Lucene search
+L

1543 matches found

redhatcve
redhatcve
added 3 days ago5 views

CVE-2026-53538

A flaw was found in Python-Multipart, a tool used for processing web form data. A remote attacker could exploit a vulnerability where the software incorrectly interprets certain characters as separators in web form data. This difference in interpretation compared to standard web practices allows ...

4.8CVSS6.1AI score0.00176EPSS
Exploits0References4
redhatcve
redhatcve
added 5 days ago8 views

CVE-2026-52747

A flaw was found in ModSecurity, an open-source web application firewall WAF. The multipart/form-data request body parser in libmodsecurity incorrectly handles embedded line breaks in non-file form-field values. This discrepancy between ModSecurity and backend applications, which preserve line...

8.6CVSS6.1AI score0.00476EPSS
Exploits1References6
osv
osv
added 6 days ago3 views

DEBIAN-CVE-2026-52747

ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. Prior to 3.0.16, the multipart/form-data request body parser in libmodsecurity silently removes embedded line breaks from non-file form-field values before exporting them to ARGS and...

8.6CVSS6AI score0.00476EPSS
Exploits1References1
nvd
nvd
added 6 days ago9 views

CVE-2026-52747

ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. Prior to 3.0.16, the multipart/form-data request body parser in libmodsecurity silently removes embedded line breaks from non-file form-field values before exporting them to ARGS and...

8.6CVSS0.00476EPSS
Exploits1References3
osv
osv
added 6 days ago2 views

UBUNTU-CVE-2026-52747

ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. Prior to 3.0.16, the multipart/form-data request body parser in libmodsecurity silently removes embedded line breaks from non-file form-field values before exporting them to ARGS and...

8.6CVSS6AI score0.00476EPSS
Exploits1References5
cve
cve
added 6 days ago19 views

CVE-2026-52747

Summary of CVE-2026-52747 ModSecurity (the open‑source WAF engine for Apache/IIS/Nginx) prior to version 3.0.16 contains a parsing bug in the multipart/form-data body processor. Specifically, the libmodsecurity multipart parser silently removes embedded line breaks from non-file form-field values...

8.6CVSS6AI score0.00476EPSS
Exploits1References3Affected Software1
osv
osv
added 6 days ago3 views

CVE-2026-52747 ModSecurity: Multipart form-data parser silently strips embedded line breaks from form-field values, enabling request-body inspection bypass

ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. Prior to 3.0.16, the multipart/form-data request body parser in libmodsecurity silently removes embedded line breaks from non-file form-field values before exporting them to ARGS and...

8.6CVSS6AI score0.00476EPSS
Exploits1References5
redhat
redhat
added 6 days ago7 views

form-data: form-data: Form field override via CRLF injection

A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return CR, line feed LF, or double-quote " characters into the field argument of FormDataappend or the filename option. This allows th...

8.7CVSS6.1AI score0.00409EPSS
Exploits0References11
nvd
nvd
added 2026/07/08 9:16 p.m.8 views

CVE-2026-56669

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to 1.4.29, Elysia uses getAll in form data normalization for multipart/form-data endpoints, causing the amount of work to grow quadratically with the number of...

7.5CVSS0.00358EPSS
Exploits0References4
osv
osv
added 2026/07/08 8:25 p.m.4 views

CVE-2026-56669 Elysia: Inefficient Algorithmic Complexity and Interpretation Conflict

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to 1.4.29, Elysia uses getAll in form data normalization for multipart/form-data endpoints, causing the amount of work to grow quadratically with the number of...

7.5CVSS6.1AI score0.00358EPSS
Exploits0References6
cve
cve
added 2026/07/08 8:25 p.m.14 views

CVE-2026-56669

Elysia (a TypeScript framework for request validation, type inference, OpenAPI docs, and client-server communication) contains a vulnerability (CVE-2026-56669) caused by using getAll in form data normalization for multipart/form-data endpoints prior to 1.4.29. This leads to quadratic growth in wo...

7.5CVSS6AI score0.00358EPSS
Exploits0References4
osv
osv
added 2026/07/07 12:57 p.m.8 views

ROOT-APP-NPM-CVE-2025-7783 CVE-2025-7783 in @rootio/form-data - Patched by Root

Root has patched CVE-2025-7783 in the @rootio/form-data package for Root:npm. Multiple fixed versions available...

5.4CVSS7.5AI score0.01735EPSS
Exploits1
osv
osv
added 2026/07/07 12:57 p.m.19 views

ROOT-APP-NPM-CVE-2026-12143 CVE-2026-12143 in @rootio/form-data - Patched by Root

Root has patched CVE-2026-12143 in the @rootio/form-data package for Root:npm. Multiple fixed versions available...

8.7CVSS5.2AI score0.00409EPSS
Exploits0
redhatcve
redhatcve
added 2026/07/01 2:30 p.m.25 views

CVE-2026-54283

A flaw was found in Starlette where the request.form method silently ignores configured resource limits maxfields and maxpartsize when parsing application/x-www-form-urlencoded data. An unauthenticated attacker can exploit this by sending a urlencoded request body with an arbitrarily large number...

7.5CVSS5.6AI score0.00275EPSS
Exploits0References4
cvelist
cvelist
added 2026/06/30 9:6 p.m.38 views

CVE-2026-58448 yudao-cloud < 2026.06 - BPM Module Broken Access Control via process-instance API

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation...

7.1CVSS0.00235EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/30 12:0 a.m.9 views

PT-2026-54440

Name of the Vulnerable Software and Affected Versions AdonisJS versions 10.1.3 through 10.1.4 AdonisJS versions 11.0.0-next.9 through 11.0.2 Description An incomplete fix in the @adonisjs/bodyparser module allows for prototype pollution via nested multipart field payloads. While direct payloads a...

8.6CVSS6.5AI score0.00148EPSS
Exploits0References10
redhatcve
redhatcve
added 2026/06/29 4:8 p.m.7 views

CVE-2026-12143

A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return CR, line feed LF, or double-quote " characters into the field argument of FormDataappend or the filename option. This allows th...

8.7CVSS5.8AI score0.00409EPSS
Exploits0References10
euvd
euvd
added 2026/06/27 5:33 a.m.8 views

EUVD-2026-39945

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

5.3CVSS5.8AI score0.00281EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/06/24 12:0 a.m.14 views

PT-2026-51650

Name of the Vulnerable Software and Affected Versions ARForms versions prior to 7.1.4 Description Insufficient input sanitization and output escaping in the ARForms plugin allow unauthenticated attackers to perform Stored Cross-Site Scripting XSS. By exploiting the value parameter of the arf save...

7.2CVSS6AI score0.0019EPSS
Exploits0References7
osv
osv
added 2026/06/23 12:31 p.m.5 views

CVE-2026-54892 Plug: quadratic-time decoding of nested query/body parameters enables denial of service

Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 and Plug.Conn.Query.decodeeach/2 parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many...

8.7CVSS6AI score0.00707EPSS
Exploits0References13
Rows per page
Query Builder