
  • The "Plotly Javascript" library that was used to render charts has been replaced by "Apache ECharts".
  • Chart theme settings no longer support underline font style for the title.
  • Public API's class DataField has been moved from package "com.inet.report.adhoc.server.api.renderer.chart.model" to "com.inet.report.adhoc.server.api.renderer".
  • The size of the margins depends on the selected paper format, in order to ensure better display, especially for small formats.
  • Added predefined dataviews returning the data for users and groups of the product.
  • Added support for AI assistance.

Version 25.4

  • This is the first version of the new Ad Hoc plugin with a new concept. It is easier to use and comes with many new features.
  • The new concept is based upon components that can be added to an Ad Hoc report. Initially these are: Charts, Tables and Crosstabs.
  • You can choose Themes and Layouts for the components. While Layouts include standards such as DIN and Web layouts, Themes can be created and customized in the Configuration application.
  • When creating Themes, each component can be customized.
  • Existing data sources can be used in a simplified user interface to select data from. Additionally, JSON, XML, and CSV are also supported and can be uploaded from the client or selected from the Drive.
  • There is a new Ad Hoc section in the Configuration application for creating data templates, which are presets. You define which data source to use, which tables to join and which fields are part of this template. Then you can predefine which fields should be set for a component, so that a user simply selects the data template and gets a component populated with data right out of the box.
  • Ad Hoc is connected to Drive and integrated into Task Planner. In addition, Ad Hoc files can be saved and loaded from the local file system, if the client supports this feature (currently Chrome, Brave and Edge).

Data Source Configuration

Version 25.4

Fixed Bugs

  • Error in the user interface when saving an incorrectly configured data source.

Factur-X / ZUGFeRD

Version 26.4

  • Empty elements in the Factur-X-XML are no longer allowed under the new ZUGFeRD specification and are therefore no longer written.

Fixed Bugs

  • Data was written multiple times for individual invoice line items.

Version 25.10

  • Empty elements in the Factur-X-XML are no longer allowed under the new ZUGFeRD specification and are therefore no longer written.
  • Not all data were written to the Factur-X-XML file.
  • Document fields could only be set once in the interface. Now, document fields can also occur multiple times if the Factur-X specification allows this.
  • Data were written multiple times for individual invoice line items.

Version 25.4

  • Update of the Factur-X specification to Factur-X 1.0.0.7 / ZUGFeRD 2.3.2
  • Setting a property again, which was only allowed to exist once in the Factur-X XML, generated a ReportException. The property is now overwritten.

i-net Designer

Version 25.10

Fixed Bugs

  • In single-page mode, it was not always possible to scroll to the next page using the mouse wheel while previewing a report. This issue could be resolved by temporarily switching to design view and back again.

Version 25.4

  • Cancelling the formula editor in the group dialog caused previously configured fields in the field boxes to be deleted.

Server Printing

Version 25.10

Fixed Bugs

  • Fixed error when creating new groups

AI

Version 26.4

  • Added a "Max Context Length (tokens)" property to AI providers which will intelligently attempt to shorten AI requests in case they would exceed a token limit.
  • Added activation toggles and a "Default" provider option for AI translations, with automatic migration of the legacy "use default provider" settings.
  • Removed all MCP client integration from the AI plugin, including MCP configuration, validation and MCP-specific documentation.
  • Added a GPT provider setting "Reasoning Level" to explicitly control reasoning_effort; automatic model-based defaults are no longer sent.

Fixed Bugs

  • Disabling the CoWork AI bot now fully disables all AI bot responses, including when replying to an existing AI message.
  • The link to the AI provider configuration dialog was incorrect in a couple of Task Planner components.
  • Fixed icons for the AI Trigger and Job in the Task Planner.

Version 25.10

  • Added a model dropdown list for the three primary providers (OpenAI, Gemini, and Claude) to the provider configuration in order to make it easier to choose your desired AI model.
  • New AI Provider option: Azure OpenAI
  • New OAuth Token option for hosting local LLMs via Ollama with authentication.
  • Added support for streaming APIs, providing chunked output as it arrives from the AI Provider.
  • Added support for function calling, providing the ability to provide the AI with tools it can call to fulfill its tasks.
  • Added support for MCP clients either via npm or python. These can be set in the Configuration by system administrators and they can be provided to the AI when sending requests - caution is advised in the usage of MCP clients.
  • As the automatic anonymization could not be guaranteed to work in all cases, it has been removed. If you require data privacy for your AI calls, we recommend using a local AI.
  • New AI Provider Type "custom" which makes it possible to provide any OpenAI-compatible endpoint to connect to.

