| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-54271 | hig | 0.38 | — | 0.00 | Jun 15, 2026 | ## Summary A previous fix for unsafe name handling in `pbjs` static / static-module code generation was incomplete. Affected versions of `protobufjs-cli` could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common… | ||
| CVE-2026-54270 | 0.00 | — | 0.00 | Jun 15, 2026 | ## Summary protobufjs 8.2.0 added support for preserving unknown fields encountered during binary decode. Affected versions preserved unknown wire elements in `message.$unknowns` and did not provide a decode-time option to discard unknown fields before retaining them. A… | |||
| CVE-2026-54274 | 0.00 | — | 0.00 | Jun 15, 2026 | ### Summary If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. ### Impact If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive… | |||
| CVE-2026-54275 | low | 0.00 | — | 0.00 | Jun 15, 2026 | ### Summary The `server_hostname` TLS SNI check can be bypassed when an existing connection is reused. ### Impact If an application makes multiple requests to the same domain, but with different per-request `server_hostname` parameters, then the later calls may succeed by… | ||
| CVE-2026-54280 | low | 0.00 | — | 0.00 | Jun 15, 2026 | ### Summary Payload resources are not closed correctly when a client disconnects in the middle of a write. ### Impact If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection… | ||
| CVE-2026-54273 | 0.00 | — | 0.00 | Jun 15, 2026 | ### Summary No limit was present on the number of pipelined requests that could be queued. ### Impact An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. ----- Patch: https://github.com/aio-libs/aiohttp/commit/dfd… | |||
| CVE-2026-54278 | 0.00 | — | 0.00 | Jun 15, 2026 | ### Summary During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. ### Impact An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a… | |||
| CVE-2026-54277 | 0.00 | — | 0.00 | Jun 15, 2026 | ### Summary It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. ### Impact If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an… | |||
| CVE-2026-54276 | 0.00 | — | 0.00 | Jun 15, 2026 | ### Summary ``DigestAuthMiddleware`` can send an authentication response after following a cross-origin redirect. ### Impact If the client follows a redirect (the default option) to an attacker controlled domain, the attacker may be able to extract the auth digest. This… | |||
| CVE-2026-54279 | low | 0.00 | — | 0.00 | Jun 15, 2026 | ### Summary Host-only cookies that are saved with ``CookieJar.save()`` and then restored later with ``CookieJar.load()`` lose their host-only status. ### Impact Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been… | ||
| CVE-2026-50269 | low | 0.00 | — | 0.00 | Jun 15, 2026 | ### Summary Attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. ### Impact In the unlikely situation that an application is passing user-controlled strings into… | ||
| CVE-2026-53663 | low | 0.00 | — | 0.00 | Jun 15, 2026 | Certain CSRF checks in React Router v7 [Framework Mode]() were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the… | ||
| CVE-2026-53633 | cri | 0.52 | — | 0.01 | Jun 15, 2026 | ## Summary Vitest Browser Mode exposes a `cdp()` API that forwards raw Chrome DevTools Protocol (CDP) methods over the Vitest browser WebSocket RPC. CDP is not gated by `browser.api.allowWrite`, `browser.api.allowExec`, `api.allowWrite`, or `api.allowExec`. As a result,… | ||
| CVE-2026-49978 | 0.00 | — | 0.00 | Jun 15, 2026 | If the HTML you give it contains a element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript:… | |||
| CVE-2026-49458 | 0.00 | — | 0.00 | Jun 15, 2026 | # Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks **CWE**: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — realm-bound `instanceof` checks fail-open… | |||
| CVE-2026-49459 | 0.00 | — | 0.00 | Jun 15, 2026 | # IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM **CWE**: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — silent no-op when `_forceRemove`… | |||
| CVE-2026-8358 | Med | 0.35 | — | 0.00 | Jun 15, 2026 | LibreOffice Calc can import tracked changes from a spreadsheet document. A heap buffer overflow existed when a document reused the same change identifier for two different kinds of change. The importer then treated one change object as a different, larger type and wrote past the… | ||
| CVE-2026-8357 | Med | 0.35 | — | 0.00 | Jun 15, 2026 | LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula… | ||
