Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.1 HIGH
CVE-2026-54290 — Hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the …

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin (the default wildcard), the CORS Middleware refle…

hono | Remote | Misconfiguration
Jun 22, 2026 Jun 22, 2026
Jun 22, 2026
Jun 22, 2026
4.8 MEDIUM
CVE-2026-54289 — Hono: Lambda@Edge adapter keeps only the last value of a repeated request header, droppin…

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several…

hono | Remote | Information Disclosure
Jun 22, 2026 Jun 22, 2026
Jun 22, 2026
Jun 22, 2026
5.3 MEDIUM
CVE-2026-54287 — Hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping co…

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set…

hono | Remote | Misconfiguration
Jun 22, 2026 Jun 22, 2026
Jun 22, 2026
Jun 22, 2026
5.9 MEDIUM
CVE-2026-54286 — Hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Window…

hono | Remote | Path Traversal
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
5.3 MEDIUM
CVE-2026-54285 — opentelemetry-js: Unbounded memory allocation in W3C Baggage propagation

opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract() in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. …

Remote | Information Disclosure
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
7.5 HIGH
CVE-2026-54283 — Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded e…

Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are …

starlette | Remote | Denial of Service
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
5.3 MEDIUM
CVE-2026-54282 — Starlette: Unvalidated request path concatenated into authority poisons request.url.hostn…

Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating…

starlette | Remote | Misconfiguration
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-54280 — AIOHTTP: Payload Response Resources Are Not Closed After Mid-Body Disconnect

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a pa…

aiohttp | Remote | Denial of Service
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-54279 — AIOHTTP: Host-Only Cookies Become Domain Cookies After CookieJar Persistence

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save() and then restored later with CookieJar.load() l…

aiohttp | Remote | Misconfiguration
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-54278 — AIOHTTP: Unread Compressed Request Bodies Bypass client_max_size During Cleanup

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to be decompressed into memory in one chun…

aiohttp | Remote | Denial of Service
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-54277 — AIOHTTP: C HTTP Parser Bypasses max_line_size for Fragmented Lines

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. If using…

aiohttp | Remote | Denial of Service
Jun 22, 2026 Jun 30, 2026
Jun 22, 2026
Jun 30, 2026
6.3 MEDIUM
CVE-2026-54276 — AIOHTTP: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, DigestAuthMiddleware can send an authentication response after following a cross-origin redirect. This…

aiohttp | Remote | Authentication
Jun 22, 2026 Jun 30, 2026
Jun 22, 2026
Jun 30, 2026
7.5 HIGH
CVE-2026-54275 — AIOHTTP: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, the server_hostname TLS SNI check can be bypassed when an existing connection is reused. If an applica…

aiohttp | Remote | Misconfiguration
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-54274 — AIOHTTP: Incomplete websocket frame payloads bypass memory limits

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual…

aiohttp | Remote | Denial of Service
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
7.5 HIGH
CVE-2026-54273 — AIOHTTP: HTTP/1 Pipelined Requests Queue Without Limit

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able…

aiohttp | Remote | Denial of Service
Jun 22, 2026 Jun 26, 2026
Jun 22, 2026
Jun 26, 2026
8.2 HIGH
CVE-2026-54271 — protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.3.2 and 2.5.0, a previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected ve…

protobufjs protobufjs-cli | Remote | Injection
Jun 22, 2026 Jun 24, 2026
Jun 22, 2026
Jun 24, 2026
5.3 MEDIUM
CVE-2026-54270 — protobufjs: Memory amplification from preserved unknown fields in binary decode

protobufjs compiles protobuf definitions into JavaScript (JS) functions. From 8.2.0 to 8.4.2, protobufjs preserved unknown wire elements in message.$unknowns and did not provide a decode-time option …

protobufjs | Remote | Misconfiguration
Jun 22, 2026 Jun 24, 2026
Jun 22, 2026
Jun 24, 2026
5.3 MEDIUM
CVE-2026-54269 — protobufjs: Schema-derived names can shadow runtime-significant properties

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobuf…

protobufjs protobufjs-cli | Remote | Misconfiguration
Jun 22, 2026 Jun 24, 2026
Jun 22, 2026
Jun 24, 2026
5.5 MEDIUM
CVE-2026-53632 — NTLMv2 hash disclosure via UNC path handling on Windows

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path…

vite vite-plus | Remote | Information Disclosure
Jun 22, 2026 Jun 23, 2026
Jun 22, 2026
Jun 23, 2026
8.2 HIGH
CVE-2026-53571 — Vite: `server.fs.deny` bypass on Windows alternate paths

Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s de…

windows vite vite\+ | Remote | Path Traversal
Jun 22, 2026 Jun 24, 2026
Jun 22, 2026
Jun 24, 2026
Showing 20 of 8036 Results