Version 25.4

  • Added DeepSeek support as an AI Provider

Configuration

Version 26.4

Fixed Bugs

  • The parent category list when editing or creating a category was not being sorted correctly.

CoWork Calls

Version 26.4

  • Calls can be transcribed automatically. Optionally, a summary can be provided directly as a message in the channel after the call has ended. The function can be configured in the settings and currently supports OpenAI and local speech recognition via Vosk.

Version 25.10

  • Double-click in the call area to switch between full screen and normal display, if supported by the browser.

CoWork GIFs, powered by KLIPY

Version 26.4

  • With this plugin, i-net CoWork supports the insertion of GIF animations and memes into the conversation of a channel. The GIF selection is provided by Klipy. An application must be configured in the Klipy Partner site, where the Klipy API must be activated and an API key generated.

CoWork GIFs, powered by Tenor

Version 25.4

  • With this plugin, i-net CoWork supports the insertion of GIF animations and memes into the conversation of a channel. The GIF selection is provided by Tenor. An application must be configured in the Google Cloud Console, where the Tenor API must be activated and an API key generated.

Dashboard

Version 26.4

  • Dashboards with custom name, description, grouping, and visual appearance.
  • Grid-based layout with drag-and-drop widget placement, moving, and resizing.
  • Edit mode with toolbar for widget management including copy and paste.
  • Visualizations: Value, Gauge, Progress, Traffic Light, Rating, Pie, Doughnut, Bar, Line Chart, and Table.
  • Conditional highlighting with color rules based on value thresholds.
  • Chart options: axis orientation, legend position, and saveable color presets.
  • Real-time updates across all widgets.
  • Sharing with users and groups at three permission levels (read, write, manage).
  • Data owner mode to control whose data is displayed to viewers.
  • Dashboard import and export as .dashboard files.
  • Fullscreen mode for presentations and wall displays.
  • System widgets: Active Users, CPU, RAM, Disk Space, Certificate Expiration, HTTP Check, Time, Traffic Light, Image, Memo, Thread CPU Load, Error Log.
  • Extensible widget API for product-specific widgets.

Diagnostics

Version 26.4

  • In Diagnostics, you can now contact our support and include important log files and comparison results that may help resolve any issues you encounter.

Discord

Version 25.4

Security Fixes

  • Security Update for CVE-2025-55163
    • Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.

Drive

Version 26.4

  • Connection names can be assigned independently of file/folder names from the drive root. An ID is now used as the start path for connections instead of the name.
  • New connection names or drive root file/folder names must not be assigned in the format of an ID.

Fixed Bugs

  • When viewing by title, the list is now sorted correctly if no title is available.

Version 25.10

  • Files that were moved out of a user's home directory did not allow access to other users according to their permissions in the destination folder.

Version 25.4

  • New Feature Share to share files and folders with users and groups or to share to external users by a link
  • Added mount provider to mount local folders or UNC paths to Drive
  • The Drive's RootID changes to Drive, which can be used, e.g., by the WebAPI to address resources in the server's Drive.
  • Support for different Zip-Archive formats and features.
  • The preview image of folder now shows a fraction of the folder content as well.
  • Changed UI copy action: the context menu action copies the external URL, the details path action copies the internal URL for e.g. the TaskPlanner
  • Web API - Put + Multipart also creates folder structure.
  • Message when home directories are switched on/off in the button configuration.
  • New feature Open source for links and shares if you have access to the source.
  • Performance improvements in the UI for folders with a very large number of files.
  • Deleting a user will automatically remove all links to the home folder of this user.
  • Preview will now show small images that are not supported by Java.
  • Upload supported when running in a Tomcat context.

Error Notifications

Version 25.4

  • There are new options to define a fallback email server in case the default mail server has connection errors.
    • The fallback server will be used in case an error email can not be sent. It will not be used for other purposes.

Field Settings

Version 26.4

Fixed Bugs

  • Predefined fields can be duplicated without an error message being displayed.

Version 25.4

  • Text filtering selectable options of custom fields is now case insensitive.

FTP Transfer

Version 25.4

Security Fixes

  • Security Update for CVE-2025-30474
    • Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message. This issue affects Apache Commons VFS: before 2.10.0.

Help

Version 26.4

  • When an AI provider is configured, the search in the help offers an in-depth search and summary of a topic.