| CVE-2026-8356 | Med | 0.35 | — | 0.00 | Jun 15, 2026 | LibreOffice can import presentations in the legacy binary PPT format. A stack buffer overflow existed when importing a colour-replacement record. Two fixed-size colour tables were filled from the file, but the write position was not reset between the two passes over the record,… | ||
| CVE-2026-6047 | Med | 0.35 | — | 0.00 | Jun 15, 2026 | LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type's field layout, but it could be a smaller object,… | ||
| CVE-2026-6045 | Med | 0.35 | — | 0.00 | Jun 15, 2026 | LibreOffice can import EMF+ graphics, which may be embedded in documents. A heap buffer overflow existed when importing an EMF+ gradient brush. The number of gradient blend points was read from the file and used to compute an allocation size, but that multiplication could… | ||
| CVE-2026-6040 | Med | 0.35 | — | 0.00 | Jun 15, 2026 | A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that… | ||
| CVE-2026-6039 | Med | 0.35 | — | 0.00 | Jun 15, 2026 | LibreOffice can import drawings in the DXF format used by CAD software. A heap buffer overflow existed when importing a DXF polyline. The point count taken from the file was truncated to a 16-bit value when the point buffer was sized, while the full count was used to fill it, so… | ||
| CVE-2026-49294 | Med | 0.40 | 6.1 | 0.00 | Jun 15, 2026 | Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter. When a request specifies… | ||
| CVE-2026-47777 | Hig | 0.42 | 7.5 | 0.00 | Jun 15, 2026 | Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could… | ||
| CVE-2026-20262 | Med | 0.54 | 6.5 | 0.08 | KEV | Jun 15, 2026 | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability exists because the affected software does… | |
| CVE-2026-48712 | hig | 0.38 | — | 0.00 | Jun 15, 2026 | ## Summary protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated `toObject()` conversion and the custom `google.protobuf.Any` JSON conversion path. A crafted protobuf binary payload containing deeply… | ||
| CVE-2026-54269 | 0.00 | — | 0.00 | Jun 15, 2026 | ## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection… | |||
| CVE-2026-54264 | hig | 0.39 | — | 0.00 | Jun 15, 2026 | An information disclosure vulnerability exists in the `@angular/service-worker` package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker… | ||
| CVE-2026-54268 | hig | 0.39 | — | 0.00 | Jun 15, 2026 | A Denial of Service (DoS) vulnerability exists in the `@angular/common` package of the Angular framework. The `formatDate` function, which is also utilized by the standard Angular `DatePipe`, does not properly limit or validate the length of the `format` parameter. When… | ||
| CVE-2026-54266 | hig | 0.39 | — | 0.00 | Jun 15, 2026 | Angular's `HttpTransferCache` caches HTTP requests made during Server-Side Rendering (SSR) so that they can be reused during client-side hydration. This avoids repeating the same HTTP requests on the client. The cached responses are stored in `TransferState` using a cache key… | ||
| CVE-2026-54265 | 0.00 | — | 0.00 | Jun 15, 2026 | An issue in the `@angular/compiler` package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as `innerHTML`, `srcdoc`, `src`, `href`, `data`, or `sandbox`) is bound… | |||
| CVE-2026-50557 | 0.00 | — | 0.00 | Jun 15, 2026 | An issue in the `@angular/compiler` and `@angular/core` packages allows bypassing element and attribute sanitization/validation through specific namespace workarounds. Specifically, namespaced script elements (e.g., `<svg:script>` or `<:svg:script>`) were not properly… | |||
| CVE-2026-50556 | hig | 0.38 | — | 0.00 | Jun 15, 2026 | A Cross-Site Scripting (XSS) vulnerability exists in `@angular/platform-server`'s DOM emulation dependency (`domino`) when serializing the content of `` elements. When rendering dynamic text content inside a `` element via template bindings (such as `{{… | ||
| CVE-2026-50555 | hig | 0.38 | — | 0.00 | Jun 15, 2026 | A Cross-Site Scripting (XSS) vulnerability exists in `@angular/platform-server`'s DOM emulation dependency (`domino`) when serializing the content of raw-text elements (such as ``, ``, and ``). `domino` supports escaping raw-text elements during… | ||
| CVE-2026-53655 | 0.00 | — | 0.00 | Jun 15, 2026 | ### Summary `tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX overrides) to the **next header entry of any type**, including intermediary metadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per POSIX pax, a PAX extended header… | |||
| CVE-2026-53632 | 0.00 | — | 0.00 | Jun 15, 2026 | ### Summary The `launch-editor` NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled… | |||
| CVE-2026-53571 | hig | 0.38 | — | 0.00 | Jun 15, 2026 | ### Summary The contents of files that are specified by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser on Windows. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite… | ||
| CVE-2026-53550 | 0.00 | — | 0.00 | Jun 15, 2026 | ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event… | |||
| CVE-2026-49356 | low | 0.00 | — | 0.00 | Jun 15, 2026 | ## Impact Using `@babel/core` to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are _all_ true: - the attacker controls the input source code - the attacker can read the output source code… | ||
| CVE-2026-50184 | 0.00 | — | 0.00 | Jun 15, 2026 | An issue in the `@angular/service-worker` package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new `Request` object using an internal… | |||
| CVE-2026-50171 | hig | 0.38 | — | 0.00 | Jun 15, 2026 | A Denial of Service (DoS) vulnerability exists in the `@angular/common` package of Angular. The `formatNumber` function, which is also utilized by `DecimalPipe`, `PercentPipe`, and `CurrencyPipe`, does not properly validate the upper bounds of the `digitsInfo` parameter.… | ||
| CVE-2026-50170 | hig | 0.38 | — | 0.00 | Jun 15, 2026 | A vulnerability was discovered in `@angular/common` when Server-Side Rendering (SSR) and hydration are enabled. The `HttpTransferCache` utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side… | ||
| CVE-2026-52725 | 0.00 | — | 0.00 | Jun 15, 2026 | An issue in the `@angular/core` package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism (`createComponent`) failed to reject mounting components directly onto a `` or… | |||
| CVE-2026-50169 | 0.00 | — | 0.00 | Jun 15, 2026 | An issue in the `@angular/service-worker` package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new `Request` object using an internal… | |||
| CVE-2026-50168 | hig | 0.38 | — | 0.00 | Jun 15, 2026 | An issue in the `@angular/platform-server` package allows remote attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This occurs due to a parser differential between the strict WHATWG URL parser used for… | ||
| CVE-2026-48779 | hig | 0.39 | — | 0.01 | Jun 15, 2026 | ### Impact A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit,… | ||
| CVE-2026-9863 | Hig | 0.49 | 7.5 | 0.01 | Jun 15, 2026 | Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be… | ||
| CVE-2026-9862 | Cri | 0.64 | 9.8 | 0.01 | Jun 15, 2026 | Fortra's Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to cause commands to be executed with the privileges of the service during the… | ||
| CVE-2026-9595 | Med | 0.27 | 5.3 | 0.00 | Jun 15, 2026 | Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev… |
- risk 0.38cvss —epss 0.00
## Summary A previous fix for unsafe name handling in `pbjs` static / static-module code generation was incomplete. Affected versions of `protobufjs-cli` could still emit unsafe JavaScript references when generating static output from crafted JSON descriptor input. The common…
- CVE-2026-54270Jun 15, 2026risk 0.00cvss —epss 0.00
## Summary protobufjs 8.2.0 added support for preserving unknown fields encountered during binary decode. Affected versions preserved unknown wire elements in `message.$unknowns` and did not provide a decode-time option to discard unknown fields before retaining them. A…
- CVE-2026-54274Jun 15, 2026risk 0.00cvss —epss 0.00
### Summary If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. ### Impact If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive…
- risk 0.00cvss —epss 0.00
### Summary The `server_hostname` TLS SNI check can be bypassed when an existing connection is reused. ### Impact If an application makes multiple requests to the same domain, but with different per-request `server_hostname` parameters, then the later calls may succeed by…
- risk 0.00cvss —epss 0.00
### Summary Payload resources are not closed correctly when a client disconnects in the middle of a write. ### Impact If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection…
- CVE-2026-54273Jun 15, 2026risk 0.00cvss —epss 0.00
### Summary No limit was present on the number of pipelined requests that could be queued. ### Impact An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. ----- Patch: https://github.com/aio-libs/aiohttp/commit/dfd…
- CVE-2026-54278Jun 15, 2026risk 0.00cvss —epss 0.00
### Summary During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. ### Impact An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a…
- CVE-2026-54277Jun 15, 2026risk 0.00cvss —epss 0.00
### Summary It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. ### Impact If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an…
- CVE-2026-54276Jun 15, 2026risk 0.00cvss —epss 0.00
### Summary ``DigestAuthMiddleware`` can send an authentication response after following a cross-origin redirect. ### Impact If the client follows a redirect (the default option) to an attacker controlled domain, the attacker may be able to extract the auth digest. This…
- risk 0.00cvss —epss 0.00
### Summary Host-only cookies that are saved with ``CookieJar.save()`` and then restored later with ``CookieJar.load()`` lose their host-only status. ### Impact Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been…
- risk 0.00cvss —epss 0.00
### Summary Attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. ### Impact In the unlikely situation that an application is passing user-controlled strings into…
- risk 0.00cvss —epss 0.00
Certain CSRF checks in React Router v7 [Framework Mode]() were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the…
- risk 0.52cvss —epss 0.01
## Summary Vitest Browser Mode exposes a `cdp()` API that forwards raw Chrome DevTools Protocol (CDP) methods over the Vitest browser WebSocket RPC. CDP is not gated by `browser.api.allowWrite`, `browser.api.allowExec`, `api.allowWrite`, or `api.allowExec`. As a result,…
- CVE-2026-49978Jun 15, 2026risk 0.00cvss —epss 0.00
If the HTML you give it contains a element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript:…
- CVE-2026-49458Jun 15, 2026risk 0.00cvss —epss 0.00
# Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks **CWE**: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — realm-bound `instanceof` checks fail-open…
- CVE-2026-49459Jun 15, 2026risk 0.00cvss —epss 0.00
# IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM **CWE**: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — silent no-op when `_forceRemove`…
- risk 0.35cvss —epss 0.00
LibreOffice Calc can import tracked changes from a spreadsheet document. A heap buffer overflow existed when a document reused the same change identifier for two different kinds of change. The importer then treated one change object as a different, larger type and wrote past the…
- risk 0.35cvss —epss 0.00
LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made up of many opening tokens. The array that tracks nesting depth was allocated one element too small for that worst case, so such a formula…
- risk 0.35cvss —epss 0.00
LibreOffice can import presentations in the legacy binary PPT format. A stack buffer overflow existed when importing a colour-replacement record. Two fixed-size colour tables were filled from the file, but the write position was not reset between the two passes over the record,…
- risk 0.35cvss —epss 0.00
LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type's field layout, but it could be a smaller object,…
- risk 0.35cvss —epss 0.00
LibreOffice can import EMF+ graphics, which may be embedded in documents. A heap buffer overflow existed when importing an EMF+ gradient brush. The number of gradient blend points was read from the file and used to compute an allocation size, but that multiplication could…
- risk 0.35cvss —epss 0.00
A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that…
- risk 0.35cvss —epss 0.00
LibreOffice can import drawings in the DXF format used by CAD software. A heap buffer overflow existed when importing a DXF polyline. The point count taken from the file was truncated to a 16-bit value when the point buffer was sized, while the full count was used to fill it, so…
- risk 0.40cvss 6.1epss 0.00
Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter. When a request specifies…
- risk 0.42cvss 7.5epss 0.00
Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could…
- risk 0.54cvss 6.5epss 0.08
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability exists because the affected software does…
- risk 0.38cvss —epss 0.00
## Summary protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated `toObject()` conversion and the custom `google.protobuf.Any` JSON conversion path. A crafted protobuf binary payload containing deeply…
- CVE-2026-54269Jun 15, 2026risk 0.00cvss —epss 0.00
## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection…
- risk 0.39cvss —epss 0.00
An information disclosure vulnerability exists in the `@angular/service-worker` package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker…
