
8761 matches found

Cvelist
added 2026/05/12 8:35 a.m. | 33 views

CVE-2026-8159 multiparty vulnerable to ReDoS via filename parsing

multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any...

CVSS 7.5 | EPSS 0.00335
Exploits: 0 | References: 3
CVE
added 2026/05/12 8:35 a.m. | 12 views

CVE-2026-8159

CVE-2026-8159 affects multiparty versions 4.2.3 and older, where the Content-Disposition filename parameter parser is vulnerable to denial-of-service via regex backtracking. A crafted multipart upload with a long header value can cause the regex engine to backtrack for seconds, blocking the event...

CVSS 7.5 | AI score 5.8 | EPSS 0.00335
Exploits: 0 | References: 3 | Affected Software: 1
ATTACKERKB
added 2026/05/12 8:35 a.m. | 4 views

CVE-2026-8159

multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any...

CVSS 7.5 | AI score 5.8 | EPSS 0.00335
Exploits: 0 | References: 4
Vulnrichment
added 2026/05/12 8:35 a.m. | 7 views

CVE-2026-8159 multiparty vulnerable to ReDoS via filename parsing

multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any...

CVSS 7.5 | AI score 5.8 | EPSS 0.00335
Exploits: 0 | References: 3
Debian CVE
added 2026/05/12 8:35 a.m. | 7 views

CVE-2026-8159

multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any...

CVSS 7.5 | AI score 5.8 | EPSS 0.00335
Exploits: 0
Cvelist
added 2026/05/12 8:21 a.m. | 32 views

CVE-2026-25789

Affected devices do not properly validate and sanitize filenames on the Firmware Update page. This could allow a remote attacker to social engineer the user into selecting the modified firmware file to be uploaded. This would result in malicious JavaScript execution in the context of the...

CVSS 7.2 | EPSS 0.00274
Exploits: 0 | References: 1
CVE
added 2026/05/12 8:21 a.m. | 25 views

CVE-2026-25789

Technical details about CVE-2026-25789 are not publicly available in the provided documents. Monitor for updates from Siemens and CVE records.

CVSS 7.2 | AI score 5.9 | EPSS 0.00274
Exploits: 0 | References: 1
Vulnrichment
added 2026/05/12 8:21 a.m. | 7 views

CVE-2026-25789

Affected devices do not properly validate and sanitize filenames on the Firmware Update page. This could allow a remote attacker to social engineer the user into selecting the modified firmware file to be uploaded. This would result in malicious JavaScript execution in the context of the...

CVSS 7.2 | AI score 5.9 | EPSS 0.00274
Exploits: 0 | References: 1
GithubExploit
added 2026/05/12 7:43 a.m. | 97 views

Exploit for CVE-2026-5718

CVE-2026-5718 Local Docker Lab Local-only vulnerable vs patch...

CVSS 8.1 | AI score 6.2 | EPSS 0.0403
Exploits: 3
CNNVD
added 2026/05/12 12:00 a.m. | 5 views

multiparty security vulnerability

multiparty is a Node.js module developed by pillarjs for parsing HTTP multipart/form-data requests. Versions of multiparty 4.2.3 and earlier contained security vulnerabilities. These vulnerabilities stemmed from regular expression backtracking in the Content-Disposition filename parameter parser,...

CVSS 7.5 | AI score 5.8 | EPSS 0.00335
Exploits: 0 | References: 1
Positive Technologies
added 2026/05/12 12:00 a.m. | 7 views

PT-2026-39998

Name of the Vulnerable Software and Affected Versions: multiparty versions 4.2.3 and earlier. Description: A denial of service occurs due to an uncaught exception during the parsing of multipart/form-data requests. When a request contains a Content-Disposition header with a filename parameter...

CVSS 7.5 | AI score 5.8 | EPSS 0.00279
Exploits: 0 | References: 8
Positive Technologies
added 2026/05/12 12:00 a.m. | 18 views

PT-2026-39986

Affected devices do not properly validate and sanitize filenames on the Firmware Update page. This could allow a remote attacker to social engineer the user into selecting the modified firmware file to be uploaded. This would result in malicious JavaScript execution in the context of the...

CVSS 7.2 | AI score 5.9 | EPSS 0.00274
Exploits: 0 | References: 2
Positive Technologies
added 2026/05/12 12:00 a.m. | 8 views

PT-2026-39996

Name of the Vulnerable Software and Affected Versions: multiparty versions prior to 4.3.0. Description: A denial of service issue exists due to regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload containing a long header value can cause...

CVSS 7.5 | AI score 5.8 | EPSS 0.00335
Exploits: 0 | References: 10
Positive Technologies
added 2026/05/12 12:00 a.m. | 9 views

PT-2026-40449

Name of the Vulnerable Software and Affected Versions: Heym versions prior to 0.0.21. Description: Authenticated users can write attacker-controlled files to arbitrary locations by supplying a crafted filename with traversal sequences. This occurs due to an unvalidated filename parameter in the uplo...

CVSS 7.6 | AI score 5.9 | EPSS 0.00355
Exploits: 0 | References: 7
Tenable Nessus
added 2026/05/12 12:00 a.m. | 6 views

Security Updates for Microsoft Word Products (May 2026)

The Microsoft Word Products are missing a security update. They are, therefore, affected by multiple vulnerabilities: - Access of resource using incompatible type 'type confusion' in Microsoft Office Word allows an unauthorized attacker to execute code locally. CVE-2026-40364 - Use after free in...

CVSS 8.4 | AI score 5.9 | EPSS 0.04421
Exploits: 0 | References: 7
ATTACKERKB
added 2026/05/11 9:17 p.m. | 4 views

CVE-2026-42564

jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/filename. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside...

CVSS 8.2 | AI score 5.8 | EPSS 0.00318
Exploits: 0 | References: 2 | Affected Software: 1
Cvelist
added 2026/05/11 3:44 p.m. | 30 views

CVE-2026-42845 Grav: Anonymous Page Content Overwrite via Form File Upload filename Override

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, there is an unauthenticated page-content overwrite via file upload GHSA-w4rc-p66m-x6qq. Public form uploads now strip path components from the POST-supplied filename and hard-block page-content extensions md, yaml...

CVSS 8.7 | EPSS 0.00622
Exploits: 0 | References: 2
CNNVD
added 2026/05/11 12:00 a.m. | 6 views

jotty·page path traversal vulnerability

Jotty·Page is a self-hosted inventory and note management application developed by fccview. Versions of Jotty·Page prior to 1.22.0 contained a path traversal vulnerability. This vulnerability stems from unauthorized path traversal in the /api/appIcons/filename route, which could lead to file...

CVSS 8.2 | AI score 5.8 | EPSS 0.00318
Exploits: 0 | References: 1
Tenable Nessus
added 2026/05/11 12:00 a.m. | 3 views

Unity Linux 20.1060e / 20.1070e Security Update: ruby (UTSA-2026-017539)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017539 advisory. In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename. Tenable has...

CVSS 7 | AI score 6.1 | EPSS 0.0148
Exploits: 0 | References: 4
OSV
added 2026/05/09 12:33 p.m. | 10 views

OESA-2026-2276 python-python-multipart security update

A streaming multipart parser for Python. Security Fixes: Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True. An attacker can write uploaded...

CVSS 8.6 | AI score 6.9 | EPSS 0.01761
Exploits: 5 | References: 2