CVE tracker
330 subscribers
4.58K links
News monitoring: @irnewsagency

Main channel: @orgsecuritygate

Site: SecurityGate.org
CVE-2026-53538 - Python-Multipart: Semicolon treated as querystring field separator enables parameter smuggling

CVE ID: CVE-2026-53538
Published: June 22, 2026, 4:56 p.m. | 1 hour, 33 minutes ago
Description: Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse (since the CVE-2021-23336 fix) treat only & as a separator. This creates a parser differential: the same bytes are tokenized into different fields than a WHATWG compliant intermediary would produce, allowing an attacker to smuggle extra form fields past an upstream body inspecting component. This vulnerability is fixed in 0.0.30.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-53537 - Python-Multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters

CVE ID: CVE-2026-53537
Published: June 22, 2026, 4:57 p.m. | 1 hour, 33 minutes ago
Description: Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset'lang'value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 §4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.
Severity: 0.0 | NA
CVE-2026-53540 - Python-Multipart: Negative Content-Length in parse_form buffers the entire body in memory

CVE ID: CVE-2026-53540
Published: June 22, 2026, 4:58 p.m. | 1 hour, 31 minutes ago
Description: Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.
Severity: 0.0 | NA
CVE-2026-54287 - Hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice

CVE ID: CVE-2026-54287
Published: June 22, 2026, 5:13 p.m. | 1 hour, 17 minutes ago
Description: Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attributes (for example Expires dates), clients cannot split the value back into individual cookies and silently drop or misparse them. This vulnerability is fixed in 4.12.25.
Severity: 0.0 | NA
CVE-2026-54286 - Hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

CVE ID: CVE-2026-54286
Published: June 22, 2026, 5:14 p.m. | 1 hour, 15 minutes ago
Description: Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash (%5C) in the request path decodes to \, which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static files meant to be protected behind prefix-mounted middleware. This vulnerability is fixed in 4.12.25.
Severity: 0.0 | NA
CVE-2026-10789 - MCP Extension Code Injection Vulnerability in Autodesk Fusion Desktop

CVE ID: CVE-2026-10789
Published: June 22, 2026, 5:15 p.m. | 1 hour, 14 minutes ago
Description: A maliciously crafted webpage, when visited by a user with Autodesk Fusion Desktop running and the MCP extension enabled, can trigger a vulnerability in the MCP extension that could allow arbitrary code execution. A successful exploit may allow code to execute with the privileges of the current user.
Severity: 9.6 | CRITICAL
CVE-2026-54290 - Hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

CVE ID: CVE-2026-54290
Published: June 22, 2026, 5:15 p.m. | 1 hour, 14 minutes ago
Description: Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make credentialed cross-origin requests and read the responses, exposing cookie-authenticated endpoints to arbitrary origins. This vulnerability is fixed in 4.12.25.
Severity: 0.0 | NA
CVE-2026-54289 - Hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

CVE ID: CVE-2026-54289
Published: June 22, 2026, 5:16 p.m. | 1 hour, 13 minutes ago
Description: Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so every value overwrites the previous one and only the last reaches the application. Repeated request headers such as X-Forwarded-For, Forwarded, and Via are silently truncated to a single value. Request middleware sees only the last value of a repeated header instead of the full chain. For applications that base access control on the X-Forwarded-For chain, this can weaken or alter that decision; for auditing, hop history is lost. This vulnerability is fixed in 4.12.25.
Severity: 0.0 | NA
CVE-2026-56323 - Capgo - Unauthenticated Channel Enumeration and App Oracle via GET /channel_self

CVE ID: CVE-2026-56323
Published: June 22, 2026, 9:04 p.m. | 1 hour, 26 minutes ago
Description: Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channel_self endpoint that allows unauthenticated attackers to enumerate non-public channel names and determine app existence and subscription status. Remote attackers can send GET requests with arbitrary app_id parameters to disclose internal rollout channels, enumerate valid applications across tenants, and leak billing status without authentication or device binding.
Severity: 8.7 | HIGH
CVE-2026-56324 - Capgo - Rate Limit Bypass via User-Controlled device_id Parameter

CVE ID: CVE-2026-56324
Published: June 22, 2026, 9:04 p.m. | 1 hour, 26 minutes ago
Description: Capgo before 12.128.2 contains a rate limit bypass vulnerability in the channel_self endpoint that allows attackers to circumvent rate limiting by rotating the user-controlled device_id parameter. Attackers can send multiple requests per second by changing device_id values to flood the channel_devices table and cause database exhaustion.
Severity: 8.8 | HIGH
CVE-2026-56326 - Nuxt - Server-Side Open Redirect via Path-Normalization Bypass in navigateTo

CVE ID: CVE-2026-56326
Published: June 22, 2026, 9:04 p.m. | 1 hour, 26 minutes ago
Description: Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-normalized payloads like /..//evil.com and /.//evil.com. Attackers can bypass external-host checks using path-normalization techniques to redirect users to attacker-controlled sites via the Location header or meta-refresh, enabling phishing and OAuth authorization-code theft.
Severity: 6.1 | MEDIUM
CVE-2026-56348 - n8n - Credential Exfiltration via Allowed HTTP Request Domains Bypass in Dynamic Node Parameters Endpoint

