Malicious code in node-slot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0d71bcdec983467ab6a47b538e524abc1cdafc98b411761bffb375be17d72009 On npm install, package.json's postinstall hook executes node test.js which invokes code in index.js that performs two distinct attacks on the...

CVE-2026-5079

Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of...

CVE-2026-5079 multer vulnerable to Denial of Service via deeply nested field names

Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of...

Exploit for Deserialization of Untrusted Data in Facebook React

React2Shell CVE-2025-55182 Next.js: CVE-2025-66478Unauthenti...

CVE-2026-8161

[email protected] and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as proto, constructor, or toString, the parser invokes .push on the inherited...

Security update for python-python-multipart

This update for python-python-multipart fixes the following issue: CVE-2026-40347: crafted multipart/form-data can cause a denial of service bsc1262403. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch"...

CVE-2026-26962 Rack: Header injection in multipart requests

Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename o...

CVE-2026-34829

Rack is vulnerable to a Denial of Service caused by unbounded multipart file uploads when a request uses multipart/form-data without a Content-Length header. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO if CONTENT_LENGTH exists; w...

CVE-2026-5027

The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences '../'...

Amazon Linux 2023 : php8.2, php8.2-bcmath, php8.2-cli (ALAS2023-2025-872)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-872 advisory. The upstream advisory describes this issue as follows: A memory-related vulnerability in PHP's filter handling system, particularly when processing input with convert.quoted-printable-decode...

MGASA-2025-0282 Updated python-tornado packages fix security vulnerability

Tornado vulnerable to excessive logging caused by malformed multipart form data. CVE-2025-47287...

SUSE SLES12 Security Update : nodejs18 (SUSE-SU-2025:3919-1)

The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2025:3919-1 advisory. - CVE-2025-7783: Switched away from Math.random in boundary values for multipart form-encoded data bsc1246818 Tenable has extracted the preceding...

CVE-2025-61771

Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, Rack::Multipart::Parser stores non-file form fields parts without a filename entirely in memory as Ruby String objects. A single large text field in a multipart/form-data request hundreds of megabytes or...

EUVD-2023-0282

Malicious code in bioql PyPI...

EUVD-2023-0280

Malicious code in bioql PyPI...

OESA-2025-1996 python-werkzeug security update

A comprehensive WSGI web application library Security Fixes: Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal...

USN-7643-1 libsoup3, libsoup2.4 vulnerabilities

Jan Różański discovered that libsoup incorrectly handled range headers in an HTTP request. An attacker could possibly use this issue to cause libsoup to consume excessive memory, resulting in a denial of service. CVE-2025-32907 Alon Zahavi discovered that libsoup incorrectly handled memory when...

CVE-2025-6375

A flaw was found in Poco. The MultipartInputStream function in Net/src/MultipartReader.cpp contains a NULL pointer dereference triggered by crafted input. This flaw allows a local attacker to cause a denial of service. Manipulation occurs during the processing of multipart data. The vulnerability...

GHSA-9WJ4-8H85-PGRW OctoPrint Vulnerable to Denial of Service through malformed HTTP request in OctoPrint

Impact OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint and through that make the web server component become unresponsive. This could be used to effectively run ...

python-tornado security update

6.4.2-2.2 - tests: add citest.fmf + update gating.yaml Related: RHEL-91999 6.4.2-2.1 - httputil: Raise errors instead of logging in multipart/form-data parsing Resolves: RHEL-91999...