- risk 0.39cvss —epss 0.00
A Denial of Service (DoS) vulnerability exists in the `@angular/common` package of the Angular framework. The `formatDate` function, which is also utilized by the standard Angular `DatePipe`, does not properly limit or validate the length of the `format` parameter. When…
- risk 0.39cvss —epss 0.00
Angular's `HttpTransferCache` caches HTTP requests made during Server-Side Rendering (SSR) so that they can be reused during client-side hydration. This avoids repeating the same HTTP requests on the client. The cached responses are stored in `TransferState` using a cache key…
- CVE-2026-54265Jun 15, 2026risk 0.00cvss —epss 0.00
An issue in the `@angular/compiler` package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as `innerHTML`, `srcdoc`, `src`, `href`, `data`, or `sandbox`) is bound…
- CVE-2026-50557Jun 15, 2026risk 0.00cvss —epss 0.00
An issue in the `@angular/compiler` and `@angular/core` packages allows bypassing element and attribute sanitization/validation through specific namespace workarounds. Specifically, namespaced script elements (e.g., `<svg:script>` or `<:svg:script>`) were not properly…
- risk 0.38cvss —epss 0.00
A Cross-Site Scripting (XSS) vulnerability exists in `@angular/platform-server`'s DOM emulation dependency (`domino`) when serializing the content of `` elements. When rendering dynamic text content inside a `` element via template bindings (such as `{{…
- risk 0.38cvss —epss 0.00
A Cross-Site Scripting (XSS) vulnerability exists in `@angular/platform-server`'s DOM emulation dependency (`domino`) when serializing the content of raw-text elements (such as ``, ``, and ``). `domino` supports escaping raw-text elements during…
- CVE-2026-53655Jun 15, 2026risk 0.00cvss —epss 0.00
### Summary `tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX overrides) to the **next header entry of any type**, including intermediary metadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per POSIX pax, a PAX extended header…
- CVE-2026-53632Jun 15, 2026risk 0.00cvss —epss 0.00
### Summary The `launch-editor` NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled…
- risk 0.38cvss —epss 0.00
### Summary The contents of files that are specified by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser on Windows. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite…
- CVE-2026-53550Jun 15, 2026risk 0.00cvss —epss 0.00
### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event…
- risk 0.00cvss —epss 0.00
## Impact Using `@babel/core` to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are _all_ true: - the attacker controls the input source code - the attacker can read the output source code…
- CVE-2026-50184Jun 15, 2026risk 0.00cvss —epss 0.00
An issue in the `@angular/service-worker` package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new `Request` object using an internal…
- risk 0.38cvss —epss 0.00
A Denial of Service (DoS) vulnerability exists in the `@angular/common` package of Angular. The `formatNumber` function, which is also utilized by `DecimalPipe`, `PercentPipe`, and `CurrencyPipe`, does not properly validate the upper bounds of the `digitsInfo` parameter.…
- risk 0.38cvss —epss 0.00
A vulnerability was discovered in `@angular/common` when Server-Side Rendering (SSR) and hydration are enabled. The `HttpTransferCache` utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side…
- CVE-2026-52725Jun 15, 2026risk 0.00cvss —epss 0.00
An issue in the `@angular/core` package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism (`createComponent`) failed to reject mounting components directly onto a `` or…
- CVE-2026-50169Jun 15, 2026risk 0.00cvss —epss 0.00
An issue in the `@angular/service-worker` package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new `Request` object using an internal…
- risk 0.38cvss —epss 0.00
An issue in the `@angular/platform-server` package allows remote attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This occurs due to a parser differential between the strict WHATWG URL parser used for…
- risk 0.39cvss —epss 0.01
### Impact A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit,…
- risk 0.49cvss 7.5epss 0.01
Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be…
- risk 0.64cvss 9.8epss 0.01
Fortra's Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to cause commands to be executed with the privileges of the service during the…
- risk 0.27cvss 5.3epss 0.00
Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev…