Threats Tagged 'cwe-436'
View all threats tagged with 'cwe-436'. Filter and sort to focus on specific types of threats.
CVE-2026-53538: CWE-436: Interpretation Conflict in Kludex python-multipart
CVE-2026-53538 is a low-severity vulnerability in the python-multipart library prior to version 0.0.30. The issue arises because the QuerystringParser treated the semicolon (;) as a field separator in application/x-www-form-urlencoded bodies, whereas modern standards and browsers treat only the ampersand (&) as a separator. This discrepancy allows an attacker to smuggle extra form fields past upstream body inspection components. The vulnerability is fixed in version 0.0.30.
Source: CVE Database V5 | 06/22/2026, 16:56:32 UTC | Added: 06/22/2026, 17:39:38 UTC

CVE-2026-53537: CWE-20: Improper Input Validation in Kludex python-multipart
Python-Multipart versions prior to 0.0.30 improperly parse Content-Disposition headers by applying RFC 2231/5987 decoding, which is not compliant with RFC 7578 §4.2 for multipart/form-data. This allows an attacker to smuggle altered field names or filenames past upstream inspectors to the backend. The vulnerability is fixed in version 0.0.30.
Source: CVE Database V5 | 06/22/2026, 16:57:21 UTC | Added: 06/22/2026, 17:39:38 UTC

CVE-2026-53655: CWE-436: Interpretation Conflict in isaacs node-tar
A vulnerability in node-tar prior to version 7.5.16 allows a crafted tar archive to cause interpretation conflicts due to incorrect handling of PAX extended headers. This leads to a desynchronization of the stream cursor compared to other tar implementations, enabling an attacker to hide archive members from some parsers while exposing them to others. The issue is fixed in version 7.5.16.
Source: CVE Database V5 | 06/22/2026, 14:55:50 UTC | Added: 06/22/2026, 15:39:22 UTC

CVE-2026-48788: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in umputun remark42
Remark42 versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability due to inconsistent content-type validation in its image proxy. An attacker can host a malicious URL that advertises an image content-type but serves HTML/JavaScript, causing the proxy to serve attacker-controlled scripts under Remark42's origin. Exploitation requires no user account and can be triggered by delivering the malicious proxy link to victims. This vulnerability is fixed in version 1.16.0.
Source: CVE Database V5 | 06/16/2026, 22:29:38 UTC | Added: 06/16/2026, 23:15:15 UTC

CVE-2026-42462: CWE-180: Incorrect Behavior Order: Validate Before Canonicalize in fedify-dev fedify
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document in a way that changes how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue.
Source: CVE Database V5 | 06/10/2026, 20:22:35 UTC | Added: 06/10/2026, 20:59:14 UTC

CVE-2026-47344: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in TYPO3 HTML Sanitizer
When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style\t>) are not recognized by the sanitizer but are accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.
Source: CVE Database V5 | 06/08/2026, 19:03:19 UTC | Added: 06/08/2026, 19:48:36 UTC

CVE-2026-40930: CWE-436: Interpretation Conflict in pnggroup libpng
A vulnerability in libpng version 1.8.0 involves an interpretation conflict in the APNG parser's handling of ancillary chunks. Specifically, certain discard paths clear the chunk-header flag without consuming the chunk body and CRC, which may allow attacker-controlled data to be misinterpreted as new chunk headers. This issue is identified as CWE-436 and has a CVSS score of 5.4, indicating medium severity.
Source: CVE Database V5 | 06/04/2026, 14:34:51 UTC | Added: 06/04/2026, 15:48:58 UTC