Subscriber Broken Access Control in Bookify <= 1.1.1 versions.
Unauthenticated Cross Site Scripting (XSS) in Eli's WordCents adSense Widget with Analytics <= 1.3.03.27 versions.
Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions.
Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions.
Subscriber Broken Access Control in bunny.net <= 2.3.6 versions.
Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions.
Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions.
markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt(), which performs O(n) slicing and c...
Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS
OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation
Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname
Nest: Middleware Bypass on Fastify via Trailing Slash
python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service
python-multipart: Negative Content-Length in parse_form buffers the entire body in memory
python-multipart: Semicolon treated as querystring field separator enables parameter smuggling
python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow
Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient
tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-49489. Reason: This candidate is a duplicate of CVE-2026-49489. Notes: All CVE users should reference CVE-2026-49489 instead of this candidate.