Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions.
Subscriber Broken Access Control in bunny.net <= 2.3.6 versions.
Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions.
Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions.
markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS
OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation
Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname
Nest: Middleware Bypass on Fastify via Trailing Slash
python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service
python-multipart: Negative Content-Length in parse_form buffers the entire body in memory
python-multipart: Semicolon treated as querystring field separator enables parameter smuggling
python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow
Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient
tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-49489. Reason: This candidate is a duplicate of CVE-2026-49489. Notes: All CVE users should reference CVE-2026-49489 instead of this candidate.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-12075. Reason: This candidate is a duplicate of CVE-2026-12075. Notes: All CVE users should reference CVE-2026-12075 instead of this candidate.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-12061. Reason: This candidate is a duplicate of CVE-2026-12061. Notes: All CVE users should reference CVE-2026-12061 instead of this candidate.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-12072. Reason: This candidate is a duplicate of CVE-2026-12072. Notes: All CVE users should reference CVE-2026-12072 instead of this candidate.