1494 matches found

Cvelist
added 2026/02/03 9:12 p.m., 24 views

CVE-2026-25150 Prototype Pollution via FormData Processing in Qwik City

Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails ...

9.3 CVSS, 0.00624 EPSS
Exploits 0, References 2

Cvelist
added 2026/02/03 9:12 p.m., 30 views

CVE-2026-25155 [qwik-city] CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)

Qwik is a performance-focused JavaScript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0...

5.9 CVSS, 0.00129 EPSS
Exploits 0, References 2

Vulnrichment
added 2026/02/03 9:12 p.m., 3 views

CVE-2026-25155 [qwik-city] CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)

Qwik is a performance-focused JavaScript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0...

5.9 CVSS, 5.3 AI score, 0.00129 EPSS
Exploits 0, References 2

NVD
added 2026/01/31 2:16 p.m., 9 views

CVE-2025-14554

The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderformdata' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

7.2 CVSS, 0.00319 EPSS
Exploits 0, References 6

CVE
added 2026/01/31 1:24 p.m., 20 views

CVE-2025-14554

CVE-2025-14554 affects the WordPress plugin “Sell BTC – Cryptocurrency Selling Calculator.” The vulnerability is a Stored Cross-Site Scripting (XSS) flaw via the AJAX action ‘orderform_data’ in versions up to and including 1.5, caused by insufficient input sanitization and output escaping. This a...

7.2 CVSS, 6 AI score, 0.00319 EPSS
Exploits 0, References 6

NVD
added 2026/01/31 2:16 a.m., 3 views

CVE-2025-15510

The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5ExportForms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configuration...

5.3 CVSS, 0.00285 EPSS
Exploits 0, References 2

ATTACKERKB
added 2026/01/31 1:23 a.m., 4 views

CVE-2025-15510

The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5ExportForms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configuration...

5.3 CVSS, 5.9 AI score, 0.00285 EPSS
Exploits 0, References 3

Vulnrichment
added 2026/01/31 1:23 a.m., 3 views

CVE-2025-15510 NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.8 - Missing Authorization to Unauthenticated Sensitive Information Exposure

The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5ExportForms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configuration...

5.3 CVSS, 5.4 AI score, 0.00285 EPSS
Exploits 0, References 2

Tenable Nessus
added 2026/01/29 12:0 a.m., 4 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: nodejs-form-data (UTSA-2026-005212)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005212 advisory. Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution HPP. This vulnerability is associated with program files...

9.4 CVSS, 5.9 AI score, 0.01613 EPSS
Exploits 1, References 4

CVE
added 2026/01/28 6:43 a.m., 15 views

CVE-2026-0825

CVE-2026-0825 describes an authorization bypass in the WordPress plugin stack combining Database for Contact Form 7, WPforms, and Elementor forms (WordPress) via the CSV export endpoint. The CSV export handler bypasses per-entry filtering, allowing unauthenticated attackers to download all submis...

5.3 CVSS, 5.9 AI score, 0.00408 EPSS
Exploits 0, References 6

Vulnrichment
added 2026/01/28 6:43 a.m., 6 views

CVE-2026-0825 Database for Contact Form 7, WPforms, Elementor forms <= 1.4.5 - Missing Authorization to Unauthenticated Form Data Exfiltration via CSV Export

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download...

5.3 CVSS, 5.9 AI score, 0.00408 EPSS
Exploits 0, References 6

Tenable Nessus
added 2026/01/27 12:0 a.m., 5 views

Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : Form-Data vulnerability (USN-7976-1)

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-7976-1 advisory. Ben Shonaldmann discovered that Form-data incorrectly generated boundary values for multipart...

9.4 CVSS, 6 AI score, 0.01613 EPSS
Exploits 1, References 2

OpenVAS
added 2026/01/27 12:0 a.m., 7 views

Ubuntu: Security Advisory (USN-7976-1)

The remote host is missing an update for the...

9.4 CVSS, 5.9 AI score, 0.01613 EPSS
Exploits 1, References 2

OSSF Malicious Packages
added 2026/01/26 6:20 p.m., 7 views

Malicious code in @sommos/create-program-template-form-data (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fa7bdf06061a821a92bec72c1ea8826213552ec4486d81e7776553a74293dd79 The package @sommos/create-program-template-form-data was found to contain malicious code. Source: ossf-package-analysis...

5.8 AI score
Exploits 0

Ubuntu
added 2026/01/26 11:0 a.m., 4 views

USN-7976-1: Form-Data vulnerability

Ben Shonaldmann discovered that Form-data incorrectly generated boundary values for multipart form-encoded data, leading to predictable values. A remote attacker could possibly use this issue to make arbitrary requests to internal systems...

9.4 CVSS, 6.8 AI score, 0.01613 EPSS
Exploits 1

OSV
added 2026/01/26 11:0 a.m., 3 views

USN-7976-1 node-form-data vulnerability

Ben Shonaldmann discovered that Form-data incorrectly generated boundary values for multipart form-encoded data, leading to predictable values. A remote attacker could possibly use this issue to make arbitrary requests to internal systems...

9.4 CVSS, 6.8 AI score, 0.01613 EPSS
Exploits 1, References 2

RedhatCVE
added 2026/01/24 3:18 p.m., 7 views

CVE-2026-24557

Insertion of Sensitive Information Into Sent Data vulnerability in WEN Solutions Contact Form 7 GetResponse Extension contact-form-7-getresponse-extension allows Retrieve Embedded Sensitive Data. This issue affects Contact Form 7 GetResponse Extension: from n/a through = 1.0.8...

5.3 CVSS, 5.4 AI score, 0.0024 EPSS
Exploits 0, References 1

ATTACKERKB
added 2026/01/24 8:26 a.m., 3 views

CVE-2026-0633

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without...

3.7 CVSS, 5.9 AI score, 0.00187 EPSS
Exploits 0, References 3

IBM Security Bulletins
added 2026/01/23 10:54 a.m., 9 views

Security Bulletin: A vulnerability in form-data affect IBM® Db2® Big SQL.

Summary: A vulnerability in form-data affect IBM® Db2® Big SQL 8.2 on IBM Cloud Pak for Data 5.2 and earlier. Vulnerability Details: CVEID: CVE-2025-7783. DESCRIPTION: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution HPP. This vulnerability is associated...

9.4 CVSS, 5.7 AI score, 0.01613 EPSS
Exploits 1, Affected Software 1

RedHat Linux
added 2026/01/21 3:59 p.m., 5 views

tornado: Tornado Quadratic DoS via Crafted Multipart Parameters

A denial of service flaw has been discovered in the Tornado networking library. Affected versions of Tornado use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The parseparam function in httputil.py is used to parse specific HTTP header values,...

7.5 CVSS, 5.8 AI score, 0.00371 EPSS
Exploits 0, References 7