[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-42854":6},{"stargazers_count":4,"fetched_at":5},5,"2026-05-13T10:40:20.565Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":20,"aliases":21,"duplicate_of":9,"upstream":22,"downstream":23,"duplicates":24,"related":25,"reserved_at":9,"published_at":26,"modified_at":26,"state":27,"summary":28,"references_raw":35,"kevs":42,"epss":9,"epss_history":43,"metrics":44,"affected":51},"CVE-2026-42854","arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field (Content-Type: multipart/form-data; boundary=...) without enforcing any length limit. Sending a boundary string longer than ~8000 characters overflows the 8192-byte task stack of the loopTask, causing a crash and potential remote code execution. \nThis vulnerability is fixed in 3.3.8.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-121","Stack-based Buffer Overflow","A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).","weakness","Draft","Variant","High",[],[],[],[],[],[],[],"2026-05-12T21:56:33.437Z","Received",{"cisa_kev":29,"cisa_ransomware":29,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":30,"severity_score":31,"severity_version":32,"severity_source":33,"severity_vector":34,"severity_status":27},false,"critical",9.8,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",[36],{"url":37,"sources":38,"tags":40},"https://github.com/espressif/arduino-esp32/security/advisories/GHSA-8cmm-3887-r32j",[33,39],"nvd",[41],"X Refsource CONFIRM",[],[],[45,49],{"source":33,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":46,"cvss_v4_0":9},{"baseScore":31,"baseSeverity":47,"vectorString":34,"impactScore":31,"exploitabilityScore":48},"CRITICAL",10,{"source":39,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":50,"cvss_v4_0":9},{"baseScore":31,"baseSeverity":47,"vectorString":34,"impactScore":31,"exploitabilityScore":48},[52],{"ecosystem":9,"name":53,"vendor":54,"product":53,"cpe_part":55,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":56},"arduino-esp32","espressif","a",[57],{"version":58,"is_range":59,"range_type":33,"version_start":9,"version_start_type":9,"version_end":60,"version_end_type":61,"fixed_in":9},"\u003C 3.3.8",true,"3.3.8","excluding"]