124 matches found
CVE-2026-42854
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP head...
CVE-2026-42854 arduino-esp32: Stack buffer overflow in WebServer multipart boundary parsing leads to remote crash / potential RCE
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP head...
Astra Linux - vulnerability in libmicrohttpd
GNU libmicrohttpd before version 0.9.76 allowed remote Denial of Service attacks due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor method. This allowed attackers to remotely send a malicious HTTP POST packet that included one or more '\0' byte...
Linux Distros Unpatched Vulnerability : CVE-2026-26961
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from...
GHSA-VGPV-F759-9WX3 Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.
Summary Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermedia...
EUVD-2026-18368
Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass...
CVE-2026-26961
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one...
CVE-2026-26961 Rack: Multipart Boundary Parsing Ambiguity allowing WAF Bypass
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one...
CLSA-2026-1772617597 nodejs: Fix of 2 CVEs
CVE-2025-22150: fix issue where undici used Math.random to choose boundary for multipart/form-data request, now uses secure random number generator - CVE-2023-39333: fix maliciously crafted export names injection of JavaScript code - Run full Node.js tests in %check - Fix comment typo in spec...
USN-7976-1: Form-Data vulnerability
Ben Shonaldmann discovered that Form-data incorrectly generated boundary values for multipart form-encoded data, leading to predictable values. A remote attacker could possibly use this issue to make arbitrary requests to internal systems...
SUSE-SU-2025:3919-1 Security update for nodejs18
This update for nodejs18 fixes the following issues: - CVE-2025-7783: Switched away from Math.random in boundary values for multipart form-encoded data (bsc#1246818)...
CLSA-2025-1760026053 libmicrohttpd: Fix of CVE-2023-27371
CVE-2023-27371: Fix improper parsing of multipart/form-data boundary in MHD_create_post_processor to prevent remote DoS vulnerability...
EUVD-2025-6815
Malicious code in bioql PyPI...
EUVD-2025-6952
Malicious code in bioql PyPI...
EUVD-2024-0024
Malicious code in bioql PyPI...
EUVD-2025-6930
Malicious code in bioql PyPI...
EUVD-2025-6868
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2023-27371
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c...
Medium: libmicrohttpd
Issue Overview: GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0'...
CVE-2024-7999
A vulnerability in open-webui/open-webui version 79778fa allows an attacker to cause a Denial of Service (DoS) by uploading a file with a malformed multipart boundary. By appending a large number of characters to the end of the multipart boundary, the server continuously processes each character,...