
Threats Tagged 'cwe-436'

View all threats tagged with 'cwe-436'. Filter and sort to focus on specific types of threats.

CVE-2026-53538: CWE-436: Interpretation Conflict in Kludex python-multipart

CVE-2026-53538 is a low-severity vulnerability in the python-multipart library prior to version 0.0.30. The issue arises because the QuerystringParser treated the semicolon (;) as a field separator in application/x-www-form-urlencoded bodies, whereas modern standards and browsers treat only the ampersand (&) as a separator. This discrepancy allows an attacker to smuggle extra form fields past upstream body inspection components. The vulnerability is fixed in version 0.0.30.

CVE-2026-53537: CWE-20: Improper Input Validation in Kludex python-multipart

Python-Multipart versions prior to 0.0.30 improperly parse Content-Disposition headers by applying RFC 2231/5987 decoding, which is not compliant with RFC 7578 §4.2 for multipart/form-data. This allows an attacker to smuggle altered field names or filenames past upstream inspectors to the backend. The vulnerability is fixed in version 0.0.30.

CVE-2026-53655: CWE-436: Interpretation Conflict in isaacs node-tar

A vulnerability in node-tar prior to version 7.5.16 allows a crafted tar archive to cause interpretation conflicts due to incorrect handling of PAX extended headers. This leads to a desynchronization of the stream cursor compared to other tar implementations, enabling an attacker to hide archive members from some parsers while exposing them to others. The issue is fixed in version 7.5.16.

CVE-2026-48788: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in umputun remark42

Remark42 versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability due to inconsistent content-type validation in its image proxy. An attacker can host a malicious URL that advertises an image content-type but serves HTML/JavaScript, causing the proxy to serve attacker-controlled scripts under Remark42's origin. Exploitation requires no user account and can be triggered by delivering the malicious proxy link to victims. This vulnerability is fixed in version 1.16.0.

CVE-2026-42462: CWE-180: Incorrect Behavior Order: Validate Before Canonicalize in fedify-dev fedify

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can use JSON-LD features to restructure a JSON-LD document in a way that changes how Fedify interprets it without invalidating its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue.

CVE-2026-47344: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in TYPO3 HTML Sanitizer

When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style\t>) are not recognized by the sanitizer but are accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.

CVE-2026-40930: CWE-436: Interpretation Conflict in pnggroup libpng

A vulnerability in libpng version 1.8.0 involves an interpretation conflict in the APNG parser's handling of ancillary chunks. Specifically, certain discard paths clear the chunk-header flag without consuming the chunk body and CRC, which may allow attacker-controlled data to be misinterpreted as new chunk headers. This issue is identified as CWE-436 and has a CVSS score of 5.4, indicating medium severity.


Showing 1 to 7 of 7 results
