Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
3.7 LOW
CVE-2026-53540 — Python-Multipart: Negative Content-Length in parse_form buffers the entire body in memory

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A …

python-multipart | Remote | Denial of Service
Jun 22, 2026 Jun 26, 2026
7.5 HIGH
CVE-2026-53539 — Python-Multipart: Quadratic-time querystring parsing with semicolon separators causes CPU…

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step look…

python-multipart | Remote | Injection
Jun 22, 2026 Jun 26, 2026
3.7 LOW
CVE-2026-53538 — Python-Multipart: Semicolon treated as querystring field separator enables parameter smug…

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATW…

python-multipart | Remote | Injection
Jun 22, 2026 Jun 26, 2026
5.3 MEDIUM
CVE-2026-53537 — Python-Multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended para…

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparentl…

python-multipart | Remote | Misconfiguration
Jun 22, 2026 Jun 26, 2026
8.6 HIGH
CVE-2026-50556 — Angular: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripti…

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site S…

angular angularjs angular_language_service | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 30, 2026
8.6 HIGH
CVE-2026-50555 — Angular: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti…

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site S…

angular angularjs angular_language_service | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 26, 2026
7.5 HIGH
CVE-2026-50269 — AIOHTTP: CRLF injection in multipart headers

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to i…

aiohttp | Remote | Injection
Jun 22, 2026 Jun 26, 2026
6.1 MEDIUM
CVE-2026-50184 — Angular: Request Credential & Cache Policy Stripping in Angular Service Worker

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in th…

angular angularjs angular_language_service | Remote | Misconfiguration
Jun 22, 2026 Jun 26, 2026
8.2 HIGH
CVE-2026-50171 — Angular: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Se…

angular angularjs angular_language_service | Remote | Denial of Service
Jun 22, 2026 Jun 26, 2026
8.2 HIGH
CVE-2026-50170 — Angular: Information Leak via Default Caching of Credentialed Requests in HttpTransferCac…

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a vulnerabilit…

angular angularjs angular_language_service | Remote | Information Disclosure
Jun 22, 2026 Jun 30, 2026
6.1 MEDIUM
CVE-2026-50169 — Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the…

angular angularjs angular_language_service | Remote | Misconfiguration
Jun 22, 2026 Jun 26, 2026
8.8 HIGH
CVE-2026-50168 — Angular: URL Parser Differential in @angular/platform-server leading to SSRF Allowlist By…

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in th…

angular angularjs angular_language_service | Remote | Server-Side Request Forgery
Jun 22, 2026 Jun 30, 2026
3.6 LOW
CVE-2026-49356 — Babel: Arbitrary File Read via sourceMappingURL Comment in @babel/core

Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core is affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile…

babel | Information Disclosure
Jun 22, 2026 Jun 26, 2026
7.5 HIGH
CVE-2026-48712 — protobufjs: Denial of service through unbounded Any expansion during JSON conversion

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or…

protobufjs | Remote | Information Disclosure
Jun 22, 2026 Jun 26, 2026
8.8 HIGH
CVE-2026-46417 — Angular: SSRF via Hostname Hijacking in @angular/platform-server

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Si…

angular angularjs angular_language_service | Remote | Server-Side Request Forgery
Jun 22, 2026 Jun 30, 2026
7.5 HIGH
CVE-2026-42127 — Grafana pre-auth DoS through arbitrarily large input to public dashboard query handler

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON pay…

grafana | Remote | Denial of Service
Jun 22, 2026 Jun 30, 2026
9.0 CRITICAL
CVE-2026-12249 — Canonical ADSys Trust Store Poisoning via Plaintext HTTP Certificate Auto-Enrollment

An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script (in…

ubuntu | Remote | Misconfiguration
Jun 22, 2026 Jun 22, 2026
4.8 MEDIUM
CVE-2026-11994 — Akaunting 3.1.21 - Authenticated stored XSS in report description rendering

Akaunting 3.1.21 contains an authenticated stored Cross-Site Scripting vulnerability in the report management workflow. A user with permission to create or update reports can store arbitrary HTML/Jav…

akaunting | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 22, 2026
9.6 CRITICAL
CVE-2026-10789 — MCP Extension Code Injection Vulnerability in Autodesk Fusion Desktop

A maliciously crafted webpage, when visited by a user with Autodesk Fusion Desktop running and the MCP extension enabled, can trigger a vulnerability in the MCP extension that could allow arbitrary c…

fusion | Remote | Injection
Jun 22, 2026 Jun 24, 2026
5.3 MEDIUM
CVE-2026-9610 — Multiple Vulnerabilities in IBM Datacap

IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 expose resources or functionality that isn't linked in the UI but is accessible by directly requesting the URL, …

datacap datacap_navigator | Remote | Authorization
Jun 22, 2026 Jun 26, 2026
Showing 20 of 7988 Results