CVE ID: CVE-2026-56348
Published: June 22, 2026, 9:04 p.m. | 1 hour, 26 minutes ago
Description: n8n before 2.20.0 contains a credential exfiltration vulnerability in the POST /rest/dynamic-node-parameters/options endpoint that allows authenticated users to bypass Allowed HTTP Request Domains restrictions. Attackers with credential access can cause the n8n server to issue HTTP requests with credentials to unauthorized hosts, exfiltrating sensitive authentication data.
Severity: 9.1 | CRITICAL
CVE-2026-56357 - n8n - Webhook Forgery via Missing HMAC-SHA256 Signature Verification in GitHub Webhook Trigger

CVE ID: CVE-2026-56357
Published: June 22, 2026, 9:04 p.m. | 1 hour, 26 minutes ago
Description: n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.
Severity: 6.3 | MEDIUM
CVE-2026-56697 - Nuxt - Open Redirect via Protocol-Relative Paths in reloadNuxtApp

CVE ID: CVE-2026-56697
Published: June 22, 2026, 9:04 p.m. | 1 hour, 26 minutes ago
Description: Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protocol. Attackers can inject paths like //evil.com to redirect users to attacker-controlled hosts, enabling phishing and OAuth authorization-code theft.
Severity: 6.1 | MEDIUM
CVE-2026-56698 - Nuxt - Cross-Site Scripting via navigateTo open Option

CVE ID: CVE-2026-56698
Published: June 22, 2026, 9:04 p.m. | 1 hour, 26 minutes ago
Description: Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin when user-controlled input is passed to navigateTo.
Severity: 6.1 | MEDIUM
CVE-2026-48516 - MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settings

CVE ID: CVE-2026-48516
Published: June 22, 2026, 9:09 p.m. | 1 hour, 21 minutes ago
Description: MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter constructs an internal Dictionary> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer(). This formatter omission allows hash-collision CPU denial of service against ILookup even when the application has opted into the untrusted-data security posture. This vulnerability is fixed in 2.5.301 and 3.1.7.
Severity: 0.0 | NA
CVE-2026-48515 - MessagePack-CSharp: Multi-dimensional array formatters allocate from unchecked dimensions

CVE ID: CVE-2026-48515
Published: June 22, 2026, 9:10 p.m. | 1 hour, 20 minutes ago
Description: MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's multi-dimensional array formatters read dimension lengths directly from the payload and allocate T[,], T[,,], or T[,,,] before validating that the dimension product matches the encoded element count. The formatter reads a guarded element array header, but allocation of the target multi-dimensional array happens before the dimensions are checked against that element count. A small payload can therefore declare large dimensions, provide an empty or tiny inner array, and cause a large heap allocation before element data is validated. This vulnerability is fixed in 2.5.301 and 3.1.7.
Severity: 0.0 | NA
CVE-2026-48514 - MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length

CVE ID: CVE-2026-48514
Published: June 22, 2026, 9:11 p.m. | 1 hour, 19 minutes ago
Description: MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, UnsafeBlitFormatterBase.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining payload bytes. The outer extension header is bounded by available input, but that bound is not used to constrain the inner byteLength before allocation. A very small payload can therefore request a very large T[] allocation. This vulnerability is fixed in 2.5.301 and 3.1.7.
Severity: 0.0 | NA
CVE-2026-48513 - MessagePack-CSharp: DynamicUnionResolver generated deserializers miss depth enforcement

CVE ID: CVE-2026-48513
Published: June 22, 2026, 9:12 p.m. | 1 hour, 18 minutes ago
Description: MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref reader) and do not decrement reader.Depth around recursive deserialization and skip paths. This means union deserialization does not consistently participate in the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls reader.Skip() on attacker-controlled data without an enclosing depth step. This vulnerability is fixed in 2.5.301 and 3.1.7.
Severity: 0.0 | NA
CVE-2026-48512 - MessagePack-CSharp: JSON conversion APIs can recurse without consistent depth enforcement

CVE ID: CVE-2026-48512
Published: June 22, 2026, 9:14 p.m. | 1 hour, 17 minutes ago
Description: MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's JSON conversion helpers contain multiple recursion paths that do not consistently enforce a depth limit. These paths are in the JSON conversion component rather than normal typed MessagePack deserialization. MessagePackSerializer.ConvertFromJson recursively processes nested JSON arrays and objects in FromJsonCore() without consulting MessagePackSecurity.MaximumObjectGraphDepth. TinyJsonReader.ReadNextToken() recursively consumes comma and colon separator characters, allowing even malformed JSON with long separator runs to consume one stack frame per character. MessagePackSerializer.ConvertToJson applies depth checks to arrays and maps, but the typeless extension branch for ext-100 recursively calls ToJsonCore() without applying MessagePackSecurity.DepthStep(ref reader). Each path can allow attacker-controlled input to exhaust the process stack and trigger an uncatchable StackOverflowException instead of failing with a catchable parse or serialization exception. This vulnerability is fixed in 2.5.301 and 3.1.7.
Severity: 0.0 | NA
CVE-2026-48511 - MessagePack-CSharp: ExpandoObject formatter can perform quadratic insertion work on untrusted maps

CVE ID: CVE-2026-48511
Published: June 22, 2026, 9:14 p.m. | 1 hour, 16 minutes ago
Description: MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies. For large attacker-controlled maps, this produces quadratic CPU and allocation behavior. The issue is especially surprising because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, but collision-resistant dictionary comparers cannot protect ExpandoObject insertion internals. This vulnerability is fixed in 2.5.301 and 3.1.7.
Severity: 0.0 | NA