Recent Advisories

Severity ID Title Vendor Product Date Type
MEDIUM 5.3 CVE-2026-54269

protobufjs: Schema-derived names can shadow runtime-significant properties_CVE-2026-54269

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names...

protobufjs protobuf.js < 7.6.3 CVE
MEDIUM 5.5 CVE-2026-53632

NTLMv2 hash disclosure via UNC path handling on Windows_CVE-2026-53632

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrar...

vitejs launch-editor < 2.14.1 CVE
HIGH 8.2 CVE-2026-53571

Vite: `server.fs.deny` bypass on Windows alternate paths_CVE-2026-53571

Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny ...

vitejs vite >= 8.0.0, < 8.0.16 CVE
LOW 3.7 CVE-2026-53540

Python-Multipart: Negative Content-Length in parse_form buffers the entire body in memory_CVE-2026-53540

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using ...

Kludex python-multipart < 0.0.31 CVE
HIGH 7.5 CVE-2026-53539

Python-Multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service_CVE-2026-53539

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringPar...

Kludex python-multipart < 0.0.30 CVE
LOW 3.7 CVE-2026-53538

Python-Multipart: Semicolon treated as querystring field separator enables parameter smuggling_CVE-2026-53538

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www...

Kludex python-multipart < 0.0.30 CVE
LOW 3.7 CVE-2026-53537

Python-Multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters_CVE-2026-53537

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) he...

Kludex python-multipart < 0.0.30 CVE
HIGH 8.6 CVE-2026-50556

Angular: Missing `

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0...

angular angular >= 22.0.0-next.0, < 22.0.0-rc.2 CVE
HIGH 8.6 CVE-2026-50555

Angular: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) in @angular/platform-server_CVE-2026-50555

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0...

angular angular >= 22.0.0-next.0, < 22.0.0-rc.2 CVE
LOW 2.7 CVE-2026-50269

AIOHTTP: CRLF injection in multipart headers_CVE-2026-50269

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/...

aio-libs aiohttp < 3.14.0 CVE