CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
A vulnerability in @astrojs/netlify prior to version 7.0.13 allows for improper matching of image patterns, potentially leading to unauthorized access to resources. Patterns using wildcards can match more paths and hosts than intended.
Astro is a web framework that prior to version 6.4.6 had an issue with SSR apps using prerendered error pages. When an error occurred, these pages were fetched over HTTP, allowing an attacker to direct the request to an arbitrary host.
In versions prior to 6.4.6 of the Astro framework, the spreadAttributes function in the server-side rendering pipeline did not sanitize object keys against injection, allowing attackers to add arbitrary HTML attributes, including event handlers.
NLTK prior to 3.10.0-rc1 is vulnerable to path traversal in nltk.data.load() when using the nltk: URL scheme. The regex check runs before URL decoding, allowing an attacker to bypass protection and read arbitrary files from the filesystem.
The Hono framework prior to version 4.12.25 has a vulnerability in the Body Limit middleware, which trusts the request's Content-Length header to determine if the body is within the allowed limit. On AWS Lambda, a client can declare a smaller Content-Length while sending a larger body, allowing them to bypass the limit.
WebP Server Go version 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory. Attackers can exploit percent-encoded backslashes (%5C) to bypass sanitization in handler/router.go.
CVE ID 2026-53778 has been rejected or withdrawn by its CVE Numbering Authority.
React Router versions from 7.12.0 to 7.15.1 had insufficient CSRF checks in Framework Mode that operated on POST requests but were bypassed on PUT/PATCH/DELETE requests. This vulnerability is fixed in version 7.15.1.
Astro is a web framework that prior to version 6.3.3 had a vulnerability where components using the client:* directive inserted slot content into a data-astro-template attribute without proper escaping, allowing an attacker to inject arbitrary HTML and leading to reflected XSS during SSR.
A command injection vulnerability has been identified in the DHCP option processing logic in multiple TP-Link router models, due to insufficient validation of externally supplied DHCP option data. An adjacent attacker may exploit this vulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized command execution during device initialization or provisioning workflows. This typically occurs when the device is in a factory-default or unconfigured state.
The Advanced Linux Sound Architecture (ALSA) library before version 1.2.16.1 contains a double-free vulnerability in the parse_def() function, allowing attackers to corrupt memory by supplying maliciously crafted ALSA configuration text. The issue occurs when parsing nested configuration blocks, where return values are not checked, leading to snd_config_delete() being called twice on the same already-freed node.
Vulnerability in http-proxy-middleware from version 0.16.0 to 2.0.10, 3.0.6, and 4.1.0 involves incorrect matching of host+path router entries. The implementation uses unanchored substring matching instead of full matching, allowing an attacker to route requests to an unintended backend via a crafted Host header.
In the piscina library, prior to versions 6.0.0-rc.2, 5.2.0, and 4.9.3, there was a vulnerability related to reading the filename option, which could lead to the execution of malicious code in worker threads.
Hono is a web application framework that prior to version 4.12.25 had a vulnerability in the CORS middleware. With 'credentials: true' and no explicit origin, the middleware reflected the request's origin, allowing any site to make credentialed cross-origin requests.
Hono is a web application framework that prior to version 4.12.25 on AWS Lambda@Edge had an issue with repeated request headers. The adapter wrote header values using Headers.set, causing earlier values to be overwritten, and only the last one reached the application.
Hono is a web application framework that supports any JavaScript runtime. Prior to version 4.12.25, on AWS Lambda, ALB single-header responses and VPC Lattice v2 responses join multiple Set-Cookie headers into one comma-separated value, leading to issues with proper processing by clients.
In Hono framework before version 4.12.25 on Windows hosts, an encoded backslash (%5C) in the request path decodes to a separator, allowing an attacker to read static files protected by prefix-mounted middleware.
In versions prior to 2.8.0 of the opentelemetry-js library, the W3CBaggagePropagator.extract() method in @opentelemetry/core does not enforce size limits when parsing HTTP headers. The W3C Baggage specification recommends a maximum size of 8,192 bytes and 180 entries, which was not enforced for incoming headers.
Vulnerability in Starlette framework from version 0.4.1 to 1.3.1 causes max_fields and max_part_size limits for request.form() to be enforced only for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can send a request body with an arbitrarily large number of fields or an arbitrarily large field, bypassing configured limits.
In Starlette before version 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled.

