CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Vulnrichment•added 2026/06/08 3:20 p.m.•5 views

CVE-2026-49756 Multipart form-data header injection in Req via unescaped name/filename/content_type

CVE•added 2026/06/08 3:20 p.m.•18 views

CVE-2026-49756

CVE-2026-49756 describes a CRLF injection in Req.Utils.encode_form_part/2 of the Elixir Req library. User-controlled name, filename, or content_type are interpolated into Content-Disposition and Content-Type without escaping, allowing CRLFs to terminate header lines and add smuggled parts. This e...

OSV•added 2026/06/08 3:20 p.m.•3 views

EEF-CVE-2026-49756 Multipart form-data header injection in Req via unescaped name/filename/content_type

Summary Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata. Req.Utils.encodeformpart/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name,...

Positive Technologies•added 2026/06/08 12:0 a.m.•8 views

PT-2026-47333

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata. Req.Utils.encode form part/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename,...

EUVD•added 2026/06/06 1:26 a.m.•8 views

Exploits0References5

EUVD-2026-34941

The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This make...

7.2CVSS5.7AI score0.00292EPSS

Exploits0References10

Vulnrichment•added 2026/06/06 1:26 a.m.•5 views

CVE-2026-8901 Integration for Freshsales <= 1.0.15 - Unauthenticated Stored Cross-Site Scripting via Form Submission Data

7.2CVSS5.7AI score0.00292EPSS

Exploits0References10

Positive Technologies•added 2026/06/06 12:0 a.m.•11 views

PT-2026-47123

Name of the Vulnerable Software and Affected Versions Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress versions prior to 1.0.16 Description Insufficient input sanitization and output escaping allow unauthenticated attackers to perform...

7.2CVSS5.5AI score0.00292EPSS

Exploits0References12

RedhatCVE•added 2026/06/05 7:18 p.m.•7 views

CVE-2026-45302

parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with...

8.2CVSS5.4AI score0.00315EPSS

Exploits0References1

RedhatCVE•added 2026/06/05 7:11 p.m.•5 views

CVE-2026-44483

RVF formerly Remix Validated Form provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get used by @rvf/core to flatten incoming form data into a nested object does not block the keys proto, constructor, or prototype when walking ...

8.2CVSS5.6AI score0.00271EPSS

Exploits0References1

RedhatCVE•added 2026/06/05 7:11 p.m.•6 views

CVE-2026-44325

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NRF root SBI endpoint POST /oauth2/token contains a parser-level type-confusion bug family. The handler in NFs/nrf/internal/sbi/apiaccesstoken.go reflects over models.NrfAccessTokenAccessTokenReq,...

7.5CVSS5.5AI score0.00364EPSS

Exploits1References1

RedhatCVE•added 2026/06/05 7:10 p.m.•6 views

CVE-2026-8161

[email protected] and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as proto, constructor, or toString, the parser invokes .push on the inherited...

7.5CVSS5.5AI score0.00473EPSS

Exploits1References1

CNNVD•added 2026/06/04 12:0 a.m.•5 views

Zuz Music 跨站脚本漏洞

Zuz Music is an online music streaming platform system developed by Zuz Corporation. Version 2.1 of Zuz Music contains a cross-site scripting vulnerability. This vulnerability stems from the injection of malicious JavaScript through submitting specially crafted form data, potentially allowing...

6.1CVSS5.2AI score0.00211EPSS

CNNVD•added 2026/06/02 12:0 a.m.•4 views

Google Chrome 安全漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 149.0.7827.53 contained a security vulnerability caused by the leakage of Forms side-channel information. This vulnerability could allow remote attackers to exploit the vulnerability through specially craft...

9.1CVSS5.4AI score0.00264EPSS

NVD•added 2026/06/01 7:16 p.m.•7 views

CVE-2026-45302

8.2CVSS0.00315EPSS

Cvelist•added 2026/06/01 5:20 p.m.•27 views

CVE-2026-45302 Prototype Pollution in parse-nested-form-data via `__proto__` in FormData field names

8.2CVSS0.00315EPSS

ATTACKERKB•added 2026/06/01 5:20 p.m.•7 views

CVE-2026-45302

8.2CVSS5.7AI score0.00315EPSS

Exploits0References4Affected Software1

Vulnrichment•added 2026/06/01 5:20 p.m.•6 views

CVE-2026-45302 Prototype Pollution in parse-nested-form-data via `__proto__` in FormData field names

8.2CVSS5.7AI score0.00315EPSS

EUVD•added 2026/06/01 5:20 p.m.•10 views

EUVD-2026-33723

8.2CVSS5.8AI score0.00315EPSS

CNNVD•added 2026/06/01 12:0 a.m.•6 views

parse-nested-form-data 安全漏洞

parse-nested-form-data is a form data parsing tool developed by Christian Schurr. Versions of parse-nested-form-data prior to 1.0.1 contained security vulnerabilities. These vulnerabilities stemmed from the use of parseFormData, which did not filter or preserve attribute keys when parsing FormDat...

8.2CVSS5.3AI score0.00315EPSS