VulnScope — package-centric CVE lookup

Search

8,825 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

MEDIUM6.5CVE-2026-54683NL Portal Backend Libraries: Document contents remained downloadable by any logged-in user (incomplete fix of CVE-2026-49463)6/18/2026
LOW2.2BBOT: Symlink-Following Arbitrary Write via github_workflows Module6/18/2026
MEDIUM6.5BBOT: Arbitrary File Write in postman_download Module6/18/2026
LOW3.1BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authenticate realm parsing6/18/2026
MEDIUM5.3BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-102846/18/2026
CRITICAL9.8python-statemachine SCXML <data expr> Eval Injection6/18/2026
MEDIUM5.4Strimzi: Unrestricted access to all Secrets within namespace watched by the Topic operator6/18/2026
MEDIUM6.1marimo contains a reflected cross-site scripting vulnerability in the notebook page6/18/2026
MEDIUM6.0OpenStack Horizon RC file generation does not escape special characters in project names6/17/2026
CRITICAL9.3Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak6/17/2026
CRITICAL9.1Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory6/17/2026
MEDIUM6.5Apache DolphinScheduler: An incorrect authorization vulnerability allows authenticated users to access alert instances associated with alert groups they do not have permission to access.6/17/2026
MEDIUM6.5Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.6/17/2026
MEDIUM4.9Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects6/17/2026
CRITICAL9.1Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks6/17/2026
CRITICAL9.8Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure6/17/2026
MEDIUM5.3Open WebUI: Any authenticated user can read other users' private notes via Socket.IO6/17/2026
MEDIUM6.3Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter6/17/2026
MEDIUM6.5Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode6/17/2026
MEDIUM4.3Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration6/17/2026
MEDIUM6.4Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion6/17/2026
MEDIUM4.3Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}6/17/2026
MEDIUM6.5Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field6/17/2026
MEDIUM4.3Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar6/17/2026
MEDIUM6.5vLLM: OOM Denial of Service via Audio Decompression Bomb6/17/2026

Page 1 of 353Next →