Lucene search
K

894 matches found

OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-297 BentoML SSRF Vulnerability in File Upload Processing

Description There's an SSRF in the file upload processing system that allows remote attackers to make arbitrary HTTP requests from the server without authentication. The vulnerability exists in the serialization/deserialization handlers for multipart form data and JSON requests, which automatical...

9.9CVSS6AI score0.11883EPSS
Exploits1References6
Cvelist
Cvelist
added 2026/06/23 4:26 p.m.41 views

CVE-2026-55446 Langflow: Unauthenticated DoS through multipart form boundary file upload

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.0.19, an attacker can send a /api/v1/files/upload/ request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all users for an...

7.5CVSS0.00321EPSS
Exploits1References2
Tenable Nessus
Tenable Nessus
added 2026/06/23 12:0 a.m.17 views

Linux Distros Unpatched Vulnerability : CVE-2026-53537

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with...

5.3CVSS6AI score0.00177EPSS
Exploits0References3
NVD
NVD
added 2026/06/22 9:16 p.m.11 views

CVE-2026-55603

http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with...

7.5CVSS0.00243EPSS
Exploits1References1
CVE
CVE
added 2026/06/22 8:7 p.m.43 views

CVE-2026-55603

CVE-2026-55603 affects http-proxy-middleware (Node.js). In versions 3.0.4–3.0.7 and 4.1.1, fixRequestBody() rebuilds multipart/form-data by interpolating req.body into the wire format without neutralizing CR/LF. This can let an attacker inject a new multipart part (via unescaped CRLF in keys/valu...

7.5CVSS5.9AI score0.00243EPSS
Exploits1References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/22 8:7 p.m.5 views

CVE-2026-55603

http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with...

7.5CVSS5.9AI score0.00243EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/06/22 8:7 p.m.25 views

CVE-2026-55603 http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`

http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with...

7.5CVSS0.00243EPSS
Exploits1References1
Debian CVE
Debian CVE
added 2026/06/22 4:57 p.m.6 views

CVE-2026-53537

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=...,...

5.3CVSS5.9AI score0.00177EPSS
Exploits0
Cvelist
Cvelist
added 2026/06/22 4:57 p.m.32 views

CVE-2026-53537 Python-Multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=...,...

3.7CVSS0.00177EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.3 views

Astra Linux – Vulnerability in Golang-1.19

When parsing a multipart form—either explicitly using Request.ParseMultipartForm or implicitly using Request.FormValue, Request.PostFormValue, or Request.FormFile—limits on the total size of the parsed form were not applied to the memory consumed when reading a single form line. This allowed...

6.5CVSS6.8AI score0.01165EPSS
Exploits0References2
Patchstack
Patchstack
added 2026/06/18 1:6 p.m.19 views

NPM: http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`

NPM: http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in fixRequestBody vulnerability discovered by ? in WordPress Npm http-proxy-middleware versions = 3.0.4, 3.0.7...

7.5CVSS5.8AI score0.00243EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:6 p.m.13 views

http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`

Summary fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with handlerFormDataBodyData, which interpolates each req.body key and value directly in...

7.5CVSS5.4AI score0.00243EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.14 views

PT-2026-50735

Name of the Vulnerable Software and Affected Versions http-proxy-middleware versions 3.0.4 through 3.0.6 http-proxy-middleware versions prior to 4.1.1 Description An issue exists in the fixRequestBody helper function when the outgoing Content-Type is set to multipart/form-data. The function uses...

7.5CVSS5.8AI score0.00243EPSS
Exploits1References5
OSV
OSV
added 2026/06/17 8:36 a.m.2 views

SUSE-SU-2026:22151-1 Security update for python-starlette

This update for python-starlette fixes the following issues - CVE-2025-54121: denial-of-service when parsing a multi-part form with large files bsc1246855. - CVE-2025-62727: DoS via Range header merging bsc1252805. - CVE-2026-48710: Missing Host header validation poisons request.url.path, bypassi...

7.5CVSS6.1AI score0.01438EPSS
Exploits2References7
Snyk
Snyk
added 2026/06/15 8:20 p.m.11 views

Interpretation Conflict

Overview python-multipart is an A streaming multipart parser for Python Affected versions of this package are vulnerable to Interpretation Conflict through the parseoptionsheader function. An attacker can bypass field name or filename-based access controls, or manipulate file upload destinations ...

6.3CVSS5.4AI score0.00177EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/15 8:20 p.m.16 views

python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters

Summary parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=..., and the filename0/filename1 continuation form is decoded and surfaced...

5.3CVSS5.3AI score0.00177EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/15 1:56 p.m.12 views

CVE-2026-5079 multer vulnerable to Denial of Service via deeply nested field names

Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of...

7.5CVSS5.3AI score0.00278EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.22 views

PT-2026-49233

Name of the Vulnerable Software and Affected Versions multer versions 1.0.0 through 2.1.1 multer version 3.0.0-alpha.1 Description A Denial of Service issue exists due to the way the append-field dependency parses bracket notation in field names within multipart form data. Because there is no lim...

7.5CVSS5.3AI score0.00278EPSS
Exploits0References9
NVD
NVD
added 2026/06/12 7:16 p.m.27 views

CVE-2026-12143

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the field argument to FormDataappend and the filename option are concatenated verbatim into the Content-Disposition header without escaping carriage return CR, line feed LF, or double-quote "...

8.7CVSS0.00409EPSS
Exploits0References18
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.19 views

PT-2026-48950

Name of the Vulnerable Software and Affected Versions form-data versions prior to 2.5.6 form-data versions prior to 3.0.5 form-data versions prior to 4.0.6 Description The field argument to FormDataappend and the filename option are concatenated verbatim into the Content-Disposition header withou...

8.7CVSS5.2AI score0.00409EPSS
Exploits0References18
Rows per page
Query Builder