@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters
Impact: The two parsers resolved duplicates inconsistently and silently:
- Content.disposition retained the last occurrence of each parameter.
- Content.type retained the first occurrence of charset and boundary.
Either behavior creates a parameter-smuggling primitive when another component in the...
Prototype Pollution
Overview: parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Affected versions of this package are vulnerable to Prototype Pollution via the parseFormData process. An attacker can modify the prototype of all plain objects in the running process by...
Kedro: Path Traversal in versioned dataset loading via unsanitized version string
Impact: The `_get_versioned_path` method in `kedro/io/core.py` constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as `../` are preserved and can escape the intended versioned...
CVE-2026-31865
Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution (e.g. via `__proto__`). This issue is patched in 1.4.27. As a workaround, use t.Cookie validatio...
PT-2026-25974
Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution (e.g. via `__proto__`). This issue is patched in 1.4.27. As a workaround, use t.Cookie validati...
Apollo Federation vulnerable to prototype pollution via incomplete key sanitization
Impact: A vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in the gateway directly by crafting operations with field aliases and/or variable names that target...
CVE-2025-54368 uv is vulnerable to ZIP payload obfuscation through parsing differentials
uv is a Python package and project manager written in Rust. In versions 0.8.5 and earlier, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. An attacker could contrive a ZIP archive that would extract with...
github.com/jaredallard/archives Has Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Impact: A malicious user could feed a specially crafted archive to this library causing RCE, modification of files or other bad things in the context of whatever user is running this library as, through the program that imports it. The severity highly depends on the user's permissions and...
PT-2025-4626 · Unknown · Digitimber Cpanel Integration
Name of the Vulnerable Software and Affected Versions: DigiTimber cPanel Integration versions 1.4.6 and earlier. Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on the web...
PT-2024-31422 · Ibm · Ibm Cognos Analytics
Name of the Vulnerable Software and Affected Versions: IBM Cognos Analytics versions 11.2.0 through 11.2.4 and IBM Cognos Analytics versions 12.0.0 through 12.0.3. Description: The issue could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to...
PT-2023-30960 · Unknown · Mkrapel Regiones Y Ciudades De Chile Para Wc
Name of the Vulnerable Software and Affected Versions: MkRapel Regiones y Ciudades de Chile para WC versions through 4.3.0. Description: A Cross-Site Request Forgery (CSRF) issue affects the software, allowing unauthorized actions to be performed on behalf of a user without their knowledge or consen...
PT-2023-31067 · Unknown · Kulwant Nagi Affiliate Booster
Name of the Vulnerable Software and Affected Versions: Kulwant Nagi Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates versions 3.0.5 and earlier. Description: A Cross-Site Request Forgery (CSRF) issue affects the software, allowing unauthorized actions to be performed on behalf ...
PT-2023-29838 · Userback · Userback
Name of the Vulnerable Software and Affected Versions: Userback plugin versions 1.0.13 and earlier. Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability. This means an attacker can trick a user into performing unintended actions on a web application that the user is...
PT-2023-24888 · Grav · Grav
Name of the Vulnerable Software and Affected Versions: Grav versions 1.7.42 and prior. Description: The issue concerns a self-reflected cross-site scripting vulnerability in the `/forgot_password` page. This can be exploited by injecting a script into the email parameter of the request, potentiall...
PT-2021-21753 · Google · Tensorflow
Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.6.0, TensorFlow version 2.5.1, TensorFlow version 2.4.3, TensorFlow version 2.3.4. Description: The issue arises when sending an invalid argument for row partition types of the `tf.raw_ops.RaggedTensorToTensor` API,...