EUVD-2026-33723

parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: undertow (UTSA-2026-021493)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-021493 advisory. A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParseStreamSourceChannel method to...

CVE-2026-42561 Python-Multipart: Denial of Service via unbounded multipart part headers

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individu...

CVE-2026-32701

Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be writte...

CVE-2026-33241

Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations formdata method and Extractible macro do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory OOM conditions by sending extremely...

salvo 安全漏洞

Salvo is a web framework developed by Salvo OpenSource. Versions of Salvo prior to 0.89.3 contained security vulnerabilities. These vulnerabilities stemmed from the lack of enforcement of payload size limits in the form data parsing mechanism, which could lead to memory exhaustion and service...

CVE-2026-33241 Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing

Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations formdata method and Extractible macro do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory OOM conditions by sending extremely...

CVE-2026-33241 Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing

Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations formdata method and Extractible macro do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory OOM conditions by sending extremely...

CVE-2026-33241 Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing

Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations formdata method and Extractible macro do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory OOM conditions by sending extremely...

CVE-2026-33241

Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations formdata method and Extractible macro do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory OOM conditions by sending extremely...

CVE-2026-33241

CVE-2026-33241 entry is reserved, but connected advisories identify a concrete vulnerability in Salvo: the form data parsing implementations (form_data() and the Extractible macro) do not enforce payload size limits before reading request bodies into memory, enabling Out-of-Memory DoS. Three atta...

Qwik City has array method pollution in FormData processing allows type confusion and DoS

Summary Qwik City improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays...

CVE-2026-32701

Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be writte...

CVE-2026-32701

Qwik (JavaScript framework) contains a vulnerability in FormData parsing prior to version 1.19.2. When processing application/x-www-form-urlencoded or multipart/form-data, dotted field names (e.g., items.0, items.1) are converted into nested structures. If a path is interpreted as an array, attac...

CVE-2026-32701 Qwik has array method pollution in FormData processing, allowing type confusion and DoS

Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be writte...

CVE-2026-32701

Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be writte...

PT-2026-26593

Summary Qwik City improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays...

GHSA-PP9R-XG4C-8J4X Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing

Summary Salvo's form data parsing implementations formdata method and Extractible macro do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory OOM conditions by sending extremely large payloads, leading to service crashes and...

Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing

Summary Salvo's form data parsing implementations formdata method and Extractible macro do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory OOM conditions by sending extremely large payloads, leading to service crashes and...

undertow: OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded

A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParseStreamSourceChannel method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows...