CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.14)
In protobufjs-cli, prior to versions 1.3.2 and 2.5.0, there was an incomplete fix for unsafe name handling in static code generation. Affected versions could emit unsafe JavaScript references when generating static output from crafted JSON descriptor input.
Versions of protobufjs from 8.2.0 to 8.4.2 lacked options to discard unknown fields during decoding, which could lead to excessive memory usage by decoded messages. Version 8.5.0 introduced options to disable unknown field retention, and version 8.6.2 defaults to discarding unknown fields.
In versions prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. This could lead to deterministic exceptions or recursive calls in various operations related to decoding and serialization.
The launch-editor package allows users to open files with line numbers in the editor from Node.js. Prior to version 2.14.1, this package accesses arbitrary paths, including Windows UNC paths, leading to the leakage of the user's NTLMv2 password hash.
Vite is a frontend tooling framework for JavaScript that, prior to versions 8.0.16, 7.3.5, and 6.4.3, could return the contents of files specified by server.fs.deny to the browser on Windows. Issues with NTFS ADS path normalization allowed unauthorized access to sensitive files.
In the Python-Multipart library before version 0.0.31, the parse_form() function did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks.
The vulnerability in Python-Multipart before version 0.0.30 causes quadratic computational complexity when parsing application/x-www-form-urlencoded bodies using semicolons as separators. An attacker can send a small crafted request with many semicolon-separated fields, leading to high CPU usage and potential resource exhaustion.
Python-Multipart before version 0.0.30 incorrectly treated the semicolon (;) as a field separator in application/x-www-form-urlencoded bodies, while the WHATWG standard and modern browsers only recognize the & character. This parsing differential allows an attacker to smuggle extra form fields past an upstream body inspecting component.
The vulnerability in Python-Multipart before version 0.0.30 is that the parse_options_header function decodes Content-Disposition and Content-Type headers according to RFC 2231/5987, allowing the use of extended parameter syntax (e.g., filename*=charset'lang'value). An attacker can exploit this difference in header interpretation between components (e.g., WAF, proxy) and the backend to smuggle a different field name or filename, bypassing security inspection.
A Cross-Site Scripting (XSS) vulnerability exists in Angular's @angular/platform-server DOM emulation dependency (domino) when serializing raw-text elements like <script>, <style>, and <iframe>. A Unicode index alignment bug causes dynamic text with astral characters (e.g., emojis) before a closing tag to be improperly escaped, allowing JavaScript injection. The flaw is fixed in versions 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.
In the AIOHTTP library before version 3.14.0, a vulnerability allows HTTP header injection through attacker-controlled input included in multipart/payload headers. If an application passes user-controlled strings into `MultipartWriter.append(headers=...)` or `Payload.headers`, an attacker may modify the request to inject headers or change its contents.
A vulnerability in the @angular/service-worker package strips explicit security parameters (credentials and cache mode) during request reconstruction by the Angular Service Worker. This causes the browser to include active credentials where they should be omitted and caches private resources locally, leading to potential session leaks and persistent private data.
A Denial of Service (DoS) vulnerability exists in the @angular/common package of Angular. The formatNumber function, also used by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter, allowing a maliciously crafted string with excessively large fraction digit values to cause an unbounded loop in the roundNumber function, leading to system overload.
A vulnerability was found in Angular's @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache does not inspect the withCredentials flag or Cookie header, causing credentialed responses to be cached in TransferState. These responses are serialized into HTML and may be stored in CDN or proxy caches, leading to information disclosure between users.
A vulnerability in the @angular/service-worker package causes the Service Worker to strip strict redirect policies (e.g., redirect: 'error') during request reconstruction, falling back to the browser's default 'follow' behavior. This can lead to unintended following of HTTP 3xx redirects, potentially exposing cookies, credentials, or session-restricted data.
A vulnerability in the @angular/platform-server package allows attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This issue arises from a parser differential between the strict WHATWG URL parser and the lenient Domino parser, leading to an SSRF attack.
Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read.
A vulnerability in protobufjs before versions 7.6.1 and 8.4.1 allows exhaustion of the JavaScript call stack when converting decoded protobuf messages to objects or JSON. The issue stems from the lack of a depth limit for recursion when processing nested Any values.
The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion.
An issue was discovered in Canonical ADSys versions up to v0.16.2, involving the use of an unencrypted HTTP connection to request the CA certificate from the AD CS server. An attacker can perform a Man-in-the-Middle attack, leading to the installation of a malicious certificate in the system's local trust store.

