Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. Public exploit code available.
Information Disclosure
NVD
GitHub
VulDB
CVSS 3.1
3.1
EPSS
0.1%
python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. Rated low severity (CVSS 2.9), this vulnerability is no authentication required. Public exploit code available.
Python
Information Disclosure
Markdownify
NVD
GitHub
CVSS 3.1
2.9
EPSS
0.1%