Recent Advisories

Severity ID Title Vendor Product Date Type
HIGH 8.1 CVE-2026-55388

piscina: Prototype Pollution Gadget → RCE via inherited options.filename

piscina is a Node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run() paths read the filename opt...

piscinajs piscina < 4.9.3 CVE
HIGH 7.1 CVE-2026-54290

Hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit orig...

honojs hono < 4.12.25 CVE
HIGH 7.5 CVE-2026-54283

Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS

Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource co...

Kludex starlette >= 0.4.1, < 1.3.1 CVE
HIGH 8.2 CVE-2026-54271

protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.3.2 and 2.5.0, a previous fix for unsafe name handling in pbjs static / stati...

protobufjs protobufjs-cli < 1.3.2 CVE
HIGH 8.2 CVE-2026-53571

Vite: `server.fs.deny` bypass on Windows alternate paths

Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny ...

vitejs vite >= 8.0.0, < 8.0.16 CVE
HIGH 7.5 CVE-2026-53539

Python-Multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringPar...

Kludex python-multipart < 0.0.30 CVE
HIGH 8.6 CVE-2026-50556

Angular: Missing `

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0...

angular angular >= 22.0.0-next.0, < 22.0.0-rc.2 CVE
HIGH 8.6 CVE-2026-50555

Angular: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) in @angular/platform-server

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0...

angular angular >= 22.0.0-next.0, < 22.0.0-rc.2 CVE
HIGH 8.2 CVE-2026-50171

Angular: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0...

angular angular >= 22.0.0-next.0, < 22.0.0-rc.2 CVE
HIGH 8.2 CVE-2026-50170

Angular: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0...

angular angular >= 22.0.0-next.0, < 22.0.0-rc.2 CVE