Search

207 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

LOW3.7CVE-2026-44489Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix5/29/2026
LOW2.0CVE-2026-46549NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation5/21/2026
LOW3.7CVE-2026-45232EPSS 0.04%Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in s…5/20/2026
LOW3.7CVE-2026-44572EPSS 0.01%Next.js's Middleware / Proxy redirects can be cache-poisoned5/11/2026
LOW3.7CVE-2026-44582EPSS 0.01%Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting5/11/2026
LOW3.8CVE-2026-44459EPSS 0.02%Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()5/9/2026
LOW3.7CVE-2026-44589EPSS 0.04%nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)5/7/2026
LOW3.7CVE-2026-8026EPSS 0.02%Flowise: Bcrypt Password Hash Exposure5/6/2026
LOW3.7CVE-2026-42040EPSS 0.06%Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams5/5/2026
LOW3.7CVE-2026-3832EPSS 0.02%A flaw was found in gnutls.4/30/2026
LOW3.7CVE-2026-5419EPSS 0.04%A flaw was found in gnutls.4/30/2026
LOW2.2CVE-2026-41321EPSS 0.05%Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4)4/23/2026
LOW3.7CVE-2026-33877EPSS 0.03%ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint4/16/2026
LOW3.5CVE-2026-6216EPSS 0.04%DbGate has cross site scripting via the SVG Icon String Handler component4/13/2026
LOW3.7CVE-2026-41913EPSS 0.08%OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths4/9/2026
LOW3.7CVE-2026-34166EPSS 0.02%LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter4/8/2026
LOW3.7CVE-2026-39321EPSS 0.03%Parse Server has a login timing side-channel reveals user existence4/8/2026
LOW3.7CVE-2026-41407EPSS 0.04%OpenClaw: Shared-secret comparison call sites leaked length information through timing4/7/2026
LOW2.8CVE-2026-34781EPSS 0.01%Electron: Crash in clipboard.readImage() on malformed clipboard image data4/7/2026
LOW2.3CVE-2026-34764EPSS 0.02%Electron: Use-after-free in offscreen shared texture release() callback4/3/2026
LOW3.7CVE-2026-41333EPSS 0.08%OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting4/3/2026
LOW3.9CVE-2026-34768EPSS 0.01%Electron: Unquoted executable path in app.setLoginItemSettings on Windows4/3/2026
LOW3.3CVE-2026-34766EPSS 0.01%Electron: USB device selection not validated against filtered device list4/3/2026
LOW3.3CVE-2026-21716EPSS 0.01%An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permissi…3/30/2026
LOW3.3CVE-2026-21715EPSS 0.01%A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, wh…3/30/2026

Page 1 of 9Next →