186 matches found

NVD
added 6 days ago, 7 views

CVE-2026-54283

Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form accepts maxfields and maxpartsize to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An...

CVSS 7.5 | EPSS 0.00275
Exploits 0 | References 1
OSV
added 6 days ago, 3 views

DEBIAN-CVE-2026-53539

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two-step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead...

CVSS 7.5 | AI score 6.1 | EPSS 0.00263
Exploits 0 | References 1
ATTACKERKB
added 6 days ago, 4 views

CVE-2026-53539

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two-step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead...

CVSS 7.5 | AI score 6.1 | EPSS 0.00263
Exploits 0 | References 2 | Affected Software 1
ATTACKERKB
added 6 days ago, 3 views

CVE-2026-54283

Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form accepts maxfields and maxpartsize to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An...

CVSS 7.5 | AI score 5.9 | EPSS 0.00275
Exploits 0 | References 2 | Affected Software 1
AstraLinux
added 2026/06/19 11:10 a.m., 3 views

Astra Linux - Vulnerability in Golang-1.23

The net/url package does not limit the number of query parameters in a query. Although the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing man...

CVSS 7.5 | AI score 6.8 | EPSS 0.00761
Exploits 0 | References 2
AstraLinux
added 2026/06/19 11:10 a.m., 4 views

Astra Linux - Vulnerability in Golang-1.19

Parsing multipart forms can consume large amounts of CPU and memory when processing form inputs containing a very large number of parts. This occurs due to several reasons:
1. The mime/multipart.Reader.ReadForm method limits the total memory that a parsed multipart form can consume. ReadForm may...

CVSS 7.5 | AI score 6.6 | EPSS 0.01466
Exploits 0 | References 1
AstraLinux
added 2026/06/19 11:10 a.m., 5 views

Astra Linux - Vulnerability in Golang-1.19

A denial of service may occur due to excessive resource consumption in the net/http and mime/multipart libraries. Parsing multipart forms using mime/multipart.Reader.ReadForm can consume a largely unlimited amount of memory and disk space. This issue also affects form parsing in the net/http...

CVSS 7.5 | AI score 6.7 | EPSS 0.01231
Exploits 0 | References 1
OSV
added 2026/06/15 8:39 p.m., 3 views

GHSA-82W8-QH3P-5JFQ Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS

Summary: request.form accepts maxfields and maxpartsize to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an...

CVSS 7.5 | AI score 5.5 | EPSS 0.00275
Exploits 0 | References 2
Github Security Blog
added 2026/06/15 8:24 p.m., 11 views

python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service

Summary: When parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two-step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead did it fall back to scanning for ;. For a body that uses ; as the...

CVSS 7.5 | AI score 5.6 | EPSS 0.00263
Exploits 0 | References 2 | Affected Software 1
OSV
added 2026/06/15 8:24 p.m., 4 views

GHSA-5RVQ-CXJ2-64VF python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service

Summary: When parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two-step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead did it fall back to scanning for ;. For a body that uses ; as the...

CVSS 7.5 | AI score 5.6 | EPSS 0.00263
Exploits 0 | References 2
Positive Technologies
added 2026/06/15 12:00 a.m., 13 views

PT-2026-49597

Name of the Vulnerable Software and Affected Versions: Starlette (affected versions not specified); FastAPI (affected versions not specified).
Description: A Denial of Service (DoS) issue exists in the request.form function when processing application/x-www-form-urlencoded requests. While limits for max...

CVSS 7.5 | AI score 5.8 | EPSS 0.00275
Exploits 0 | References 7
GithubExploit
added 2026/05/31 3:16 p.m., 68 views

py-xss-scanner

Python Reflected XSS Scanner. A command-l...

AI score 5.8
Exploits 0
OSV
added 2026/04/24 11:00 a.m., 4 views

CLSA-2026-1772465492 podman: Fix of 4 CVEs

Rebuild with newer golang version 1.25.7-1.el96.tuxcare.els1 to fix the following CVEs:
- CVE-2025-68121: fix TLS session resumption bypass by preventing shared auto-rotated ticket keys in Config and validating full certificate chain expiry
- CVE-2025-61726: limit parsed URL query parameters to...

CVSS 10 | AI score 7.1 | EPSS 0.00765
Exploits 4 | References 1
RedHat Linux
added 2026/04/13 12:51 p.m., 8 views

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

CVSS 7.5 | AI score 6.7 | EPSS 0.00761
Exploits 0 | References 8
EUVD
added 2026/04/03 3:40 a.m., 1 view

EUVD-2026-18186

wisp has Allocation of Resources Without Limits or Throttling...

CVSS 8.7 | AI score 5.9 | EPSS 0.00622
Exploits 0 | References 3
NVD
added 2026/04/02 11:16 a.m., 6 views

CVE-2026-32145

Allocation of Resources Without Limits or Throttling vulnerability in gleam-wisp wisp allows a denial of service via multipart form body parsing. The multipartbody function bypasses configured maxbodysize and maxfilessize limits. When a multipart boundary is not present in a chunk, the parser tak...

CVSS 8.7 | EPSS 0.00622
Exploits 0 | References 4
CNNVD
added 2026/04/02 12:00 a.m., 5 views

Wisp security vulnerability

Wisp is a practical, open-source Gleam web framework designed for rapid development and easy maintenance. Versions of Wisp from 0.2.0 to 2.2.2 contained security vulnerabilities. These vulnerabilities stemmed from a flaw in multipart form parsing that bypassed resource limits,...

CVSS 8.7 | AI score 5.8 | EPSS 0.00622
Exploits 0 | References 3
Tenable Nessus
added 2026/04/01 12:00 a.m., 8 views

TencentOS Server 3: osbuild-composer (TSSA-2026:0204)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0204 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...

CVSS 10 | AI score 6.9 | EPSS 0.00765
Exploits 1 | References 3
OSV
added 2026/03/20 3:56 p.m., 3 views

GHSA-WHHV-GG5V-864R Qwik City has array method pollution in FormData processing allows type confusion and DoS

Summary: Qwik City improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays...

CVSS 7.5 | AI score 5.9 | EPSS 0.00427
Exploits 0 | References 4
RedHat Linux
added 2026/03/18 1:19 p.m., 6 views

Important: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.24 security update

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity...

CVSS 9.8 | AI score 7.1 | EPSS 0.02772
Exploits 4 | References 13