CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
Vulnerability in http-proxy-middleware from version 0.16.0 to 2.0.10, 3.0.6, and 4.1.0 involves incorrect matching of host+path router entries. The implementation uses unanchored substring matching instead of full matching, allowing an attacker to route requests to an unintended backend via a crafted Host header.
In the piscina library, prior to versions 6.0.0-rc.2, 5.2.0, and 4.9.3, there was a vulnerability related to reading the filename option, which could lead to the execution of malicious code in worker threads.
Hono is a web application framework that prior to version 4.12.25 had a vulnerability in the CORS middleware. With 'credentials: true' and no explicit origin, the middleware reflected the request's origin, allowing any site to make credentialed cross-origin requests.
Vulnerability in Starlette framework from version 0.4.1 to 1.3.1 causes max_fields and max_part_size limits for request.form() to be enforced only for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can send a request body with an arbitrarily large number of fields or an arbitrarily large field, bypassing configured limits.
In the AIOHTTP library before version 3.14.1, payload resources are not properly closed when a client disconnects during a write operation. This can lead to temporary resource exhaustion, such as open file handles, until they are released by garbage collection.
In the AIOHTTP library before version 3.14.1, there is a vulnerability where host-only cookies saved with CookieJar.save() and later restored with CookieJar.load() lose their host-only status.
In the AIOHTTP library before version 3.14.1, a vulnerability was found where a compressed request body could be decompressed into memory in one chunk during cleanup. An attacker can send a specially crafted compressed payload that, after decompression, could lead to server overload (a zip bomb edge case).
In the AIOHTTP library before version 3.14.1, a vulnerability allows bypassing the max_line_size check in HTTP requests when using the optimized C parser. An attacker can send oversized lines, causing excessive memory consumption and potentially leading to a DoS attack.
In the AIOHTTP library before version 3.14.1, a vulnerability was found that allows bypassing the TLS SNI check for the server_hostname parameter when reusing an existing connection. If an application makes multiple requests to the same domain but with different server_hostname values, later calls may incorrectly reuse the previous connection instead of being rejected.
A vulnerability in AIOHTTP before version 3.14.1 allows an attacker to bypass memory limits by sending large incomplete WebSocket frame payloads. This can lead to excessive memory consumption and potential server resource exhaustion.
In the AIOHTTP library before version 3.14.1, there was no limit on the number of pipelined requests that could be queued. An attacker can exploit this to cause excessive memory usage, potentially leading to a DoS attack.
In protobufjs-cli, prior to versions 1.3.2 and 2.5.0, there was an incomplete fix for unsafe name handling in static code generation. Affected versions could emit unsafe JavaScript references when generating static output from crafted JSON descriptor input.
Vite is a frontend tooling framework for JavaScript that, prior to versions 8.0.16, 7.3.5, and 6.4.3, could return the contents of files specified by server.fs.deny to the browser on Windows. Issues with NTFS ADS path normalization allowed unauthorized access to sensitive files.
The vulnerability in Python-Multipart before version 0.0.30 causes quadratic computational complexity when parsing application/x-www-form-urlencoded bodies using semicolons as separators. An attacker can send a small crafted request with many semicolon-separated fields, leading to high CPU usage and potential resource exhaustion.
In the AIOHTTP library before version 3.14.0, a vulnerability allows HTTP header injection through attacker-controlled input included in multipart/payload headers. If an application passes user-controlled strings into `MultipartWriter.append(headers=...)` or `Payload.headers`, an attacker may modify the request to inject headers or change its contents.
A vulnerability was found in Angular's @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache does not inspect the withCredentials flag or Cookie header, causing credentialed user-specific responses to be cached in the shared TransferState. This can leak private data across users via caching layers like CDN or reverse proxy.
A vulnerability in the @angular/platform-server package allows attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This issue arises from a parser differential between the strict WHATWG URL parser and the lenient Domino parser, enabling an SSRF attack.
A vulnerability in protobufjs before versions 7.6.1 and 8.4.1 allows exhaustion of the JavaScript call stack when converting decoded protobuf messages to objects or JSON. The issue stems from the lack of a depth limit for recursion when processing nested Any values.
The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion.
IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to remote code execution and denial of service when using Intelligent Management with the WebSphere WebServer Plug-in component. An attacker can exploit this vulnerability by impersonating backend servers and sending crafted responses to the plug-in.

