Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })

Summary When using parseBody dot: true in HonoRequest, specially crafted form field names such as proto.x could create objects containing a proto property. If the parsed result is later merged into regular JavaScript objects using unsafe merge patterns, this may lead to prototype pollution in the...

PT-2026-24805

Name of the Vulnerable Software and Affected Versions Tornado versions prior to 6.5.5 Description Tornado is a Python web framework and asynchronous networking library. In versions prior to 6.5.5, the only limit on the number of parts in multipart/form-data requests is the max body size setting,...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-tornado (UTSA-2026-005918)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005918 advisory. Tornado is a Python web framework and asynchronous networking library. When Tornado's multipart/form- data parser encounters certain errors, it logs a warning but...

EUVD-2018-21617

2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. Attackers can upload PHP files through the userfile1 parameter with action=upload, which are stored in the files...

RHEL 9 : Red Hat JBoss Enterprise Application Platform 8.0.12 (RHSA-2026:3891)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:3891 advisory. Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime. This release o...

GHSA-V66J-6WWF-JC57 Mercurius: Incorrect Content-Type parsing can lead to CSRF attack

Summary A Cross-Site Request Forgery CSRF vulnerability was identified in Mercurius versions 16. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or...

undertow: OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded

A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParseStreamSourceChannel method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows...

undertow: OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded

A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParseStreamSourceChannel method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows...

Important: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.0.12 security update

A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

undertow: OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded

A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParseStreamSourceChannel method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows...

PT-2026-22952

Name of the Vulnerable Software and Affected Versions Multer versions prior to 2.1.1 Description A flaw exists in Multer, a node.js middleware used for processing multipart/form-data. This issue can be exploited to cause a Denial of Service DoS by submitting specially crafted requests, which may...

CVE-2026-2359

A flaw was found in Multer, a Node.js middleware for handling multipart/form-data. A remote attacker can exploit this vulnerability by intentionally dropping a connection during a file upload. This can lead to a Denial of Service DoS due to resource exhaustion on the affected system...

OESA-2026-1431 undertow security update

Java web server using non-blocking IO Security Fixes: A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParseStreamSourceChannel method to parse large form data encoding with application/x-www-form-urlencoded, the...

CVE-2026-2359 Multer vulnerable to Denial of Service via resource exhaustion

Multer is a node.js middleware for handling multipart/form-data. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service DoS by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to...

Security Bulletin: MongoDB Enterprised Advanced affected by: Use of Insufficiently Random Values vulnerability (CVE-2025-7783)

Summary There is 1 vulnerability in form-data-2.3.3.tgz used in MongoDB Enterprised Advanced for IBM, involving CVE-2025-7783. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random Values vulnerability in form-data allows HTTP...

Security Bulletin: IBM Automation Decision Services for Jan 2026- Multiple CVEs addressed

Summary IBM Automation Decision Services is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-7783...

Memory exhaustion in SvelteKit remote form deserialization (experimental only)

Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled can be vulnerable to memory exhaustion. Malformed form data can cause the server process to crash due to excessive memory allocation, resulting in denial of service. Only applications using both experimental.remoteFunctions a...

CVE-2026-1860

The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the getitemspermissionscheck permission callback on the /kaliforms/v1/forms/id REST API endpoint only checking for the editposts capability without...

WordPress LiquidPoll plugin <= 3.3.78 - Unauthenticated Stored Cross-Site Scripting via form_data Parameter vulnerability

Unauthenticated Stored Cross-Site Scripting via formdata Parameter vulnerability discovered by zer0gh0st in WordPress Plugin LiquidPoll versions = 3.3.78...

CVE-2026-1860

The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the getitemspermissionscheck permission callback on the /kaliforms/v1/forms/id REST API endpoint only checking for the editposts capability without...