VulnScope — package-centric CVE lookup

Search

8,937 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

LOW2.5CVE-2026-54326Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass6/16/2026
CRITICAL10.0n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions6/16/2026
CRITICAL9.9n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints6/16/2026
CRITICAL9.6n8n: Credential Exfiltration via Permission Bypass6/16/2026
MEDIUM5.9n8n: Denial of Service via ZIP decompression in webhook workflow6/16/2026
MEDIUM6.1yt-dlp: File Downloader cookie leak with curl6/16/2026
CRITICAL9.0LobeHub: Unauthenticated SSRF in `/webapi/proxy`6/16/2026
CRITICAL9.8Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API6/16/2026
MEDIUM6.3n8n: Merge Node SQL Mode Prototype Pollution6/16/2026
MEDIUM5.4n8n: Prototype Pollution enables confused-deputy execution via public webhooks6/16/2026
CRITICAL9.9n8n: SQL Injection in Postgres v1/TimesclaeDB Nodes6/16/2026
CRITICAL9.1vLLM: OpenAI auth bypass6/16/2026
MEDIUM6.1Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read6/16/2026
CRITICAL9.6Langflow: Unauthenticated RCE in Shareable Playgrounds6/16/2026
MEDIUM6.5Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint6/16/2026
MEDIUM4.2Astro: XSS via Unescaped Attribute Names in Spread Props6/16/2026
MEDIUM5.3@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config6/16/2026
MEDIUM6.5hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`6/16/2026
MEDIUM4.8hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest6/16/2026
MEDIUM5.9hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)6/16/2026
MEDIUM5.3hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice6/16/2026
MEDIUM5.3markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations6/15/2026
MEDIUM5.3OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation6/15/2026
LOW3.7Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname6/15/2026
LOW3.7python-multipart: Negative Content-Length in parse_form buffers the entire body in memory6/15/2026

Page 1 of 358Next →