Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
7.0 HIGH
CVE-2026-56109 — ALSA Library < 1.2.16.1 Double-Free via parse_def() in conf.c

The Advanced Linux Sound Architecture (ALSA) library before 1.2.16.1 contains a double-free vulnerability in parse_def() in src/conf.c that allows attackers to corrupt memory by supplying maliciously…

alsa-lib | Memory Corruption
Jun 22, 2026 Jun 23, 2026
8.6 HIGH
CVE-2026-55602 — http-proxy-middleware `router` host+path substring matching allows Host-header-driven bac…

http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, b…

http-proxy-middleware | Remote | Path Traversal
Jun 22, 2026 Jun 26, 2026
8.1 HIGH
CVE-2026-55388 — piscina: Prototype Pollution Gadget → RCE via inherited options.filename

piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run() paths read the filename option via plain member access. Both reads fall through…

Remote | Misconfiguration
Jun 22, 2026 Jun 23, 2026
7.1 HIGH
CVE-2026-54290 — Hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the …

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin (the default wildcard), the CORS Middleware refle…

hono | Remote | Misconfiguration
Jun 22, 2026 Jun 22, 2026
4.8 MEDIUM
CVE-2026-54289 — Hono: Lambda@Edge adapter keeps only the last value of a repeated request header, droppin…

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several…

hono | Remote | Information Disclosure
Jun 22, 2026 Jun 22, 2026
5.3 MEDIUM
CVE-2026-54287 — Hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping co…

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set…

hono | Remote | Misconfiguration
Jun 22, 2026 Jun 22, 2026
5.9 MEDIUM
CVE-2026-54286 — Hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Window…

hono | Remote | Path Traversal
Jun 22, 2026 Jun 23, 2026
5.3 MEDIUM
CVE-2026-54285 — opentelemetry-js: Unbounded memory allocation in W3C Baggage propagation

opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract() in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. …

Remote | Information Disclosure
Jun 22, 2026 Jun 23, 2026
7.5 HIGH
CVE-2026-54283 — Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded e…

Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are …

starlette | Remote | Denial of Service
Jun 22, 2026 Jun 26, 2026
5.3 MEDIUM
CVE-2026-54282 — Starlette: Unvalidated request path concatenated into authority poisons request.url.hostn…

Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating…

starlette | Remote | Misconfiguration
Jun 22, 2026 Jun 26, 2026
7.5 HIGH
CVE-2026-54280 — AIOHTTP: Payload Response Resources Are Not Closed After Mid-Body Disconnect

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a pa…

aiohttp | Remote | Denial of Service
Jun 22, 2026 Jun 26, 2026
7.5 HIGH
CVE-2026-54279 — AIOHTTP: Host-Only Cookies Become Domain Cookies After CookieJar Persistence

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save() and then restored later with CookieJar.load() l…

aiohttp | Remote | Misconfiguration
Jun 22, 2026 Jun 26, 2026
7.5 HIGH
CVE-2026-54278 — AIOHTTP: Unread Compressed Request Bodies Bypass client_max_size During Cleanup

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to be decompressed into memory in one chun…

aiohttp | Remote | Denial of Service
Jun 22, 2026 Jun 26, 2026
7.5 HIGH
CVE-2026-54277 — AIOHTTP: C HTTP Parser Bypasses max_line_size for Fragmented Lines

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. If using…

aiohttp | Remote | Denial of Service
Jun 22, 2026 Jun 30, 2026
6.3 MEDIUM
CVE-2026-54276 — AIOHTTP: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, DigestAuthMiddleware can send an authentication response after following a cross-origin redirect. This…

aiohttp | Remote | Authentication
Jun 22, 2026 Jun 30, 2026
7.5 HIGH
CVE-2026-54275 — AIOHTTP: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, the server_hostname TLS SNI check can be bypassed when an existing connection is reused. If an applica…

aiohttp | Remote | Misconfiguration
Jun 22, 2026 Jun 26, 2026
7.5 HIGH
CVE-2026-54274 — AIOHTTP: Incomplete websocket frame payloads bypass memory limits

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual…

aiohttp | Remote | Denial of Service
Jun 22, 2026 Jun 26, 2026
7.5 HIGH
CVE-2026-54273 — AIOHTTP: HTTP/1 Pipelined Requests Queue Without Limit

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able…

aiohttp | Remote | Denial of Service
Jun 22, 2026 Jun 26, 2026
8.2 HIGH
CVE-2026-54271 — protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.3.2 and 2.5.0, a previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected ve…

protobufjs protobufjs-cli | Remote | Injection
Jun 22, 2026 Jun 24, 2026
5.3 MEDIUM
CVE-2026-54270 — protobufjs: Memory amplification from preserved unknown fields in binary decode

protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 to 8.4.2, protobufjs preserved unknown wire elements in message.$unknowns and did not provide a decode-time option …

protobufjs | Remote | Misconfiguration
Jun 22, 2026 Jun 24, 2026
Showing 20 of 7989 Results