Version 25.4

  • Search allows you to skip forward and backward through the search results.
  • Pressing CTRL+F activates the server search. Pressing CTRL+F again starts the browser search. On macOS, use CMD+F.

Hosting

Version 25.4

  • Filter out fallback email settings for non-master users
  • Do not store fallback email settings in the backup
  • Allows administrative user accounts to add a master password if it is not set yet.

i-net CoWork

Version 26.4

  • No additional license is required for the "CoWork Calls" and "CoWork Meeting Rooms" plugins. These features are now available free of charge in all i-net software products with a valid product license.
  • The new CoWork Klipy plugin replaces the outdated CoWork Tenor plugin for providing GIF animations within i-net CoWork. The Tenor API will be discontinued in summer 2026.
  • Markdown attachments now support a preview overlay with rendered content.

Version 25.4

  • With the plugin 'CoWork GIFs, powered by Tenor' animated GIFs and memes can be inserted. This plugin can be installed via the store and the API key can be entered in the configuration.

Fixed Bugs

  • The underscore preview produced an underscore for the first character only and bold for the remaining characters.

JPEG 2000 image support

Version 25.4

Security Fixes

  • Security Update for CVE-2025-54874
    • OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG 2.5.3 and earlier, a call to opj_jp2_read_header may lead to OOB heap memory write when the data stream p_stream is too short and p_image is not initialized.

Mail Support

Version 25.10

Fixed Bugs

  • Signed S/MIME emails with content type application/pkcs7-mime; smime-type=signed-data; name="smime.p7m" are now read correctly.

Version 25.4

Security Fixes

  • Security Update for CVE-2025-7962
    • In Jakarta Mail 2.0.2 it is possible to perform an SMTP injection by utilizing the \r and \n UTF-8 characters to separate different messages.

Maintenance

Version 25.4

Fixed Bugs

  • Backups can be selected from the drive, if installed and accessible to the user.

Microsoft Teams

Version 26.4

Fixed Bugs

  • Updated the data format to the latest MS Teams adaptive card APIs.

Version 25.10

  • Added support for the new workflow-based "incoming webhooks".

Microsoft Word Document (.docx)

Version 26.4

Fixed Bugs

  • Reading color values from DOCX produced an error.
  • Improved table width handling for exported DOCX files with mixed tblW/tcW definitions, including percent and fixed-width edge cases.
  • Fixed multiple DOCX table width regressions where table and cell widths were interpreted differently than Microsoft Word in specific exported layouts.
  • Added missing line breaks.
  • Fixed several parser errors.

Version 25.10

  • Reading color values from DOCX produced an error.
  • Improved table width handling for exported DOCX files with mixed tblW/tcW definitions, including percent and fixed-width edge cases.
  • Fixed multiple DOCX table width regressions where table and cell widths were interpreted differently than Microsoft Word in specific exported layouts.
  • Added missing line breaks.
  • Fixed several parser errors.

PAM Authentication

Version 25.10

Fixed Bugs

  • Multiple LDAP servers can now be used as additional authentication sources, not just as fallbacks.

Passkeys Authentication

Version 25.10

  • If support for passkeys is not available in the current context, setting the focus in the user login field does not result in an error.

PDF Parser

Version 26.4

Fixed Bugs

  • Improvements to the handling of incorrect EI commands in PDF files

Version 25.10

  • PDF file was not displayed correctly due to incorrect scaling and clipping of the SMask
  • The setting for the visibility of annotations is taken from the PDF file.
  • Handling of the transfer function for SMask
  • Improvement to the default handling of missing "Isolate" values in groups and masks
  • Improvements to the handling of incorrect EI commands in PDF files

PDF Viewer

Version 26.4

  • Improved rotation of documents as well as page sizing functions.
  • When rotating the document, the scroll position is set to the top of the most recent page.

Version 25.10

  • Document rotation has been added. Use the rotation icon in the toolbar to turn the entire document counterclockwise.

Version 25.4

  • Integration of export formats for reports generated by i-net Clear Reports.

Fixed Bugs

  • Do not load the report file more than once the first time it is called up.
  • Printing a second PDF using the i-net HelpDesk Tickets application did not work.
  • Password protected PDFs could not be opened in the i-net HelpDesk Tickets application.

Product Authentication

Version 25.4

Security Fixes

  • The algorithm for password hashing has been changed from PBKDF2WithHmacSHA1 to PBKDF2WithHmacSHA256.

Remote GUI

Version 25.10

  • The tinymce library has been replaced by another, newer library.

