1494 matches found

OSV
added 2025/12/02 8:16 a.m., 2 views

CVE-2025-13696

The Zigaform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.6.5. This is due to the plugin exposing a public AJAX endpoint that retrieves form submission data without performing authorization checks to verify ownership or access rights. Th...

CVSS 5.3 | AI score 5.8
Exploits 0 | References 5
CVE
added 2025/12/02 7:24 a.m., 18 views

CVE-2025-13696

The CVE-2025-13696 case concerns the Zigaform WordPress plugin (

CVSS 5.3 | AI score 5.5 | EPSS 0.00255
Exploits 0 | References 5
EUVD
added 2025/12/02 7:24 a.m., 3 views

EUVD-2025-200214

The Zigaform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.6.5. This is due to the plugin exposing a public AJAX endpoint that retrieves form submission data without performing authorization checks to verify ownership or access rights. Th...

CVSS 5.3 | AI score 5.4 | EPSS 0.00255
Exploits 0 | References 6
EUVD
added 2025/12/02 12:36 a.m., 4 views

EUVD-2025-200109

Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions...

CVSS 8.6 | AI score 6.4 | EPSS 0.01231
Exploits 4 | References 2
IBM Security Bulletins
added 2025/11/28 5:42 a.m., 7 views

Security Bulletin: IBM Spectrum Control is vulnerable to weaknesses related to form-data (CVE-2025-7783)

Summary: The form-data package is vulnerable to HTTP Parameter Pollution (HPP). This vulnerability affects IBM Spectrum Control. Vulnerability Details: CVEID: CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerabili...

CVSS 9.4 | AI score 6.6 | EPSS 0.01613
Exploits 1 | Affected Software 1
Tenable Nessus
added 2025/11/20 12:00 a.m., 3 views

TencentOS Server 4: python-tornado (TSSA-2025:0382)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2025:0382 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

CVSS 7.5 | AI score 6.9 | EPSS 0.00636
Exploits 0 | References 2
IBM Security Bulletins
added 2025/11/19 5:43 p.m., 9 views

Security Bulletin: Security vulnerability in form-data may affect IBM Business Automation Workflow - CVE-2025-7783

Summary: IBM Business Automation Workflow references a vulnerable copy of the form-data open source library. Vulnerability Details: CVEID: CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated...

CVSS 9.4 | AI score 6.5 | EPSS 0.01613
Exploits 1 | Affected Software 2
IBM Security Bulletins
added 2025/11/19 2:32 p.m., 5 views

Security Bulletin: IBM Security SOAR is using a component with a known vulnerability (CVE-2025-7783)

Summary: IBM Security SOAR uses an older version of the form-data JavaScript module that may be identified and exploited. Updates for supported versions have been released which address the issue. It is recommended to upgrade to version 51.0.7.1. Vulnerability Details: CVEID: CVE-2025-7783 DESCRIPTIO...

CVSS 9.4 | AI score 6.7 | EPSS 0.01613
Exploits 1 | Affected Software 2
IBM Security Bulletins
added 2025/11/19 2:27 p.m., 5 views

Security Bulletin: Astronomer with IBM is vulnerable to HTTP parameter pollution due to the form-data package (CVE-2025-7783)

Summary: Form-data is used by Astronomer with IBM as part of the HTTP processing functionality. Vulnerability Details: CVEID: CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program...

CVSS 9.4 | AI score 6.6 | EPSS 0.01613
Exploits 1 | Affected Software 1
Mageia
added 2025/11/12 9:29 p.m., 5 views

Updated python-tornado packages fix security vulnerability

Tornado vulnerable to excessive logging caused by malformed multipart form data. CVE-2025-47287...

CVSS 7.5 | AI score 7 | EPSS 0.00636
Exploits 0 | References 2
Veracode
added 2025/11/10 11:04 a.m., 5 views

Denial-of-Service (DoS)

rack is vulnerable to Denial-of-Service. The vulnerability is due to Rack::Request#POST reading the entire application/x-www-form-urlencoded body into memory due to calling rack.input.read(nil) without enforcing a length limit, and attackers can send very large form bodies to exhaust process memory...

