VulnScope — Package-centric CVE lookup tool

- HIGH 7.5 CVE-2026-54283 Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS
- LOW 3.7 Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname
- HIGH 7.5 python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service
- LOW 3.7 python-multipart: Negative Content-Length in parse_form buffers the entire body in memory
- LOW 3.7 python-multipart: Semicolon treated as querystring field separator enables parameter smuggling
- LOW 3.7 python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
- HIGH 7.7 Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient
- HIGH 7.5 tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)
- HIGH 7.5 Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows
- MEDIUM 5.3 Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`
- — aiohttp: Incomplete websocket frame payloads bypass memory limits
- — aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
- — aiohttp: Payload Response Resources Are Not Closed After Mid-Body Disconnect
- — aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
- — aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
- — aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
- — aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
- — aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
- — aiohttp: CRLF injection in multipart headers
- — Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument i…
- MEDIUM 6.8 In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can retu…