CWE-436
Interpretation Conflict
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
CVE-2026-42272 (GCVE-0-2026-42272)
Vulnerability from cvelistv5 – Published: 2026-05-08 03:40 – Updated: 2026-05-08 23:12| URL | Tags |
|---|---|
| https://github.com/dadrus/heimdall/security/advis… | x_refsource_CONFIRM |
| https://github.com/dadrus/heimdall/pull/3207 | x_refsource_MISC |
| https://github.com/dadrus/heimdall/commit/8b0de6a… | x_refsource_MISC |
| https://github.com/dadrus/heimdall/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42272",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T23:12:19.653095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T23:12:35.366Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "heimdall",
"vendor": "dadrus",
"versions": [
{
"status": "affected",
"version": "\u003c 0.17.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178: Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T03:40:17.541Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dadrus/heimdall/security/advisories/GHSA-43jv-5j4x-qv67",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dadrus/heimdall/security/advisories/GHSA-43jv-5j4x-qv67"
},
{
"name": "https://github.com/dadrus/heimdall/pull/3207",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dadrus/heimdall/pull/3207"
},
{
"name": "https://github.com/dadrus/heimdall/commit/8b0de6aba23a047cfee3081df878271bb17f4351",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dadrus/heimdall/commit/8b0de6aba23a047cfee3081df878271bb17f4351"
},
{
"name": "https://github.com/dadrus/heimdall/releases/tag/v0.17.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dadrus/heimdall/releases/tag/v0.17.14"
}
],
"source": {
"advisory": "GHSA-43jv-5j4x-qv67",
"discovery": "UNKNOWN"
},
"title": "Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42272",
"datePublished": "2026-05-08T03:40:17.541Z",
"dateReserved": "2026-04-26T11:53:27.707Z",
"dateUpdated": "2026-05-08T23:12:35.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42273 (GCVE-0-2026-42273)
Vulnerability from cvelistv5 – Published: 2026-05-08 03:42 – Updated: 2026-05-08 10:40| URL | Tags |
|---|---|
| https://github.com/dadrus/heimdall/security/advis… | x_refsource_CONFIRM |
| https://github.com/dadrus/heimdall/pull/3208 | x_refsource_MISC |
| https://github.com/dadrus/heimdall/commit/3d05e56… | x_refsource_MISC |
| https://github.com/dadrus/heimdall/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42273",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T10:40:38.505776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T10:40:56.541Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "heimdall",
"vendor": "dadrus",
"versions": [
{
"status": "affected",
"version": "\u003c 0.17.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host that differs only in letter casing, potentially causing the request to be classified differently than intended. This issue has been patched in version 0.17.14."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178: Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T03:42:50.312Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dadrus/heimdall/security/advisories/GHSA-72h4-mxfc-jx37",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dadrus/heimdall/security/advisories/GHSA-72h4-mxfc-jx37"
},
{
"name": "https://github.com/dadrus/heimdall/pull/3208",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dadrus/heimdall/pull/3208"
},
{
"name": "https://github.com/dadrus/heimdall/commit/3d05e56a9e7ef0355f17482b4322054af4e85943",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dadrus/heimdall/commit/3d05e56a9e7ef0355f17482b4322054af4e85943"
},
{
"name": "https://github.com/dadrus/heimdall/releases/tag/v0.17.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dadrus/heimdall/releases/tag/v0.17.14"
}
],
"source": {
"advisory": "GHSA-72h4-mxfc-jx37",
"discovery": "UNKNOWN"
},
"title": "Heimdall: Case-sensitive host matching may lead to policy bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42273",
"datePublished": "2026-05-08T03:42:50.312Z",
"dateReserved": "2026-04-26T11:53:27.707Z",
"dateUpdated": "2026-05-08T10:40:56.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42274 (GCVE-0-2026-42274)
Vulnerability from cvelistv5 – Published: 2026-05-08 03:43 – Updated: 2026-05-11 18:20| URL | Tags |
