CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.14)

CVE-2026-54271
High

In protobufjs-cli, prior to versions 1.3.2 and 2.5.0, there was an incomplete fix for unsafe name handling in static code generation. Affected versions could emit unsafe JavaScript references when generating static output from crafted JSON descriptor input.

CVE-2026-54270
Medium

Versions of protobufjs from 8.2.0 to 8.4.2 lacked options to discard unknown fields during decoding, which could lead to excessive memory usage by decoded messages. Version 8.5.0 introduced options to disable unknown field retention, and version 8.6.2 defaults to discarding unknown fields.

CVE-2026-54269
Medium

In versions prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. This could lead to deterministic exceptions or recursive calls in various operations related to decoding and serialization.

CVE-2026-53632
Medium

The launch-editor package allows users to open files with line numbers in the editor from Node.js. Prior to version 2.14.1, this package accesses arbitrary paths, including Windows UNC paths, leading to the leakage of the user's NTLMv2 password hash.

CVE-2026-53571
High

Vite is a frontend tooling framework for JavaScript that, prior to versions 8.0.16, 7.3.5, and 6.4.3, could return the contents of files specified by server.fs.deny to the browser on Windows. Issues with NTFS ADS path normalization allowed unauthorized access to sensitive files.

CVE-2026-53540
Low

In the Python-Multipart library before version 0.0.31, the parse_form() function did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks.

CVE-2026-53539
High

The vulnerability in Python-Multipart before version 0.0.30 causes quadratic computational complexity when parsing application/x-www-form-urlencoded bodies using semicolons as separators. An attacker can send a small crafted request with many semicolon-separated fields, leading to high CPU usage and potential resource exhaustion.

CVE-2026-53538
Low

Python-Multipart before version 0.0.30 incorrectly treated the semicolon (;) as a field separator in application/x-www-form-urlencoded bodies, while the WHATWG standard and modern browsers only recognize the & character. This parsing differential allows an attacker to smuggle extra form fields past an upstream body inspecting component.

CVE-2026-53537
Low

The vulnerability in Python-Multipart before version 0.0.30 is that the parse_options_header function decodes Content-Disposition and Content-Type headers according to RFC 2231/5987, allowing the use of extended parameter syntax (e.g., filename*=charset'lang'value). An attacker can exploit this difference in header interpretation between components (e.g., WAF, proxy) and the backend to smuggle a different field name or filename, bypassing security inspection.

CVE-2026-50555
Medium

A Cross-Site Scripting (XSS) vulnerability exists in Angular's @angular/platform-server DOM emulation dependency (domino) when serializing raw-text elements like <script>, <style>, and <iframe>. A Unicode index alignment bug causes dynamic text with astral characters (e.g., emojis) before a closing tag to be improperly escaped, allowing JavaScript injection. The flaw is fixed in versions 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.

CVE-2026-50269
High

In the AIOHTTP library before version 3.14.0, a vulnerability allows HTTP header injection through attacker-controlled input included in multipart/payload headers. If an application passes user-controlled strings into `MultipartWriter.append(headers=...)` or `Payload.headers`, an attacker may modify the request to inject headers or change its contents.

CVE-2026-50184
Medium

A vulnerability in the @angular/service-worker package strips explicit security parameters (credentials and cache mode) during request reconstruction by the Angular Service Worker. This causes the browser to include active credentials where they should be omitted and caches private resources locally, leading to potential session leaks and persistent private data.

CVE-2026-50171
Medium

A Denial of Service (DoS) vulnerability exists in the @angular/common package of Angular. The formatNumber function, also used by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter, allowing a maliciously crafted string with excessively large fraction digit values to cause an unbounded loop in the roundNumber function, leading to system overload.

CVE-2026-50170
High

A vulnerability was found in Angular's @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache does not inspect the withCredentials flag or Cookie header, causing credentialed responses to be cached in TransferState. These responses are serialized into HTML and may be stored in CDN or proxy caches, leading to information disclosure between users.

CVE-2026-50169
Medium

A vulnerability in the @angular/service-worker package causes the Service Worker to strip strict redirect policies (e.g., redirect: 'error') during request reconstruction, falling back to the browser's default 'follow' behavior. This can lead to unintended following of HTTP 3xx redirects, potentially exposing cookies, credentials, or session-restricted data.

CVE-2026-50168
High

A vulnerability in the @angular/platform-server package allows attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This issue arises from a parser differential between the strict WHATWG URL parser and the lenient Domino parser, leading to an SSRF attack.

CVE-2026-49356
Low

Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read.

CVE-2026-48712
High

A vulnerability in protobufjs before versions 7.6.1 and 8.4.1 allows exhaustion of the JavaScript call stack when converting decoded protobuf messages to objects or JSON. The issue stems from the lack of a depth limit for recursion when processing nested Any values.

CVE-2026-42127
High

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion.

CVE-2026-12249
Critical

An issue was discovered in Canonical ADSys versions up to v0.16.2, involving the use of an unencrypted HTTP connection to request the CA certificate from the AD CS server. An attacker can perform a Man-in-the-Middle attack, leading to the installation of a malicious certificate in the system's local trust store.

PreviousPage 245 of 4495Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS