Lucene search

118 matches found

RedhatCVE
added 3 days ago, 6 views

CVE-2026-12143

A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return (CR), line feed (LF), or double-quote (") characters into the field argument of FormData#append or the filename option. This allows th...

CVSS 8.7, AI score 5.8, EPSS 0.00409
Exploits: 0, References: 10

EUVD
added 2026/06/17 6:12 p.m., 41 views

EUVD-2026-36726

Multer vulnerable to Denial of Service via deeply nested field names...

CVSS 7.5, AI score 5.2, EPSS 0.00278
Exploits: 0, References: 3

EUVD
added 2026/06/15 5:26 p.m., 8 views

EUVD-2026-36524

form-data: CRLF injection in form-data via unescaped multipart field names and filenames...

CVSS 8.7, AI score 5.2, EPSS 0.00409
Exploits: 0, References: 8

Github Security Blog
added 2026/06/15 5:26 p.m., 215 views

form-data: CRLF injection in form-data via unescaped multipart field names and filenames

Summary: form-data builds multipart/form-data request bodies. Through v4.0.5, the field name passed to FormData#append and the filename option are concatenated directly into the Content-Disposition header with no escaping of CR (\r), LF (\n), or ". An application that uses untrusted input as a field na...

CVSS 8.7, AI score 5.5, EPSS 0.00409
Exploits: 0, References: 8, Affected Software: 1

Cvelist
added 2026/06/15 1:56 p.m., 37 views

CVE-2026-5079 multer vulnerable to Denial of Service via deeply nested field names

Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of...

CVSS 7.5, EPSS 0.00278
Exploits: 0, References: 2

Positive Technologies
added 2026/06/15 12:0 a.m., 20 views

PT-2026-49233

Name of the Vulnerable Software and Affected Versions: multer versions 1.0.0 through 2.1.1; multer version 3.0.0-alpha.1. Description: A Denial of Service issue exists due to the way the append-field dependency parses bracket notation in field names within multipart form data. Because there is no lim...

CVSS 7.5, AI score 5.3, EPSS 0.00278
Exploits: 0, References: 9

NVD
added 2026/06/12 7:16 p.m., 23 views

CVE-2026-12143

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the field argument to FormData#append and the filename option are concatenated verbatim into the Content-Disposition header without escaping carriage return (CR), line feed (LF), or double-quote "...

CVSS 8.7, EPSS 0.00409
Exploits: 0, References: 15

CVE
added 2026/06/12 6:1 p.m., 215 views

CVE-2026-12143

The CVE-2026-12143 entry concerns the form-data library where, in versions up to 4.0.5, the field argument to FormData#append and the filename option are concatenated into the Content-Disposition header without escaping CR, LF, or ". This enables CRLF injection when attacker-controlled data is u...

CVSS 8.7, AI score 5.3, EPSS 0.00409
Exploits: 0, References: 15

Cvelist
added 2026/06/12 6:1 p.m., 28 views

CVE-2026-12143 form-data does not escape CR/LF/quote in multipart field names and filenames (CRLF injection)

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the field argument to FormData#append and the filename option are concatenated verbatim into the Content-Disposition header without escaping carriage return (CR), line feed (LF), or double-quote "...

CVSS 8.7, EPSS 0.00409
Exploits: 0, References: 7

Vulnrichment
added 2026/06/12 6:1 p.m., 147 views

CVE-2026-12143 form-data does not escape CR/LF/quote in multipart field names and filenames (CRLF injection)

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the field argument to FormData#append and the filename option are concatenated verbatim into the Content-Disposition header without escaping carriage return (CR), line feed (LF), or double-quote "...

CVSS 8.7, AI score 5.4, EPSS 0.00409
Exploits: 0, References: 7

RedhatCVE
added 2026/06/05 7:25 p.m., 9 views

CVE-2026-44294

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated functio...

CVSS 5.3, AI score 5.4, EPSS 0.00431
Exploits: 0, References: 1

ATTACKERKB
added 2026/06/01 5:20 p.m., 8 views

CVE-2026-45302

parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with...

CVSS 8.2, AI score 5.7, EPSS 0.00315
Exploits: 0, References: 4, Affected Software: 1

Positive Technologies
added 2026/05/19 12:0 a.m., 11 views

PT-2026-41863

The additional tables configuration of the page and tt content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index...

CVSS 5.9, AI score 5.9, EPSS 0.00318
Exploits: 0, References: 2

Positive Technologies
added 2026/05/18 12:0 a.m., 13 views

PT-2026-41772

Name of the Vulnerable Software and Affected Versions: parse-nested-form-data versions prior to 1.0.1. Description: The parseFormData function processes bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. An attacker can use a FormData field na...

CVSS 8.2, AI score 5.8, EPSS 0.00315
Exploits: 0, References: 6

NVD
added 2026/05/13 4:16 p.m., 12 views

CVE-2026-44294

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated functio...

CVSS 5.3, EPSS 0.00431
Exploits: 0, References: 1

Vulnrichment
added 2026/05/13 2:44 p.m., 8 views

CVE-2026-44294 protobufjs: Denial of service from crafted field names in generated code

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated functio...

CVSS 5.3, AI score 5.8, EPSS 0.00431
Exploits: 0, References: 1

Cvelist
added 2026/05/13 2:44 p.m., 31 views

CVE-2026-44294 protobufjs: Denial of service from crafted field names in generated code

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated functio...

CVSS 5.3, EPSS 0.00431
Exploits: 0, References: 1

ATTACKERKB
added 2026/05/13 2:44 p.m., 7 views

CVE-2026-44294

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated functio...

CVSS 5.3, AI score 5.8, EPSS 0.00431
Exploits: 0, References: 2, Affected Software: 1

CVE
added 2026/05/13 2:44 p.m., 19 views

CVE-2026-44294

CVE-2026-44294 affects protobufjs. Prior to versions 7.5.6 and 8.0.2, generated JavaScript property accessors from schema-controlled field and oneof names did not escape certain control characters in field names, which could cause generated encode, decode, verify, or conversion functions to fail ...

CVSS 5.3, AI score 5.8, EPSS 0.00431
Exploits: 0, References: 1, Affected Software: 1

CNNVD
added 2026/05/13 12:0 a.m., 10 views

protobuf.js input validation error vulnerability

protobuf.js is a pure JavaScript implementation of the protobuf.js project, open source. It provides a protocol buffer implementation that supports Node.js and browsers with TypeScript. It’s easy to use, extremely fast, and can be used out of the box through .proto files. Versions of protobuf.js...

CVSS 5.3, AI score 5.9, EPSS 0.00431
Exploits: 0, References: 1