1528 matches found
EUVD-2020-31214
Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint,...
CVE-2020-37168
Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint,...
coreruleset 4.21.0 - Firewall Bypass
Exploit Title: coreruleset 4.21.0 - Firewall Bypass Date: 04/08/2026 Exploit Author: Daytrift Newgen Vendor Homepage: https://github.com/coreruleset Software Link: https://github.com/coreruleset/coreruleset Version: 4.22.0/3.3.8 Tested on: Fedora, MacOS CVE : CVE-2026-21876 import base64 import o...
Linux Distros Unpatched Vulnerability : CVE-2026-8161
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - [email protected] and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that...
Improper Handling of Exceptional Conditions
Overview org.webjars.npm:multiparty is a multipart/form-data parser which supports streaming Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions via the filename parameter parsing in multipart form-data requests. An attacker can cause the process to cra...
EUVD-2026-29413
The Forms Rb plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access a...
CVE-2026-8162 multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing
[email protected] and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. T...
CVE-2026-7050 Forms Rb <= 1.1.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via 'form_id' Parameter
The Forms Rb plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access a...
multiparty 安全漏洞
multiparty is a Node.js module developed by pillarjs for parsing HTTP multipart/form-data requests. Versions of multiparty 4.2.3 and earlier contain security vulnerabilities; these vulnerabilities stem from unhandled exceptions, which may lead to denial-of-service attacks...
multiparty 安全漏洞
multiparty is a Node.js module developed by pillarjs for parsing HTTP multipart/form-data requests. Versions of multiparty 4.2.3 and earlier contain security vulnerabilities; these vulnerabilities stem from unhandled exceptions, which may lead to denial-of-service attacks...
CVE-2026-46510
creationtimestamp| type| source ---|---|--- 2026-05-11 16:10:55+00:00| published-proof-of-concept| https://github.com/kaspernj/form-data-objectizer/security/advisories/GHSA-m2hg-wjq3-28wq 2026-05-29 15:00:35+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mmyshpa7fd2v...
GHSA-C567-44RC-M5HQ @rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)
Summary setPath in @rvf/set-get used by @rvf/core to flatten incoming form data into a nested object does not block the keys proto, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData and through...
Prototype Pollution
Overview @rvf/set-get is an Internal utilities and types for working with deeply nested data. This is primarily used internally by RVF and it's various packages. It isn't recommended for use by most people. Affected versions of this package are vulnerable to Prototype Pollution via the setPath...
@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)
Summary setPath in @rvf/set-get used by @rvf/core to flatten incoming form data into a nested object does not block the keys proto, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData and through...
PT-2026-39894
Name of the Vulnerable Software and Affected Versions RVF versions 6.0.0 through 6.0.3 RVF versions 7.0.0 through 7.0.1 Description The setPath function in @rvf/set-get used by @rvf/core to flatten incoming form data into a nested object fails to block the keys proto , constructor, or prototype...
PT-2026-39255
Name of the Vulnerable Software and Affected Versions free5GC versions prior to 4.2.2 Description The NRF root SBI endpoint "POST /oauth2/token" contains a parser-level type-confusion bug. The handler in NFs/nrf/internal/sbi/api accesstoken.go uses reflection over...
Node.js Module axios < 1.15.1 CRLF Injection (CVE-2026-42037)
The version of the axios Node.js module installed on the remote host is prior to 1.15.1. It is, therefore, affected by the following vulnerability: - CRLF injection in multipart/form-data body via unsanitized blob.type in formDataToStream. CVE-2026-42037 Note that Nessus has not tested for this...
Allocation of Resources Without Limits or Throttling
Overview react-server-dom-parcel is a React Server Components bindings for DOM using Parcel. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling...
GHSA-445Q-VR5W-6Q77 Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
Summary The FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF \r\n sequences. An attacker who controls the .type property of a Blob/File-like object e.g., via a user-uploaded fil...
NPM: Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
NPM: Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream vulnerability discovered by ? in WordPress Npm axios versions = 1.0.0, 1.15.1...