VulnScope — package-centric CVE lookup

Search

2,064 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

LOW2.2CVE-2026-12567BBOT: Symlink-Following Arbitrary Write via github_workflows Module6/18/2026
LOW3.1BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authenticate realm parsing6/18/2026
CRITICAL9.8python-statemachine SCXML <data expr> Eval Injection6/18/2026
CRITICAL9.3Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak6/17/2026
CRITICAL9.1Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory6/17/2026
CRITICAL9.1Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks6/17/2026
CRITICAL9.8Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure6/17/2026
CRITICAL9.8Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API6/16/2026
CRITICAL9.1vLLM: OpenAI auth bypass6/16/2026
CRITICAL9.6Langflow: Unauthenticated RCE in Shareable Playgrounds6/16/2026
LOW3.7Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname6/15/2026
LOW3.7python-multipart: Negative Content-Length in parse_form buffers the entire body in memory6/15/2026
LOW3.7python-multipart: Semicolon treated as querystring field separator enables parameter smuggling6/15/2026
LOW3.7python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters6/15/2026
LOW3.7Tornado has out-of-bounds memory access via C extension6/12/2026
CRITICAL9.1Meta Ads MCP: Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token6/11/2026
CRITICAL9.8MariaDB: mysql_real_escape_string() incorrectly handled big56/7/2026
LOW3.1Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known6/5/2026
LOW3.1Bugsink: Issue event views can show an event from another project if its UUID is known6/5/2026
CRITICAL9.1NASA AMMOS Instrument Toolkit: Path traversal resulting in arbitrary file append (can be triggered over the network by unauthenticated attacker)6/5/2026
CRITICAL9.1Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern6/5/2026
LOW2.5A security flaw has been discovered in gradio-app gradio 6.14.0.6/4/2026
CRITICAL9.8Jupyter Enterprise Gateway: ContainerProcessProxy._enforce_prohibited_ids Bypass6/3/2026
LOW3.7daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processi…6/3/2026
CRITICAL9.6praisonai-platform: Any workspace member can add arbitrary user as owner via POST /workspaces/{id}/members6/1/2026

Page 1 of 83Next →