|---|---|
| https://github.com/dadrus/heimdall/security/advis… | x_refsource_CONFIRM |
| https://github.com/dadrus/heimdall/pull/3209 | x_refsource_MISC |
| https://github.com/dadrus/heimdall/commit/b5dfa48… | x_refsource_MISC |
| https://github.com/dadrus/heimdall/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42274",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:19:37.764124Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:20:15.059Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "heimdall",
"vendor": "dadrus",
"versions": [
{
"status": "affected",
"version": "\u003c 0.17.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin. The latter would require the allow_encoded_slashes option to be set to on or no_decode.) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-35",
"description": "CWE-35: Path Traversal: \u0027.../...//\u0027",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T03:43:41.597Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dadrus/heimdall/security/advisories/GHSA-3q34-rx83-r6mq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dadrus/heimdall/security/advisories/GHSA-3q34-rx83-r6mq"
},
{
"name": "https://github.com/dadrus/heimdall/pull/3209",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dadrus/heimdall/pull/3209"
},
{
"name": "https://github.com/dadrus/heimdall/commit/b5dfa484b7a8c2ce6d8691c026f9da867719947a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dadrus/heimdall/commit/b5dfa484b7a8c2ce6d8691c026f9da867719947a"
},
{
"name": "https://github.com/dadrus/heimdall/releases/tag/v0.17.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dadrus/heimdall/releases/tag/v0.17.14"
}
],
"source": {
"advisory": "GHSA-3q34-rx83-r6mq",
"discovery": "UNKNOWN"
},
"title": "Heimdall: Authorization bypass via path normalization mismatch"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42274",
"datePublished": "2026-05-08T03:43:41.597Z",
"dateReserved": "2026-04-26T11:53:27.707Z",
"dateUpdated": "2026-05-11T18:20:15.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42462 (GCVE-0-2026-42462)
Vulnerability from cvelistv5 – Published: 2026-06-10 20:22 – Updated: 2026-06-11 13:34| URL | Tags |
|---|---|
| https://github.com/fedify-dev/fedify/security/adv… | x_refsource_CONFIRM |
| https://github.com/fedify-dev/fedify/releases/tag/2.2.3 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| fedify-dev | fedify |
Affected:
>= 2.2.0, < 2.2.3
Affected: >= 2.1.0, < 2.1.14 Affected: >= 2.0.0, < 2.0.18 Affected: >= 1.10.0, < 1.10.10 Affected: < 1.9.11 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42462",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T13:31:40.827057Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T13:34:03.443Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fedify",
"vendor": "fedify-dev",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.2.0, \u003c 2.2.3"
},
{
"status": "affected",
"version": "\u003e= 2.1.0, \u003c 2.1.14"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.0.18"
},
{
"status": "affected",
"version": "\u003e= 1.10.0, \u003c 1.10.10"
},
{
"status": "affected",
"version": "\u003c 1.9.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-180",
"description": "CWE-180: Incorrect Behavior Order: Validate Before Canonicalize",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T20:22:35.383Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-9rfg-v8g9-9367",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-9rfg-v8g9-9367"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/2.2.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/2.2.3"
}
],
"source": {
"advisory": "GHSA-9rfg-v8g9-9367",
"discovery": "UNKNOWN"
},
"title": "Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42462",
"datePublished": "2026-06-10T20:22:35.383Z",
"dateReserved": "2026-04-27T13:55:58.694Z",
"dateUpdated": "2026-06-11T13:34:03.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42551 (GCVE-0-2026-42551)
Vulnerability from cvelistv5 – Published: 2026-05-13 19:23 – Updated: 2026-05-14 12:49- CWE-436 - Interpretation Conflict
| URL | Tags |
|---|---|
| https://github.com/flightphp/core/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42551",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T12:49:44.246541Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:49:48.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/flightphp/core/security/advisories/GHSA-vxrr-w42w-w76g"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "flightphp",
