CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.14)

CVE-2026-54286
Medium

In Hono framework before version 4.12.25 on Windows hosts, an encoded backslash (%5C) in the request path decodes to a separator, allowing an attacker to read static files protected by prefix-mounted middleware.

CVE-2026-54285
Medium

In versions prior to 2.8.0 of the opentelemetry-js library, the W3CBaggagePropagator.extract() method in @opentelemetry/core does not enforce size limits when parsing HTTP headers. The W3C Baggage specification recommends a maximum size of 8,192 bytes and 180 entries, which was not enforced for incoming headers.

CVE-2026-54283
High

Vulnerability in Starlette framework from version 0.4.1 to 1.3.1 causes max_fields and max_part_size limits for request.form() to be enforced only for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can send a request body with an arbitrarily large number of fields or an arbitrarily large field, bypassing configured limits.

CVE-2026-54282
Low

In Starlette before version 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled.

CVE-2026-54280
High

In the AIOHTTP library before version 3.14.1, payload resources are not properly closed when a client disconnects during a write operation. This can lead to temporary resource exhaustion, such as open file handles, until they are released by garbage collection.

CVE-2026-54279
High

In the AIOHTTP library before version 3.14.1, there is a vulnerability where host-only cookies saved with CookieJar.save() and later restored with CookieJar.load() lose their host-only status.

CVE-2026-54278
High

In the AIOHTTP library before version 3.14.1, a vulnerability was found where a compressed request body could be decompressed into memory in one chunk during cleanup. An attacker can send a specially crafted compressed payload that, after decompression, could lead to server overload (a zip bomb edge case).

CVE-2026-54277
High

In the AIOHTTP library before version 3.14.1, a vulnerability allows bypassing the max_line_size check in HTTP requests when using the optimized C parser. An attacker can send oversized lines, causing excessive memory consumption and potentially leading to a DoS attack.

CVE-2026-54276
Medium

In AIOHTTP before version 3.14.1, DigestAuthMiddleware can send an authentication response after following a cross-origin redirect. The attack requires an open redirect vulnerability on the target domain, and the attacker only receives the digest, allowing credential extraction only if cryptography is weak or passwords are reused.

CVE-2026-54275
High

In the AIOHTTP library before version 3.14.1, a vulnerability was found that allows bypassing the TLS SNI check for the server_hostname parameter when reusing an existing connection. If an application makes multiple requests to the same domain but with different server_hostname values, later calls may incorrectly reuse the previous connection instead of being rejected.

CVE-2026-54274
High

A vulnerability in AIOHTTP before version 3.14.1 allows an attacker to bypass memory limits by sending large incomplete WebSocket frame payloads. This can lead to excessive memory consumption and potential server resource exhaustion.

CVE-2026-54273
High

In the AIOHTTP library before version 3.14.1, there was no limit on the number of pipelined requests that could be queued. An attacker can exploit this to cause excessive memory usage, potentially leading to a DoS attack.

CVE-2026-54271
High

In protobufjs-cli, prior to versions 1.3.2 and 2.5.0, there was an incomplete fix for unsafe name handling in static code generation. Affected versions could emit unsafe JavaScript references when generating static output from crafted JSON descriptor input.

CVE-2026-54270
Medium

Versions of protobufjs from 8.2.0 to 8.4.2 lacked options to discard unknown fields during decoding, which could lead to excessive memory usage by decoded messages. Version 8.5.0 introduced options to disable unknown field retention, and version 8.6.2 defaults to discarding unknown fields.

CVE-2026-54269
Medium

In versions prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. This could lead to deterministic exceptions or recursive calls in various operations related to decoding and serialization.

CVE-2026-53632
Medium

The launch-editor package allows users to open files with line numbers in the editor from Node.js. Prior to version 2.14.1, this package accesses arbitrary paths, including Windows UNC paths, leading to the leakage of the user's NTLMv2 password hash.

CVE-2026-53571
High

Vite is a frontend tooling framework for JavaScript that, prior to versions 8.0.16, 7.3.5, and 6.4.3, could return the contents of files specified by server.fs.deny to the browser on Windows. Issues with NTFS ADS path normalization allowed unauthorized access to sensitive files.

CVE-2026-53540
Low

In the Python-Multipart library before version 0.0.31, the parse_form() function did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks.

CVE-2026-53539
High

The vulnerability in Python-Multipart before version 0.0.30 causes quadratic computational complexity when parsing application/x-www-form-urlencoded bodies using semicolons as separators. An attacker can send a small crafted request with many semicolon-separated fields, leading to high CPU usage and potential resource exhaustion.

CVE-2026-53538
Low

Python-Multipart before version 0.0.30 incorrectly treated the semicolon (;) as a field separator in application/x-www-form-urlencoded bodies, while the WHATWG standard and modern browsers only recognize the & character. This parsing differential allows an attacker to smuggle extra form fields past an upstream body inspecting component.

PreviousPage 246 of 4505Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS