VulnScope — package-centric CVE lookup

Search

2,810 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

CRITICAL9.6CVE-2026-55447Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit6/19/2026
CRITICAL9.9Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow6/19/2026
CRITICAL9.9Network-AI: Improper Neutralization of Special Elements used in an OS Command6/19/2026
CRITICAL9.1Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests6/19/2026
CRITICAL9.8gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)6/18/2026
CRITICAL9.8python-statemachine SCXML <data expr> Eval Injection6/18/2026
CRITICAL9.3Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak6/17/2026
CRITICAL9.1Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory6/17/2026
CRITICAL9.1Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks6/17/2026
CRITICAL9.8Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure6/17/2026
CRITICAL10.0n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions6/16/2026
CRITICAL9.9n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints6/16/2026
CRITICAL9.6n8n: Credential Exfiltration via Permission Bypass6/16/2026
CRITICAL9.0LobeHub: Unauthenticated SSRF in `/webapi/proxy`6/16/2026
CRITICAL9.8Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API6/16/2026
CRITICAL9.9n8n: SQL Injection in Postgres v1/TimesclaeDB Nodes6/16/2026
CRITICAL9.1vLLM: OpenAI auth bypass6/16/2026
CRITICAL9.6Langflow: Unauthenticated RCE in Shareable Playgrounds6/16/2026
CRITICAL9.1Remotion: arbitrary file write vulnerability6/15/2026
CRITICAL9.8Remotion: remote code execution (RCE) vulnerability6/15/2026
CRITICAL9.8Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE6/15/2026
CRITICAL9.0Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign6/12/2026
CRITICAL9.1Meta Ads MCP: Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token6/11/2026
CRITICAL9.8GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle.6/10/2026
CRITICAL9.8Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification.6/9/2026

Page 1 of 113Next →