Latest CVE Feed

Vulnerabilities published in the last 30 days.

Score
Vulnerability
Published
7.5 HIGH
CVE-2026-54273 — AIOHTTP: HTTP/1 Pipelined Requests Queue Without Limit

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able…

aiohttp | Remote | Denial of Service
Jun 22, 2026 Jun 26, 2026
8.2 HIGH
CVE-2026-54271 — protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.3.2 and 2.5.0, a previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected ve…

protobufjs protobufjs-cli | Remote | Injection
Jun 22, 2026 Jun 24, 2026
5.3 MEDIUM
CVE-2026-54270 — protobufjs: Memory amplification from preserved unknown fields in binary decode

protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 to 8.4.2, protobufjs preserved unknown wire elements in message.$unknowns and did not provide a decode-time option …

protobufjs | Remote | Misconfiguration
Jun 22, 2026 Jun 24, 2026
5.3 MEDIUM
CVE-2026-54269 — protobufjs: Schema-derived names can shadow runtime-significant properties

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobuf…

protobufjs protobufjs-cli | Remote | Misconfiguration
Jun 22, 2026 Jun 24, 2026
5.5 MEDIUM
CVE-2026-53632 — NTLMv2 hash disclosure via UNC path handling on Windows

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path…

vite vite-plus | Remote | Information Disclosure
Jun 22, 2026 Jun 23, 2026
8.2 HIGH
CVE-2026-53571 — Vite: `server.fs.deny` bypass on Windows alternate paths

Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s de…

windows vite vite+ | Remote | Path Traversal
Jun 22, 2026 Jun 24, 2026
3.7 LOW
CVE-2026-53540 — Python-Multipart: Negative Content-Length in parse_form buffers the entire body in memory

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A …

python-multipart | Remote | Denial of Service
Jun 22, 2026 Jun 26, 2026
7.5 HIGH
CVE-2026-53539 — Python-Multipart: Quadratic-time querystring parsing with semicolon separators causes CPU…

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step look…

python-multipart | Remote | Injection
Jun 22, 2026 Jun 26, 2026
3.7 LOW
CVE-2026-53538 — Python-Multipart: Semicolon treated as querystring field separator enables parameter smug…

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATW…

python-multipart | Remote | Injection
Jun 22, 2026 Jun 26, 2026
5.3 MEDIUM
CVE-2026-53537 — Python-Multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended para…

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparentl…

python-multipart | Remote | Misconfiguration
Jun 22, 2026 Jun 26, 2026
8.6 HIGH
CVE-2026-50556 — Angular: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripti…

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site S…

angular angularjs angular_language_service | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 30, 2026
8.6 HIGH
CVE-2026-50555 — Angular: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripti…

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site S…

angular angularjs angular_language_service | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 26, 2026
7.5 HIGH
CVE-2026-50269 — AIOHTTP: CRLF injection in multipart headers

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to i…

aiohttp | Remote | Injection
Jun 22, 2026 Jun 26, 2026
6.1 MEDIUM
CVE-2026-50184 — Angular: Request Credential & Cache Policy Stripping in Angular Service Worker

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in th…

angular angularjs angular_language_service | Remote | Misconfiguration
Jun 22, 2026 Jun 26, 2026
8.2 HIGH
CVE-2026-50171 — Angular: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Se…

angular angularjs angular_language_service | Remote | Denial of Service
Jun 22, 2026 Jun 26, 2026
8.2 HIGH
CVE-2026-50170 — Angular: Information Leak via Default Caching of Credentialed Requests in HttpTransferCac…

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a vulnerabilit…

angular angularjs angular_language_service | Remote | Information Disclosure
Jun 22, 2026 Jun 30, 2026
6.1 MEDIUM
CVE-2026-50169 — Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the…

angular angularjs angular_language_service | Remote | Misconfiguration
Jun 22, 2026 Jun 26, 2026
8.8 HIGH
CVE-2026-50168 — Angular: URL Parser Differential in @angular/platform-server leading to SSRF Allowlist By…

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in th…

angular angularjs angular_language_service | Remote | Server-Side Request Forgery
Jun 22, 2026 Jun 30, 2026
3.6 LOW
CVE-2026-49356 — Babel: Arbitrary File Read via sourceMappingURL Comment in @babel/core

Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core is affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile…

babel | Information Disclosure
Jun 22, 2026 Jun 26, 2026
7.5 HIGH
CVE-2026-48712 — protobufjs: Denial of service through unbounded Any expansion during JSON conversion

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or…

protobufjs | Remote | Information Disclosure
Jun 22, 2026 Jun 26, 2026
Showing 20 of 7983 Results