CVE - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
MEDIUM 4.8	CVE-2026-54289	Hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest_CVE-2026-54289 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda@Edge, CloudFront delivers a r...	honojs	hono < 4.12.25	Jun 22, 2026	CVE
MEDIUM 5.3	CVE-2026-54287	Hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice_CVE-2026-54287 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header respon...	honojs	hono < 4.12.25	Jun 22, 2026	CVE
MEDIUM 5.9	CVE-2026-54286	Hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)_CVE-2026-54286 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash (%5C...	honojs	hono < 4.12.25	Jun 22, 2026	CVE
MEDIUM 5.3	CVE-2026-54285	opentelemetry-js: Unbounded memory allocation in W3C Baggage propagation_CVE-2026-54285 opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract() in @opentelemetry/core does not enforce siz...	open-telemetry	opentelemetry-js < 2.8.0	Jun 22, 2026	CVE
HIGH 7.5	CVE-2026-54283	Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS_CVE-2026-54283 Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource co...	Kludex	starlette >= 0.4.1, < 1.3.1	Jun 22, 2026	CVE
LOW 3.7	CVE-2026-54282	Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname_CVE-2026-54282 Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request....	Kludex	starlette < 1.3.0	Jun 22, 2026	CVE
LOW 1.7	CVE-2026-54280	AIOHTTP: Payload Response Resources Are Not Closed After Mid-Body Disconnect_CVE-2026-54280 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a ...	aio-libs	aiohttp < 3.14.1	Jun 22, 2026	CVE
LOW 1.3	CVE-2026-54279	AIOHTTP: Host-Only Cookies Become Domain Cookies After CookieJar Persistence_CVE-2026-54279 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.sa...	aio-libs	aiohttp < 3.14.1	Jun 22, 2026	CVE
MEDIUM 6.6	CVE-2026-54278	AIOHTTP: Unread Compressed Request Bodies Bypass client_max_size During Cleanup_CVE-2026-54278 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed req...	aio-libs	aiohttp < 3.14.1	Jun 22, 2026	CVE
MEDIUM 6.6	CVE-2026-54277	AIOHTTP: C HTTP Parser Bypasses max_line_size for Fragmented Lines_CVE-2026-54277 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the max_line_size check i...	aio-libs	aiohttp < 3.14.1	Jun 22, 2026	CVE