CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.13)

CVE-2026-54280
High

In the AIOHTTP library before version 3.14.1, payload resources are not properly closed when a client disconnects during a write operation. This can lead to temporary resource exhaustion, such as open file handles, until they are released by garbage collection.

CVE-2026-54279
High

In the AIOHTTP library before version 3.14.1, there is a vulnerability where host-only cookies saved with CookieJar.save() and later restored with CookieJar.load() lose their host-only status.

CVE-2026-54278
High

In the AIOHTTP library before version 3.14.1, a vulnerability was found where a compressed request body could be decompressed into memory in one chunk during cleanup. An attacker can send a specially crafted compressed payload that, after decompression, could lead to server overload (a zip bomb edge case).

CVE-2026-54277
High

In the AIOHTTP library before version 3.14.1, a vulnerability allows bypassing the max_line_size check in HTTP requests when using the optimized C parser. An attacker can send oversized lines, causing excessive memory consumption and potentially leading to a DoS attack.

CVE-2026-54276
Medium

In AIOHTTP before version 3.14.1, DigestAuthMiddleware can send an authentication response after following a cross-origin redirect. The attack requires an open redirect vulnerability on the target domain, and the attacker only receives the digest, allowing credential extraction only if cryptography is weak or passwords are reused.

CVE-2026-54275
High

In the AIOHTTP library before version 3.14.1, a vulnerability was found that allows bypassing the TLS SNI check for the server_hostname parameter when reusing an existing connection. If an application makes multiple requests to the same domain but with different server_hostname values, later calls may incorrectly reuse the previous connection instead of being rejected.

CVE-2026-54274
High

A vulnerability in AIOHTTP before version 3.14.1 allows an attacker to bypass memory limits by sending large incomplete WebSocket frame payloads. This can lead to excessive memory consumption and potential server resource exhaustion.

CVE-2026-54273
High

In the AIOHTTP library before version 3.14.1, there was no limit on the number of pipelined requests that could be queued. An attacker can exploit this to cause excessive memory usage, potentially leading to a DoS attack.

CVE-2026-54271
High

In protobufjs-cli, prior to versions 1.3.2 and 2.5.0, there was an incomplete fix for unsafe name handling in static code generation. Affected versions could emit unsafe JavaScript references when generating static output from crafted JSON descriptor input.

CVE-2026-54270
Medium

Versions of protobufjs from 8.2.0 to 8.4.2 lacked options to discard unknown fields during decoding, which could lead to excessive memory usage by decoded messages. Version 8.5.0 introduced options to disable unknown field retention, and version 8.6.2 defaults to discarding unknown fields.

CVE-2026-54269
Medium

In versions prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. This could lead to deterministic exceptions or recursive calls in various operations related to decoding and serialization.

CVE-2026-53632
Medium

The launch-editor package allows users to open files with line numbers in the editor from Node.js. Prior to version 2.14.1, this package accesses arbitrary paths, including Windows UNC paths, leading to the leakage of the user's NTLMv2 password hash.

CVE-2026-53571
High

Vite is a frontend tooling framework for JavaScript that, prior to versions 8.0.16, 7.3.5, and 6.4.3, could return the contents of files specified by server.fs.deny to the browser on Windows. Issues with NTFS ADS path normalization allowed unauthorized access to sensitive files.

CVE-2026-53540
Low

In the Python-Multipart library before version 0.0.31, the parse_form() function did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks.

CVE-2026-53539
High

The vulnerability in Python-Multipart before version 0.0.30 causes quadratic computational complexity when parsing application/x-www-form-urlencoded bodies using semicolons as separators. An attacker can send a small crafted request with many semicolon-separated fields, leading to high CPU usage and potential resource exhaustion.

CVE-2026-53538
Low

Python-Multipart before version 0.0.30 incorrectly treated the semicolon (;) as a field separator in application/x-www-form-urlencoded bodies, while the WHATWG standard and modern browsers only recognize the & character. This parsing differential allows an attacker to smuggle extra form fields past an upstream body inspecting component.

CVE-2026-53537
Low

The vulnerability in Python-Multipart before version 0.0.30 is that the parse_options_header function decodes Content-Disposition and Content-Type headers according to RFC 2231/5987, allowing the use of extended parameter syntax (e.g., filename*=charset'lang'value). An attacker can exploit this difference in header interpretation between components (e.g., WAF, proxy) and the backend to smuggle a different field name or filename, bypassing security inspection.

CVE-2026-50556
Medium

A Cross-Site Scripting (XSS) vulnerability exists in Angular's @angular/platform-server component when rendering dynamic content inside <noscript> elements during Server-Side Rendering (SSR). The domino library fails to escape the closing </noscript> tag, allowing injection of arbitrary scripts.

CVE-2026-50555
Medium

A Cross-Site Scripting (XSS) vulnerability exists in Angular's @angular/platform-server DOM emulation dependency (domino) when serializing raw-text elements like <script>, <style>, and <iframe>. A Unicode index alignment bug causes dynamic text with astral characters (e.g., emojis) before a closing tag to be improperly escaped, allowing JavaScript injection. The flaw is fixed in versions 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.

CVE-2026-50269
High

In the AIOHTTP library before version 3.14.0, a vulnerability allows HTTP header injection through attacker-controlled input included in multipart/payload headers. If an application passes user-controlled strings into `MultipartWriter.append(headers=...)` or `Payload.headers`, an attacker may modify the request to inject headers or change its contents.

PreviousPage 227 of 4549Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS