GHSA-6JV3-5F52-599M python-multipart: Semicolon treated as querystring field separator enables parameter smuggling
Summary QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only & as a separator. This creates a parser differential: the same bytes...
python-multipart: Semicolon treated as querystring field separator enables parameter smuggling
Summary QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only & as a separator. This creates a parser differential: the same bytes...
PT-2026-49570
Summary QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only & as a separator. This creates a parser differential: the same bytes...
CVE-2026-49383
In JetBrains IntelliJ IDEA before 2026.1, XXE in the UI Designer form parser was possible...
31g-form-parser (=1.0.107), @0xmike/web-kit (>=0.0.6 <=0.1.1) +452 more potentially affected by CVE-2026-34077 via turbo-stream (>=1.2.1 <=2.4.1)
turbo-stream NPM version =1.2.1, =0.0.6, =4.0.0, =4.15.0, =0.0.3, =1.4.0, =0.0.1, =1.2.0, =1.2.0, =0.1.0, =1.0.10, =0.0.2, =1.0.0, =0.0.2, =0.0.13 and more Source cves: CVE-2026-34077 Source advisory: OSV:GHSA-RXV8-25V2-QMQ8...
JetBrains IntelliJ IDEA < 2026.1 Multiple Vulnerabilities
The version of JetBrains IntelliJ IDEA installed on the remote host is prior to 2026.1. It is, therefore, affected by multiple vulnerabilities: - In JetBrains IntelliJ IDEA before 2026.1 code execution was possible via template injection in the Copyright plugin CVE-2026-49382 - In JetBrains...
CVE-2026-49383
JetBrains IntelliJ IDEA prior to 2026.1 has a low-severity issue in the UI Designer form parser (XXE) that is locally exploitable with user interaction required. The CVSS 3.1 vector indicates Local access, Low complexity, no privileges, with Confidentiality impact Low and no impact on Integrity/A...
EUVD-2026-33391
In JetBrains IntelliJ IDEA before 2026.1, XXE in the UI Designer form parser was possible...
JetBrains IntelliJ IDEA Code Issue Vulnerability
JetBrains IntelliJ IDEA is an integrated development environment for the Java language developed by the Czech company JetBrains. Versions of JetBrains IntelliJ IDEA prior to 2026.1 contained code vulnerabilities due to XML external entity injections in the UI Designer form parser...
PT-2026-44963
Name of the Vulnerable Software and Affected Versions: JetBrains IntelliJ IDEA versions prior to 2026.1 (XXE). Description: An issue exists in the UI Designer form parser, which is the component responsible for processing the layout and design files of the user interface. Recommendations: Update to...
MiracleLinux 8 : grub2-2.02-90.1.0.1.el8 (AXSA:2021-1565:02)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2021-1565:02 advisory. grub2: acpi command allows privileged user to load crafted ACPI tables when Secure Boot is enabled CVE-2020-14372 grub2: Use-after-free in rmmod...
31g-form-parser (>=1.0.1 <=1.0.126), @1024pix/storybook-ember (=7.1.1) +189 more potentially affected by CVE-2025-68429 via @storybook/core-common (>=7.0.0 <=7.6.20)
@storybook/core-common NPM version =7.0.0, =1.0.1, =0.0.18, =2.0.5, =1.1.1, =0.0.1, =0.0.4, =0.0.0-dev-main.202308160724, =0.0.0-dev-main.202307180716, =0.0.0-dev.main.0b9a477d, =24.10.0, =26.7.0-beta.3 and more Source cves: CVE-2025-68429 Source advisory: SNYK:JS-STORYBOOKCORECOMMON-14470053...
EUVD-2024-0214
Malicious code in bioql PyPI...
The vulnerability of the Pallets Werkzeug web application library, related to uncontrolled resource consumption, allows a hacker to cause a service failure.
The vulnerability of the Pallets Werkzeug web application library is related to an uncontrolled resource consumption in the werkzeug.formparser.MultiPartParser component. Exploiting this vulnerability could allow a malicious actor to cause service failures...
CVE-2024-52581
Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to...
OESA-2025-1426 python-werkzeug security update
werkzeug German noun: "tool". Etymology: werk "work", zeug "stuff" Werkzeug is a comprehensive WSGI web application library. It began as a simple collection of various utilities for WSGI applications and has become one of the most advanced WSGI utility libraries. It includes: - An interactive...
CBL Mariner 2.0 Security Update: python-werkzeug (CVE-2024-49767)
The version of python-werkzeug installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-49767 advisory. - Werkzeug is a Web Server Gateway Interface web application library. Applications using...