VulnScope — package-centric CVE lookup

Search

4,880 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

MEDIUM5.4CVE-2026-44311Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization6/12/2026
CRITICAL9.0Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign6/12/2026
MEDIUM6.5Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker6/12/2026
MEDIUM6.7LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access6/12/2026
MEDIUM5.8Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset6/11/2026
MEDIUM5.3@hapi/inert has a static-file confinement bypass via sibling-prefix path6/11/2026
MEDIUM6.5python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood6/11/2026
CRITICAL9.1Meta Ads MCP: Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token6/11/2026
MEDIUM5.3joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas6/11/2026
MEDIUM6.5@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects6/11/2026
MEDIUM5.9Litestar: AllowedHostsMiddleware bypasses host validation via client-controlled X-Forwarded-Host header6/10/2026
MEDIUM6.5vLLM's Artifact Pin Decay allows pinned deployments to load unpinned code, weights, and processors6/10/2026
MEDIUM6.3FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions6/8/2026
MEDIUM5.3FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString6/8/2026
MEDIUM5.4Authlib OAuth 2.0 has Open Redirect in Authorization API that allows attacker-controlled redirect_uri through unsupported response_type6/8/2026
MEDIUM4.3Bugsink: DOS using large numbers of event tags6/5/2026
MEDIUM4.3Bugsink: Project scoping missing in sourcemap and debug-file lookup6/5/2026
CRITICAL9.1NASA AMMOS Instrument Toolkit: Path traversal resulting in arbitrary file append (can be triggered over the network by unauthenticated attacker)6/5/2026
CRITICAL10.0DbGate: Unauthenticated Remote Code Execution via JSON Script Runner6/5/2026
MEDIUM6.0NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`6/5/2026
MEDIUM6.1MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration6/5/2026
MEDIUM6.5Authorization Bypass in SearchModelVersions in mlflow/mlflow6/5/2026
MEDIUM6.5Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path6/5/2026
CRITICAL9.1Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern6/5/2026
MEDIUM4.3Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints6/5/2026

Page 1 of 196Next →