SVG image embedding

Version 26.4

  • The fallback to the Batik SVG library has been removed. JSVG is now always used.

System Core

Version 26.4

  • Text searches using the inequality operators <> or != now behave as expected for fields consisting of multiple words.
  • The bundled Eclipse Temurin Java VM was updated to version 25.0.3.

Fixed Bugs

  • Fixes a NullPointerException in Configuration.equals if the "config.description" property was set.

Version 25.10

  • The bundled Eclipse Temurin Java VM was updated to version 21.0.11.
  • Fixed incorrect clipping
  • Performance optimization of alpha masks

Version 25.4

  • Permission "Manage Users and Groups" is split into three permissions to be able to grant access to limited parts of user management.
  • The bundled Eclipse Temurin Java VM was updated to version 21.0.8.
  • Fixes a NullPointerException during PDF export with *.otf fonts that do not contain a Private Dictionary.

Security Fixes

  • Security Update for CVE-2025-24970
    • Netty (4.1.91.Final–4.1.117.Final) has a vulnerability in SslHandler that can cause a native crash. Fixed in 4.1.118.Final. Workarounds: disable native SSLEngine or patch manually.
  • Security Update for CVE-2025-48734
    • Apache Commons BeanUtils updated to version 1.11.0 because of Access Control vulnerability.
  • Security Update for CVE-2025-58057
    • Netty (4.1.124.Final and below) has a vulnerability: when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit on how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit.

Task Planner

Version 26.4

  • Added a new "After Task" trigger that runs a task after a selected task has finished. The trigger can be configured to run always or only after successful completion of the task.
  • Added Groups to the Task Planner for powerful organization of tasks. Any task can optionally be added to a group, and group visibilities can be turned on and off in the task list on the left. Groups can be folded and unfolded.
  • Added a component search when adding a trigger, series, job, or action to a task. Simply start typing the name of a component to filter down the available components.

Fixed Bugs

  • If there were validation warnings in a task component and the view was scrolled down, the warning messages were hidden above the visible content.

Version 25.10

  • Importing tasks without a name using the WebAPI generates a custom name for these tasks.
  • Saving a file with the "Save File" action will no longer save the file with a doubled file extension such as ".pdf.pdf" in case the extension was entered as the file name.
  • Email addresses for the Email action now allow placeholders from jobs (such as "{Email}") without giving validation messages that the address is not valid.
  • Tasks can now be created and marked as "system tasks" which means they are not owned by a specific user and can only be seen and edited by users with configuration and task planner administration privileges. When these tasks run, they run with full privileges.
  • The Task Planner action "Email" now allows for rich text entry for the editing step.
  • Enable Server Maintenance Mode to stop all internal operations before performing a backup or shutdown. This mode cannot be disabled within the application and requires restarting the server.
  • When updating the server to a new version, some result actions would have their conditional execution setting be reset.

Version 25.4

  • The Email Result Action allows for adding CC and BCC email addresses.

Users and Groups

Version 26.4

Fixed Bugs

  • No error occurs when saving a user after changing a field that has an icon (e.g. Location).

Version 25.10

  • Groups could only be deleted if you had allowed the deletion of users in the configuration.

Version 25.4

  • Users and groups are sorted in the usual linguistic way. (ABC comes before ABC-2)

Web API

Version 25.10

  • Added .search for some Web API endpoints so that users can request a list of search tags that can be used with the search query, e.g. for Users and Groups.

Version 25.4

  • Request parameters can be defined. They are sent as form data with POST and PUT requests, and as URL parameters in all other cases.
  • Request parameters are read from the URL when the UI is opened, so that they are automatically set and sent to the server.

Web Server

Version 26.4

  • The Let's Encrypt update task now checks the remaining validity period of the certificate. There is now also a condition for the following action depending on whether the certificate has been created or still has sufficient remaining validity.

Version 25.4

  • Allow SSL certificates to be uploaded to the server in the Configuration application
  • Added a Web API to also upload and reload SSL certificates.
  • Added a backup and restore job for SSL certificates to the maintenance application
    • Here, it does not matter which type of certificate is currently configured - all types with certificates available will be backed up and can be restored.

Fixed Bugs

  • If LetsEncrypt was not available, two certificate sections were displayed, one for the upload and one for the fixed file.

Security Fixes

  • Security Update for CVE-2025-1948
    • In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE.
    • The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.
  • Security Update for CVE-2025-8671
    • A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection.