Lucene search
K

1519 matches found

CVE
CVE
added 2 days ago8 views

CVE-2026-56669

Elysia (a TypeScript framework for request validation, type inference, OpenAPI docs, and client-server communication) contains a vulnerability (CVE-2026-56669) caused by using getAll in form data normalization for multipart/form-data endpoints prior to 1.4.29. This leads to quadratic growth in wo...

7.5CVSS6AI score0.00358EPSS
Exploits0References4
OSV
OSV
added 3 days ago6 views

ROOT-APP-NPM-CVE-2025-7783 CVE-2025-7783 in @rootio/form-data - Patched by Root

Root has patched CVE-2025-7783 in the @rootio/form-data package for Root:npm. Multiple fixed versions available...

5.4CVSS7.5AI score0.01735EPSS
Exploits1
OSV
OSV
added 3 days ago13 views

ROOT-APP-NPM-CVE-2026-12143 CVE-2026-12143 in @rootio/form-data - Patched by Root

Root has patched CVE-2026-12143 in the @rootio/form-data package for Root:npm. Multiple fixed versions available...

8.7CVSS5.2AI score0.00409EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2026/07/01 2:30 p.m.20 views

CVE-2026-54283

A flaw was found in Starlette where the request.form method silently ignores configured resource limits maxfields and maxpartsize when parsing application/x-www-form-urlencoded data. An unauthenticated attacker can exploit this by sending a urlencoded request body with an arbitrarily large number...

7.5CVSS5.6AI score0.00275EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/30 9:6 p.m.36 views

CVE-2026-58448 yudao-cloud < 2026.06 - BPM Module Broken Access Control via process-instance API

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation...

7.1CVSS0.00235EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/29 4:8 p.m.6 views

CVE-2026-12143

A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return CR, line feed LF, or double-quote " characters into the field argument of FormDataappend or the filename option. This allows th...

8.7CVSS5.8AI score0.00409EPSS
Exploits0References10
EUVD
EUVD
added 2026/06/27 5:33 a.m.8 views

EUVD-2026-39945

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

5.3CVSS5.8AI score0.00281EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.10 views

PT-2026-51650

Name of the Vulnerable Software and Affected Versions ARForms versions prior to 7.1.4 Description Insufficient input sanitization and output escaping in the ARForms plugin allow unauthenticated attackers to perform Stored Cross-Site Scripting XSS. By exploiting the value parameter of the arf save...

7.2CVSS6AI score0.0019EPSS
Exploits0References7
Tenable Nessus
Tenable Nessus
added 2026/06/23 12:0 a.m.18 views

Linux Distros Unpatched Vulnerability : CVE-2026-53537

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with...

5.3CVSS6AI score0.00177EPSS
Exploits0References3
NVD
NVD
added 2026/06/22 9:16 p.m.12 views

CVE-2026-55603

http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with...

7.5CVSS0.00243EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/22 8:7 p.m.26 views

CVE-2026-55603 http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`

http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with...

7.5CVSS0.00243EPSS
Exploits1References1
CVE
CVE
added 2026/06/22 8:7 p.m.44 views

CVE-2026-55603

CVE-2026-55603 affects http-proxy-middleware (Node.js). In versions 3.0.4–3.0.7 and 4.1.1, fixRequestBody() rebuilds multipart/form-data by interpolating req.body into the wire format without neutralizing CR/LF. This can let an attacker inject a new multipart part (via unescaped CRLF in keys/valu...

7.5CVSS5.9AI score0.00243EPSS
Exploits1References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/22 8:7 p.m.5 views

CVE-2026-55603

http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with...

7.5CVSS5.9AI score0.00243EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/06/22 6:16 p.m.4 views

DEBIAN-CVE-2026-53537

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=...,...

5.3CVSS5.9AI score0.00177EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 4:57 p.m.33 views

CVE-2026-53537 Python-Multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=...,...

3.7CVSS0.00177EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/22 4:57 p.m.4 views

CVE-2026-53537

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=...,...

3.7CVSS5.9AI score0.00177EPSS
Exploits0References2Affected Software1
Debian CVE
Debian CVE
added 2026/06/22 4:57 p.m.6 views

CVE-2026-53537

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=...,...

5.3CVSS5.9AI score0.00177EPSS
Exploits0
Debian CVE
Debian CVE
added 2026/06/22 4:55 p.m.5 views

CVE-2026-53539

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead...

7.5CVSS6.1AI score0.00263EPSS
Exploits0
Tenable Nessus
Tenable Nessus
added 2026/06/22 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2026-54283

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form accepts maxfields and maxpartsize to bound resource consumption while...

7.5CVSS5.9AI score0.00275EPSS
Exploits0References3
Patchstack
Patchstack
added 2026/06/18 1:6 p.m.20 views

NPM: http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`

NPM: http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in fixRequestBody vulnerability discovered by ? in WordPress Npm http-proxy-middleware versions = 3.0.4, 3.0.7...

7.5CVSS5.8AI score0.00243EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder