CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
WebP Server Go version 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory. Attackers can exploit percent-encoded backslashes (%5C) to bypass sanitization in handler/router.go.
Astro is a web framework that prior to version 6.3.3 had a vulnerability where components using the client:* directive inserted slot content into a data-astro-template attribute without proper escaping, allowing an attacker to inject arbitrary HTML and leading to reflected XSS during SSR.
A command injection vulnerability has been identified in the DHCP option processing logic in multiple TP-Link router models, due to insufficient validation of externally supplied DHCP option data. An adjacent attacker may exploit this vulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized command execution during device initialization or provisioning workflows. This typically occurs when the device is in a factory-default or unconfigured state.
Vulnerability in http-proxy-middleware from version 0.16.0 to 2.0.10, 3.0.6, and 4.1.0 involves incorrect matching of host+path router entries. The implementation uses unanchored substring matching instead of full matching, allowing an attacker to route requests to an unintended backend via a crafted Host header.
In the piscina library, prior to versions 6.0.0-rc.2, 5.2.0, and 4.9.3, there was a vulnerability related to reading the filename option, which could lead to the execution of malicious code in worker threads.
Hono is a web application framework that prior to version 4.12.25 had a vulnerability in the CORS middleware. With 'credentials: true' and no explicit origin, the middleware reflected the request's origin, allowing any site to make credentialed cross-origin requests.
Vulnerability in Starlette framework from version 0.4.1 to 1.3.1 causes max_fields and max_part_size limits for request.form() to be enforced only for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can send a request body with an arbitrarily large number of fields or an arbitrarily large field, bypassing configured limits.
In the AIOHTTP library before version 3.14.1, payload resources are not properly closed when a client disconnects during a write operation. This can lead to temporary resource exhaustion, such as open file handles, until they are released by garbage collection.
In the AIOHTTP library before version 3.14.1, there is a vulnerability where host-only cookies saved with CookieJar.save() and later restored with CookieJar.load() lose their host-only status.
In the AIOHTTP library before version 3.14.1, a vulnerability was found where a compressed request body could be decompressed into memory in one chunk during cleanup. An attacker can send a specially crafted compressed payload that, after decompression, could lead to server overload (a zip bomb edge case).
In the AIOHTTP library before version 3.14.1, a vulnerability allows bypassing the max_line_size check in HTTP requests when using the optimized C parser. An attacker can send oversized lines, causing excessive memory consumption and potentially leading to a DoS attack.
In the AIOHTTP library before version 3.14.1, a vulnerability was found that allows bypassing the TLS SNI check for the server_hostname parameter when reusing an existing connection. If an application makes multiple requests to the same domain but with different server_hostname values, later calls may incorrectly reuse the previous connection instead of being rejected.
A vulnerability in AIOHTTP before version 3.14.1 allows an attacker to bypass memory limits by sending large incomplete WebSocket frame payloads. This can lead to excessive memory consumption and potential server resource exhaustion.
In the AIOHTTP library before version 3.14.1, there was no limit on the number of pipelined requests that could be queued. An attacker can exploit this to cause excessive memory usage, potentially leading to a DoS attack.
In protobufjs-cli, prior to versions 1.3.2 and 2.5.0, there was an incomplete fix for unsafe name handling in static code generation. Affected versions could emit unsafe JavaScript references when generating static output from crafted JSON descriptor input.
Vite is a frontend tooling framework for JavaScript that, prior to versions 8.0.16, 7.3.5, and 6.4.3, could return the contents of files specified by server.fs.deny to the browser on Windows. Issues with NTFS ADS path normalization allowed unauthorized access to sensitive files.
The vulnerability in Python-Multipart before version 0.0.30 causes quadratic computational complexity when parsing application/x-www-form-urlencoded bodies using semicolons as separators. An attacker can send a small crafted request with many semicolon-separated fields, leading to high CPU usage and potential resource exhaustion.
In the AIOHTTP library before version 3.14.0, a vulnerability allows HTTP header injection through attacker-controlled input included in multipart/payload headers. If an application passes user-controlled strings into `MultipartWriter.append(headers=...)` or `Payload.headers`, an attacker may modify the request to inject headers or change its contents.
A vulnerability was found in Angular's @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache does not inspect the withCredentials flag or Cookie header, causing credentialed user-specific responses to be cached in the shared TransferState. This can leak private data across users via caching layers like CDN or reverse proxy.
A vulnerability in the @angular/platform-server package allows attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This issue arises from a parser differential between the strict WHATWG URL parser and the lenient Domino parser, enabling an SSRF attack.

