CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-53779
High

WebP Server Go version 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory. Attackers can exploit percent-encoded backslashes (%5C) to bypass sanitization in handler/router.go.

CVE-2026-50146
High

Astro is a web framework that prior to version 6.3.3 had a vulnerability where components using the client:* directive inserted slot content into a data-astro-template attribute without proper escaping, allowing an attacker to inject arbitrary HTML and leading to reflected XSS during SSR.

CVE-2026-11834
High

A command injection vulnerability has been identified in the DHCP option processing logic in multiple TP-Link router models, due to insufficient validation of externally supplied DHCP option data. An adjacent attacker may exploit this vulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized command execution during device initialization or provisioning workflows. This typically occurs when the device is in a factory-default or unconfigured state.

CVE-2026-55602
High

Vulnerability in http-proxy-middleware from version 0.16.0 to 2.0.10, 3.0.6, and 4.1.0 involves incorrect matching of host+path router entries. The implementation uses unanchored substring matching instead of full matching, allowing an attacker to route requests to an unintended backend via a crafted Host header.

CVE-2026-55388
High

In the piscina library, prior to versions 6.0.0-rc.2, 5.2.0, and 4.9.3, there was a vulnerability related to reading the filename option, which could lead to the execution of malicious code in worker threads.

CVE-2026-54290
High

Hono is a web application framework that prior to version 4.12.25 had a vulnerability in the CORS middleware. With 'credentials: true' and no explicit origin, the middleware reflected the request's origin, allowing any site to make credentialed cross-origin requests.

CVE-2026-54283
High

Vulnerability in Starlette framework from version 0.4.1 to 1.3.1 causes max_fields and max_part_size limits for request.form() to be enforced only for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can send a request body with an arbitrarily large number of fields or an arbitrarily large field, bypassing configured limits.

CVE-2026-54280
High

In the AIOHTTP library before version 3.14.1, payload resources are not properly closed when a client disconnects during a write operation. This can lead to temporary resource exhaustion, such as open file handles, until they are released by garbage collection.

CVE-2026-54279
High

In the AIOHTTP library before version 3.14.1, there is a vulnerability where host-only cookies saved with CookieJar.save() and later restored with CookieJar.load() lose their host-only status.

CVE-2026-54278
High

In the AIOHTTP library before version 3.14.1, a vulnerability was found where a compressed request body could be decompressed into memory in one chunk during cleanup. An attacker can send a specially crafted compressed payload that, after decompression, could lead to server overload (a zip bomb edge case).

CVE-2026-54277
High

In the AIOHTTP library before version 3.14.1, a vulnerability allows bypassing the max_line_size check in HTTP requests when using the optimized C parser. An attacker can send oversized lines, causing excessive memory consumption and potentially leading to a DoS attack.

CVE-2026-54275
High

In the AIOHTTP library before version 3.14.1, a vulnerability was found that allows bypassing the TLS SNI check for the server_hostname parameter when reusing an existing connection. If an application makes multiple requests to the same domain but with different server_hostname values, later calls may incorrectly reuse the previous connection instead of being rejected.

CVE-2026-54274
High

A vulnerability in AIOHTTP before version 3.14.1 allows an attacker to bypass memory limits by sending large incomplete WebSocket frame payloads. This can lead to excessive memory consumption and potential server resource exhaustion.

CVE-2026-54273
High

In the AIOHTTP library before version 3.14.1, there was no limit on the number of pipelined requests that could be queued. An attacker can exploit this to cause excessive memory usage, potentially leading to a DoS attack.

CVE-2026-54271
High

In protobufjs-cli, prior to versions 1.3.2 and 2.5.0, there was an incomplete fix for unsafe name handling in static code generation. Affected versions could emit unsafe JavaScript references when generating static output from crafted JSON descriptor input.

CVE-2026-53571
High

Vite is a frontend tooling framework for JavaScript that, prior to versions 8.0.16, 7.3.5, and 6.4.3, could return the contents of files specified by server.fs.deny to the browser on Windows. Issues with NTFS ADS path normalization allowed unauthorized access to sensitive files.

CVE-2026-53539
High

The vulnerability in Python-Multipart before version 0.0.30 causes quadratic computational complexity when parsing application/x-www-form-urlencoded bodies using semicolons as separators. An attacker can send a small crafted request with many semicolon-separated fields, leading to high CPU usage and potential resource exhaustion.

CVE-2026-50269
High

In the AIOHTTP library before version 3.14.0, a vulnerability allows HTTP header injection through attacker-controlled input included in multipart/payload headers. If an application passes user-controlled strings into `MultipartWriter.append(headers=...)` or `Payload.headers`, an attacker may modify the request to inject headers or change its contents.

CVE-2026-50170
High

A vulnerability was found in Angular's @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache does not inspect the withCredentials flag or Cookie header, causing credentialed user-specific responses to be cached in the shared TransferState. This can leak private data across users via caching layers like CDN or reverse proxy.

CVE-2026-50168
High

A vulnerability in the @angular/platform-server package allows attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This issue arises from a parser differential between the strict WHATWG URL parser and the lenient Domino parser, enabling an SSRF attack.

PreviousPage 79 of 3342Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS