VulnScope — package-centric CVE lookup

Search

46 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

CRITICAL9.6CVE-2026-45321⚠ KEVEPSS 17.1%Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys5/12/2026
HIGH8.8⚠ KEVEPSS 4.1%LiteLLM: Authenticated command execution via MCP stdio test endpoints4/25/2026
CRITICAL9.8⚠ KEVEPSS 56.9%LiteLLM has SQL Injection in Proxy API key verification4/24/2026
CRITICAL9.8⚠ KEVEPSS 80.7%Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass4/8/2026
—⚠ KEVEPSS 23.9%Trivy ecosystem supply chain was briefly compromised in github.com/aquasecurity/trivy3/30/2026
CRITICAL9.8⚠ KEVEPSS 24.0%Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint3/17/2026
CRITICAL9.9⚠ KEVEPSS 65.8%n8n Vulnerable to Remote Code Execution via Expression Injection12/22/2025
HIGH8.8⚠ KEVEPSS 32.7%Langflow CORS misconfiguration enables Account Takeover and RCE12/6/2025
CRITICAL10.0⚠ KEVEPSS 84.5%React Server Components are Vulnerable to RCE12/3/2025
CRITICAL9.8⚠ KEVEPSS 27.9%@react-native-community/cli has arbitrary OS command injection11/3/2025
HIGH7.5⚠ KEVEPSS 14.7%eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code7/19/2025
HIGH8.0⚠ KEVEPSS 0.60%Git allows arbitrary code execution through broken config quoting7/8/2025
CRITICAL9.8⚠ KEVEPSS 92.7%Langflow Unauth RCE6/17/2025
MEDIUM5.3⚠ KEVEPSS 83.2%Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query3/31/2025
HIGH8.1⚠ KEVEPSS 70.8%freetype - security update3/11/2025
CRITICAL9.1⚠ KEVEPSS 93.9%Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path.7/1/2024
MEDIUM5.3⚠ KEVEPSS 94.4%nghttp2 - security update10/10/2023
HIGH8.8⚠ KEVEPSS 5.0%libvpx - security update9/28/2023
HIGH8.8⚠ KEVEPSS 93.3%thunderbird - security update9/12/2023
HIGH8.9⚠ KEVEPSS 84.0%Apache Superset: Session validation vulnerability when using provided default SECRET_KEY4/24/2023
CRITICAL9.6⚠ KEVEPSS 0.08%chromium - security update11/25/2022
HIGH8.8⚠ KEVEPSS 93.5%Apache Spark shell command injection vulnerability via Spark UI7/19/2022
CRITICAL9.8⚠ KEVEPSS 94.4%salt - security update5/24/2022
CRITICAL9.8⚠ KEVEPSS 94.2%salt - security update5/24/2022
MEDIUM6.5⚠ KEVEPSS 93.7%SaltStack Salt is vulnerable Arbitrary Directory Access5/24/2022

Page 1 of 2Next →