"versions": [
{
"status": "affected",
"version": "\u003c 3.18.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST[\u0027_method\u0027] parameter on any HTTP verb (including safe verbs such as GET), with no opt-in and no whitelist of permitted target methods. A GET request can silently become a DELETE or PUT, enabling CSRF escalation against destructive endpoints, bypass of middleware gated on unsafe verbs, and cache poisoning between CDN and origin. This vulnerability is fixed in 3.18.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T19:23:27.314Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/flightphp/core/security/advisories/GHSA-vxrr-w42w-w76g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/flightphp/core/security/advisories/GHSA-vxrr-w42w-w76g"
}
],
"source": {
"advisory": "GHSA-vxrr-w42w-w76g",
"discovery": "UNKNOWN"
},
"title": "Flight: HTTP method override enabled by default enables CSRF escalation and middleware bypass in flightphp/core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42551",
"datePublished": "2026-05-13T19:23:27.314Z",
"dateReserved": "2026-04-28T16:56:50.191Z",
"dateUpdated": "2026-05-14T12:49:48.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44576 (GCVE-0-2026-44576)
Vulnerability from cvelistv5 – Published: 2026-05-13 16:57 – Updated: 2026-05-18 13:45- CWE-436 - Interpretation Conflict
| URL | Tags |
|---|---|
| https://github.com/vercel/next.js/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44576",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T13:45:23.886970Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T13:45:59.133Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "next.js",
"vendor": "vercel",
"versions": [
{
"status": "affected",
"version": "\u003e= 14.2.0, \u003c 15.5.16"
},
{
"status": "affected",
"version": "\u003e= 16.0.0, \u003c 16.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML. This vulnerability is fixed in 15.5.16 and 16.2.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T16:57:43.016Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7"
}
],
"source": {
"advisory": "GHSA-wfc6-r584-vfw7",
"discovery": "UNKNOWN"
},
"title": "Next.js: Cache poisoning in React Server Component responses"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44576",
"datePublished": "2026-05-13T16:57:10.923Z",
"dateReserved": "2026-05-06T21:49:12.424Z",
"dateUpdated": "2026-05-18T13:45:59.133Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47076 (GCVE-0-2026-47076)
Vulnerability from cvelistv5 – Published: 2026-05-25 14:00 – Updated: 2026-05-27 15:41| URL | Tags |
|---|---|
| https://github.com/benoitc/hackney/security/advis… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-47076.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-47076 | related |
| https://github.com/benoitc/hackney/commit/452620a… | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47076",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T15:46:49.956392Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T15:46:52.424Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/benoitc/hackney/security/advisories/GHSA-pj7v-xfvx-wmjq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"hackney_url"
],
"packageName": "hackney",
"packageURL": "pkg:hex/hackney",
"product": "hackney",
"programFiles": [
"src/hackney_url.erl"
],
"programRoutines": [
{
"name": "hackney_url:normalize/2"
}
],
"repo": "https://github.com/benoitc/hackney",
"vendor": "benoitc",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "0.13.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"hackney_url"
],
"packageName": "benoitc/hackney",
"packageURL": "pkg:github/benoitc/hackney",
"product": "hackney",
"programFiles": [
"src/hackney_url.erl"
],
"programRoutines": [
{
"name": "hackney_url:normalize/2"
}
],
"repo": "https://github.com/benoitc/hackney",
"vendor": "benoitc",
"versions": [
{
"lessThan": "452620a92ec1da2e6b4862a049a2a4f04b42068f",
"status": "affected",
"version": "4d725507588942fd00efca15b86da3273656510a",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.0.1",
