VulnScope — package-centric CVE lookup

Search

3,116 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

MEDIUM5.9CVE-2026-54314n8n: Denial of Service via ZIP decompression in webhook workflow6/16/2026
MEDIUM6.3n8n: Merge Node SQL Mode Prototype Pollution6/16/2026
MEDIUM5.4n8n: Prototype Pollution enables confused-deputy execution via public webhooks6/16/2026
MEDIUM4.2Astro: XSS via Unescaped Attribute Names in Spread Props6/16/2026
MEDIUM5.3@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config6/16/2026
MEDIUM6.5hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`6/16/2026
MEDIUM4.8hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest6/16/2026
MEDIUM5.9hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)6/16/2026
MEDIUM5.3hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice6/16/2026
MEDIUM5.3markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations6/15/2026
MEDIUM5.3OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation6/15/2026
MEDIUM5.3UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`6/15/2026
MEDIUM5.3protobufjs: Memory amplification from preserved unknown fields in binary decode6/15/2026
MEDIUM6.1DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks6/15/2026
MEDIUM6.1DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM6/15/2026
MEDIUM5.3protobufjs : Schema-derived names can shadow runtime-significant properties6/15/2026
MEDIUM5.3JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases6/15/2026
MEDIUM5.4Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization6/12/2026
MEDIUM6.5Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker6/12/2026
MEDIUM6.7LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access6/12/2026
MEDIUM6.9Vim is an open source, command line text editor.6/11/2026
MEDIUM5.3@hapi/inert has a static-file confinement bypass via sibling-prefix path6/11/2026
MEDIUM5.3joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas6/11/2026
MEDIUM6.5@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects6/11/2026
MEDIUM4.8Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authent…6/9/2026

Page 1 of 125Next →