CVE-2026-45302 Prototype Pollution in parse-nested-form-data via `__proto__` in FormData field names

parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with...

CVE-2026-45302

parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with...

Denial Of Service (DoS)

Tornado is vulnerable to a Denial Of Service DoS. The vulnerability is due to Tornado’s multipart/form-data parser continuing to process data after encountering errors, allows an attacker to generate excessive synchronous logging...

PT-2025-21576

Name of the Vulnerable Software and Affected Versions: Tornado versions prior to 6.5.0 Description: The issue allows remote attackers to generate a high volume of logs, constituting a denial-of-service DoS attack, by exploiting Tornado's multipart/form-data parser when it encounters certain error...

GHSA-GJCC-JVGW-WVWJ Litestar allows unbounded resource consumption (DoS vulnerability)

Summary Litestar offers multiple methods to return a parsed representation of the request body, as well as extractors that rely on those parsers to map request content to structured data types. Multiple of those parsers do not have size limits when reading the request body into memory, which allo...

GHSA-QV64-W99C-QCR9 Jenkins temporary uploaded file created with insecure permissions

In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, uploaded files processed via the Stapler web framework and the Jenkins API MultipartFormDataParser create temporary files in the system temporary directory with the default permissions for newly created files. If these permissions are overly...

Jenkins: Denial of Service attack

A flaw was found in Jenkins. Affected versions of Jenkins use the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service...