"versionStartIncluding": "0.13.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ganbagana"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benoit Chesneau"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery.\u003cp\u003e\u003ctt\u003ehackney_url:normalize/2\u003c/tt\u003e URL-decodes the host component after the URL has been parsed into a \u003ctt\u003e#hackney_url{}\u003c/tt\u003e record. OTP\u0027s \u003ctt\u003euri_string:parse/1\u003c/tt\u003e and \u003ctt\u003einet:parse_address/1\u003c/tt\u003e do not decode percent-escapes in the host, so a URL such as \u003ctt\u003ehttp://%31%32%37%2E%30%2E%30%2E%31/\u003c/tt\u003e is seen by a caller\u0027s allowlist validator with host \u003ctt\u003e%31%32%37%2E%30%2E%30%2E%31\u003c/tt\u003e (not an IP address), which passes the allowlist check. hackney\u0027s normalizer then decodes the host to \u003ctt\u003e127.0.0.1\u003c/tt\u003e and opens a TCP connection to loopback. Because \u003ctt\u003ehackney:request/5\u003c/tt\u003e always calls \u003ctt\u003ehackney_url:normalize/2\u003c/tt\u003e with no opt-out, every request that takes a binary or list URL is affected. The same technique reaches cloud instance metadata services (169.254.169.254), RFC1918 networks, and any admin interface listening on localhost.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 0.13.0 before 4.0.1.\u003c/p\u003e"
}
],
"value": "Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney_url{} record. OTP\u0027s uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so a URL such as http://%31%32%37%2E%30%2E%30%2E%31/ is seen by a caller\u0027s allowlist validator with host %31%32%37%2E%30%2E%30%2E%31 (not an IP address), which passes the allowlist check. hackney\u0027s normalizer then decodes the host to 127.0.0.1 and opens a TCP connection to loopback. Because hackney:request/5 always calls hackney_url:normalize/2 with no opt-out, every request that takes a binary or list URL is affected. The same technique reaches cloud instance metadata services (169.254.169.254), RFC1918 networks, and any admin interface listening on localhost.\n\nThis issue affects hackney: from 0.13.0 before 4.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436 Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:41:17.845Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/benoitc/hackney/security/advisories/GHSA-pj7v-xfvx-wmjq"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-47076.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-47076"
},
{
"tags": [
"patch"
],
"url": "https://github.com/benoitc/hackney/commit/452620a92ec1da2e6b4862a049a2a4f04b42068f"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SSRF allowlist bypass via percent-encoded host in hackney",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-47076",
"datePublished": "2026-05-25T14:00:46.707Z",
"dateReserved": "2026-05-18T17:28:10.319Z",
"dateUpdated": "2026-05-27T15:41:17.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47344 (GCVE-0-2026-47344)
Vulnerability from cvelistv5 – Published: 2026-06-08 19:03 – Updated: 2026-06-08 19:50| URL | Tags |
|---|---|
| https://typo3.org/security/advisory/typo3-core-sa… | vendor-advisory |
| https://github.com/TYPO3/html-sanitizer/commit/bd… | patch |
| Vendor | Product | Version | |
|---|---|---|---|
| TYPO3 | HTML Sanitizer |
Affected:
0 , < 2.3.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47344",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T19:50:27.408977Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T19:50:47.479Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://packagist.org",
"defaultStatus": "unaffected",
"packageName": "typo3/html-sanitizer",
"product": "HTML Sanitizer",
"repo": "https://github.com/TYPO3/html-sanitizer",
"vendor": "TYPO3",
"versions": [
{
"lessThan": "2.3.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:typo3:html_sanitizer:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "IPC Labs"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Oliver Hader"
}
],
"datePublic": "2026-06-08T20:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When \u003ccode\u003eALLOW_INSECURE_RAW_TEXT\u003c/code\u003e is enabled, whitespace-variant closing tags (e.g., \u003ccode\u003e\u0026lt;/style\\t\u0026gt;\u003c/code\u003e) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of \u003ccode\u003etypo3/html-sanitizer\u003c/code\u003e before version 2.3.2."
}
],
"value": "When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., \u003c/style\\t\u003e) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436 Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T19:03:19.826Z",
"orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
"shortName": "TYPO3"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://typo3.org/security/advisory/typo3-core-sa-2026-006"
},
{
"tags": [
"patch"
],
"url": "https://github.com/TYPO3/html-sanitizer/commit/bd1a88d9b5a5f67f1120ec41084e9c1a0675641c"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TYPO3 HTML Sanitizer allows Cross-Site Scripting",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
"assignerShortName": "TYPO3",
"cveId": "CVE-2026-47344",
"datePublished": "2026-06-08T19:03:19.826Z",
"dateReserved": "2026-05-19T12:49:25.966Z",
"dateUpdated": "2026-06-08T19:50:47.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48788 (GCVE-0-2026-48788)
Vulnerability from cvelistv5 – Published: 2026-06-16 22:29 – Updated: 2026-06-17 13:20| URL | Tags |
|---|---|
| https://github.com/umputun/remark42/security/advi… | x_refsource_CONFIRM |
| https://github.com/umputun/remark42/commit/78d6de… | x_refsource_MISC |
| https://github.com/umputun/remark42/releases/tag/… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48788",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T13:19:50.596883Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T13:20:11.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/umputun/remark42/security/advisories/GHSA-4c8j-mgm4-qqvp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "remark42",
"vendor": "umputun",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.6.0, \u003c 1.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability exploitable through content-type spoofing. The Remark42 image proxy fetches an arbitrary remote URL and re-serves the response from Remark42\u0027s own origin. During the download phase, the proxy determines whether the resource is an image by inspecting only the Content-Type header advertised by the remote server, never examining the actual bytes; during the serving phase, it instead derives the response Content-Type by sniffing those bytes with http.DetectContentType. An attacker can exploit this inconsistency by hosting a URL that advertises Content-Type: image/png while returning an HTML/JavaScript body: the download check accepts it as an image, the serving path sniffs the body and emits Content-Type: text/html, and the browser renders the attacker-controlled HTML/JavaScript as a document within Remark42\u0027s origin. Exploitation requires no Remark42 account on the target instance; the attacker only needs to host the malicious upstream URL and deliver the proxy link to a victim by any means, such as email, direct message, or a link on another website. This issue has been fixed in version 1.16.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T22:29:38.877Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/umputun/remark42/security/advisories/GHSA-4c8j-mgm4-qqvp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/umputun/remark42/security/advisories/GHSA-4c8j-mgm4-qqvp"
},
{
"name": "https://github.com/umputun/remark42/commit/78d6de6bce1e961f023969da3ec8a00dd80c9ae8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/umputun/remark42/commit/78d6de6bce1e961f023969da3ec8a00dd80c9ae8"
},
{
"name": "https://github.com/umputun/remark42/releases/tag/v1.16.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/umputun/remark42/releases/tag/v1.16.0"
}
],
"source": {
"advisory": "GHSA-4c8j-mgm4-qqvp",
"discovery": "UNKNOWN"
},
"title": "Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48788",
"datePublished": "2026-06-16T22:29:38.877Z",
"dateReserved": "2026-05-22T20:18:20.365Z",
"dateUpdated": "2026-06-17T13:20:11.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53537 (GCVE-0-2026-53537)
Vulnerability from cvelistv5 – Published: 2026-06-22 16:57 – Updated: 2026-06-23 16:08| URL | Tags |
|---|---|
| https://github.com/Kludex/python-multipart/securi… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| Kludex | python-multipart |
Affected:
< 0.0.30
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53537",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T16:03:15.384645Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T16:08:07.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "python-multipart",
"vendor": "Kludex",
"versions": [
{
"status": "affected",
"version": "\u003c 0.0.30"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset\u0027lang\u0027value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 \u00a74.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:57:21.496Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-vffw-93wf-4j4q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-vffw-93wf-4j4q"
}
],
"source": {
"advisory": "GHSA-vffw-93wf-4j4q",
"discovery": "UNKNOWN"
},
"title": "Python-Multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53537",
"datePublished": "2026-06-22T16:57:21.496Z",
"dateReserved": "2026-06-09T18:13:07.262Z",
"dateUpdated": "2026-06-23T16:08:07.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
No mitigation information available for this CWE.
CAPEC-105: HTTP Request Splitting
['An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).', 'See CanPrecede relationships for possible consequences.']
CAPEC-273: HTTP Response Smuggling
['An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).', 'See CanPrecede relationships for possible consequences.']
CAPEC-34: HTTP Response Splitting
['An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site.', 'See CanPrecede relationships for possible consequences.']