CVSS 7.5 | AI score 6.5 | EPSS 0.00591
Exploits 0 | References 7 | Affected Software 1
Vulnrichment
added 2025/11/10 12:02 a.m., 3 views

CVE-2025-12922 OpenClinica Community Edition CRF Data Import ImportCRFData path traversal

A vulnerability was found in OpenClinica Community Edition up to 3.12.2/3.13. This affects an unknown part of the file /ImportCRFData?action=confirm of the component CRF Data Import. Performing manipulation of the argument xmlfile results in path traversal. The attack can be initiated remotely. T...

CVSS 6.5 | AI score 6.3 | EPSS 0.0047
Exploits 0 | References 5
Tenable Nessus
added 2025/11/07 12:00 a.m., 2 views

SUSE SLES12 Security Update : nodejs18 (SUSE-SU-2025:3919-1)

The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:3919-1 advisory. - CVE-2025-7783: Switched away from Math.random in boundary values for multipart form-encoded data (bsc#1246818). Tenable has extracted the preceding...

CVSS 9.4 | AI score 6.6 | EPSS 0.01613
Exploits 1 | References 4
RedHat Linux
added 2025/11/04 7:51 p.m., 3 views

rubygem-rack: Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion

A memory-exhaustion vulnerability exists in Rack when parsing application/x-www-form-urlencoded request bodies. Rack::Request#POST reads the entire request body into memory without enforcing a maximum length or cap. Attackers can exploit this by sending large form submissions, potentially causing...

CVSS 7.5 | AI score 6.4 | EPSS 0.00591
Exploits 0 | References 8
RedHat Linux
added 2025/11/04 5:06 p.m., 0 views

rubygem-rack: Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion

A memory-exhaustion vulnerability exists in Rack when parsing application/x-www-form-urlencoded request bodies. Rack::Request#POST reads the entire request body into memory without enforcing a maximum length or cap. Attackers can exploit this by sending large form submissions, potentially causing...

CVSS 7.5 | AI score 6.4 | EPSS 0.00591
Exploits 0 | References 8
RedHat Linux
added 2025/11/03 8:18 p.m., 2 views

rubygem-rack: Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion

A memory-exhaustion vulnerability exists in Rack when parsing application/x-www-form-urlencoded request bodies. Rack::Request#POST reads the entire request body into memory without enforcing a maximum length or cap. Attackers can exploit this by sending large form submissions, potentially causing...

CVSS 7.5 | AI score 6.4 | EPSS 0.00591
Exploits 0 | References 8
RedHat Linux
added 2025/11/03 8:18 p.m., 3 views

rack: Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)

A flaw was found in Rack where the Rack::Multipart::Parser buffers the multipart preamble in memory without size limits. A remote attacker can send a crafted multipart/form-data request with a very large preamble before its first boundary, causing excessive memory consumption and denial of service...

CVSS 7.5 | AI score 6.8 | EPSS 0.00848
Exploits 0 | References 8
SUSE Linux
added 2025/11/03 10:32 a.m., 5 views

Security update for nodejs18

This update for nodejs18 fixes the following issues: CVE-2025-7783: Switched away from Math.random in boundary values for multipart form-encoded data (bsc#1246818). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch"...

CVSS 8.2 | AI score 7 | EPSS 0.01613
Exploits 1 | References 4
IBM Security Bulletins
added 2025/11/03 9:06 a.m., 33 views

Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which are vulnerable to CVEs.

Summary: IBM Maximo Application Suite uses "form-data 4.0.0, org.apache.cxf:cxf-core 3.6.7, net/http/internal v1.24.1, braces 3.0.2, cross-spawn 7.0.3, crypto/x509 1.24.1 1.24.3, github.com/golang-jwt/jwt/v4 github.com/golang-jwt/jwt/v5 v4.5.0 v5.2.1, httpd 2.4.37, setuptools 78.0.2 75.8.0,...

CVSS 9.8 | AI score 8.2 | EPSS 0.91327
Exploits 10 | Affected Software 1
OSV
added 2025/10/31 2:13 p.m., 6 views

OESA-2025-2580 python-tornado security update

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. By using non-blocking network I/O, Tornado can scale to tens of thousands of open connections, making it ideal for long polling, WebSockets, and other applications that require a long-lived...

CVSS 7.5 | AI score 6.8 | EPSS 0.00636
Exploits 0 | References 2