929 matches found
CVE-2026-22102 Arbitrary file overwrite through certificate update functionality
A POST request sent to a specific webserver endpoint can be used to write to arbitrary file locations. The endpoint accepts the filename parameter in the Content-Disposition header without verification. This can be used to cause a denial of service by overwriting system files, or...
CVE-2026-22102
CVE-2026-22102 describes an issue where a POST request to a specific webserver endpoint can write to arbitrary file locations. The filename parameter is taken from the Content-Disposition header without verification, enabling: Denial of service by overwriting system files Potential remote code ex...
EUVD-2026-34012
Tesla vulnerable to multipart part smuggling via unescaped content-disposition values...
GHSA-3VCG-PV95-PQ54 SFTPGo has stored XSS via inline parameter on public shares and user file download
Summary The inline query parameter on the browsable-share file download and on the authenticated user file download suppressed Content-Disposition: attachment, so an HTML file stored in a share or home directory could be served as text/html and execute in SFTPGo's web origin stored XSS. Impact Lo...
PT-2026-55447
Name of the Vulnerable Software and Affected Versions SFTPGo versions prior to 2.7.3 Description A stored Cross-Site Scripting XSS issue exists where the inline query parameter on the browsable-share file download and authenticated user file download endpoints suppresses the Content-Disposition:...
EUVD-2026-40945
In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX...
CVE-2026-13323
Vulnerability CVE-2026-13323 affects Open VSX Registry before 1.0.2. The /vscode/unpkg/ endpoint serves user-supplied HTML without CSP or Content-Disposition headers, enabling a publisher to upload a crafted VSIX and lure authenticated users to visit the URL. This inline rendering in the open-vsx...
CVE-2026-13323
In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX...
CVE-2026-53537
A flaw was found in Python-Multipart. This vulnerability allows a remote attacker to bypass security controls by exploiting a difference in how Content-Disposition and Content-Type headers are parsed. Specifically, the parseoptionsheader function incorrectly applies RFC 2231/5987 decoding, which ...
Astra Linux – Vulnerability in libsoup3
A flaw was discovered in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF Carriage Return Line Feed sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary...
CVE-2026-53929
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NCSECUREATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. The signed attachment handler stor...
CVE-2026-53929
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NCSECUREATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. The signed attachment handler stor...
CVE-2026-53929
NocoDB (pre-2026.05.1) is affected by a Stored Cross-Site Scripting vulnerability when NC_SECURE_ATTACHMENTS=true. An authenticated uploader could deliver .html or .svg attachments that the browser renders inline from the NocoDB origin due to a header-key casing mismatch (ResponseContentDispositi...
CVE-2026-53537
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=...,...
CVE-2026-53537 Python-Multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=...,...
CVE-2026-53537
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=...,...
CVE-2026-53537 Python-Multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=...,...
CVE-2026-53537
Python-Multipart: Prior to 0.0.30, parse_options_header could decode RFC 2231/5987 extended parameters (filename*=, name*=, etc.) via email.message, leading to the filename/field name being surfaced in ways that RFC 7578 forbids. This allowed parameter smuggling where an attacker could bypass ups...
GHSA-2JQ4-Q6VV-4CP3 Crawl4AI: Arbitrary file write (path traversal) in crawler downloads can lead to RCE
Summary When the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path e.g. /etc/cron.d/evil or ../ traversal escaped the downloads directory, giving an...
PT-2026-50475
Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.05.1 Description When NC SECURE ATTACHMENTS is set to true, an authenticated uploader can upload .html or .svg attachments that the browser renders inline from the NocoDB origin instead of forcing a download. This...