Lucene search
+L

62 matches found

cvelist
cvelist
added 2026/06/26 7:17 a.m.39 views

CVE-2026-57874 GV-LPC2011/LPC2211 - unauthorized buffer overflow vulnerability (IEEE8021x_upload.cgi)

An unauthenticated buffer overflow vulnerability exists in IEEE8021xupload.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when parsing filename values in multipart upload data. A remote attacker may exploit this...

7.5CVSS0.00318EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/06/26 7:17 a.m.6 views

CVE-2026-57874

An unauthenticated buffer overflow vulnerability exists in IEEE8021xupload.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when parsing filename values in multipart upload data. A remote attacker may exploit this...

7.5CVSS5.9AI score0.00318EPSS
Exploits0References2Affected Software1
ossf
ossf
added 2026/06/19 5:10 a.m.20 views

Malicious code in node-slot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0d71bcdec983467ab6a47b538e524abc1cdafc98b411761bffb375be17d72009 On npm install, package.json's postinstall hook executes node test.js which invokes code in index.js that performs two distinct attacks on the...

5.9AI score
Exploits0References4
nvd
nvd
added 2026/06/15 2:16 p.m.13 views

CVE-2026-5079

Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of...

7.5CVSS0.00278EPSS
Exploits0References2
cvelist
cvelist
added 2026/06/15 1:56 p.m.43 views

CVE-2026-5079 multer vulnerable to Denial of Service via deeply nested field names

Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of...

7.5CVSS0.00278EPSS
Exploits0References2
githubexploit
githubexploit
added 2026/06/05 11:9 p.m.78 views

Exploit for Deserialization of Untrusted Data in Facebook React

React2Shell CVE-2025-55182 Next.js: CVE-2025-66478Unauthenti...

10CVSS8AI score0.99562EPSS
Exploits389
attackerkb
attackerkb
added 2026/05/12 8:50 a.m.11 views

CVE-2026-8161

[email protected] and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as proto, constructor, or toString, the parser invokes .push on the inherited...

7.5CVSS5.8AI score0.00473EPSS
Exploits1References3
suse
suse
added 2026/04/22 7:22 a.m.9 views

Security update for python-python-multipart

This update for python-python-multipart fixes the following issue: CVE-2026-40347: crafted multipart/form-data can cause a denial of service bsc1262403. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch"...

6.9CVSS5.7AI score0.00351EPSS
Exploits0References4
cvelist
cvelist
added 2026/04/02 5:10 p.m.21 views

CVE-2026-26962 Rack: Header injection in multipart requests

Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename o...

4.8CVSS0.00227EPSS
Exploits0References1
cve
cve
added 2026/04/02 4:46 p.m.24 views

CVE-2026-34829

Rack is vulnerable to a Denial of Service caused by unbounded multipart file uploads when a request uses multipart/form-data without a Content-Length header. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO if CONTENT_LENGTH exists; w...

7.5CVSS5.8AI score0.00369EPSS
Exploits0References4Affected Software1
redhatcve
redhatcve
added 2026/03/28 4:59 p.m.7 views

CVE-2026-5027

The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences '../'...

8.8CVSS6AI score0.31405EPSS
Exploits4References1
nessus
nessus
added 2026/01/02 12:0 a.m.8 views

Amazon Linux 2023 : php8.2, php8.2-bcmath, php8.2-cli (ALAS2023-2025-872)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-872 advisory. The upstream advisory describes this issue as follows: A memory-related vulnerability in PHP's filter handling system, particularly when processing input with convert.quoted-printable-decode...

9.8CVSS7.3AI score0.02286EPSS
Exploits6References18
osv
osv
added 2025/11/12 9:29 p.m.8 views

MGASA-2025-0282 Updated python-tornado packages fix security vulnerability

Tornado vulnerable to excessive logging caused by malformed multipart form data. CVE-2025-47287...

7.5CVSS6.9AI score0.00672EPSS
Exploits0References3
nessus
nessus
added 2025/11/07 12:0 a.m.2 views

SUSE SLES12 Security Update : nodejs18 (SUSE-SU-2025:3919-1)

The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2025:3919-1 advisory. - CVE-2025-7783: Switched away from Math.random in boundary values for multipart form-encoded data bsc1246818 Tenable has extracted the preceding...

9.4CVSS6.6AI score0.01735EPSS
Exploits1References4
debiancve
debiancve
added 2025/10/07 2:42 p.m.8 views

CVE-2025-61771

Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, Rack::Multipart::Parser stores non-file form fields parts without a filename entirely in memory as Ruby String objects. A single large text field in a multipart/form-data request hundreds of megabytes or...

7.5CVSS5.8AI score0.00528EPSS
Exploits0
euvd
euvd
added 2025/10/03 8:7 p.m.5 views

EUVD-2023-0282

Malicious code in bioql PyPI...

7.5CVSS7AI score0.0142EPSS
Exploits0References11
euvd
euvd
added 2025/10/03 8:7 p.m.7 views

EUVD-2023-0280

Malicious code in bioql PyPI...

8CVSS7.1AI score0.01072EPSS
Exploits0References8
osv
osv
added 2025/08/15 12:39 p.m.6 views

OESA-2025-1996 python-werkzeug security update

A comprehensive WSGI web application library Security Fixes: Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal...

8CVSS6.9AI score0.01072EPSS
Exploits0References2
osv
osv
added 2025/07/17 12:30 p.m.9 views

USN-7643-1 libsoup3, libsoup2.4 vulnerabilities

Jan Różański discovered that libsoup incorrectly handled range headers in an HTTP request. An attacker could possibly use this issue to cause libsoup to consume excessive memory, resulting in a denial of service. CVE-2025-32907 Alon Zahavi discovered that libsoup incorrectly handled memory when...

7.5CVSS6.9AI score0.00765EPSS
Exploits0References6
redhatcve
redhatcve
added 2025/06/21 3:43 a.m.5 views

CVE-2025-6375

A flaw was found in Poco. The MultipartInputStream function in Net/src/MultipartReader.cpp contains a NULL pointer dereference triggered by crafted input. This flaw allows a local attacker to cause a denial of service. Manipulation occurs during the processing of multipart data. The vulnerability...

4.8CVSS6.7AI score0.00212EPSS
Exploits1References2
Rows per page
Query Builder