VulnScope — package-centric CVE lookup

Search

366 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

LOW3.7CVE-2026-54282Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname6/15/2026
LOW3.7python-multipart: Negative Content-Length in parse_form buffers the entire body in memory6/15/2026
LOW3.7python-multipart: Semicolon treated as querystring field separator enables parameter smuggling6/15/2026
LOW3.7python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters6/15/2026
LOW3.7Tornado has out-of-bounds memory access via C extension6/12/2026
LOW3.7Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provid…6/9/2026
LOW3.7Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup…6/9/2026
LOW3.1Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known6/5/2026
LOW3.1Bugsink: Issue event views can show an event from another project if its UUID is known6/5/2026
LOW2.5A security flaw has been discovered in gradio-app gradio 6.14.0.6/4/2026
LOW3.7daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processi…6/3/2026
LOW3.1EPSS 0.04%Apache Airflow: Log server JWT authorization bypass via Python lstrip() character stripping allows cross-Dag log access6/1/2026
LOW3.3Dulwich doesn't sanitize commit subjects in `porcelain.format_patch`5/29/2026
LOW3.7EPSS 0.06%PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)5/28/2026
LOW3.3EPSS 0.01%pypdf: Possible long runtimes for zero-only width values in cross-reference streamsuntimes for zero-only width values in cross-reference streams5/28/2026
LOW3.7EPSS 0.04%Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in s…5/20/2026
LOW3.1Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs5/19/2026
LOW3.5EPSS 0.01%Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access)5/14/2026
LOW3.1dbt MCP Server Transmits All MCP Tool Arguments Including Raw SQL and --vars Credentials to dbt Labs Telemetry by Default Without Redaction5/14/2026
LOW2.5dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled5/14/2026
LOW2.7EPSS 0.09%Synapse pagination Denial of Service5/14/2026
LOW3.3EPSS 0.01%OSGeo GDAL vulnerable to out-of-bounds read5/7/2026
LOW3.5EPSS 0.04%Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed5/6/2026
LOW3.4EPSS 0.00%Paramiko rsakey.py allows the SHA-1 algorithm5/6/2026
LOW3.0EPSS 0.01%ciguard: Container image runs as root (no USER directive)5/5/2026

Page 1 of 15Next →