Search

3,037 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

MEDIUM5.3CVE-2026-47676Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths6/4/2026
MEDIUM5.3CVE-2026-47674Hono: IP Restriction bypasses static deny rules for non-canonical IPv66/4/2026
MEDIUM4.3CVE-2026-47675Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection6/4/2026
MEDIUM4.8CVE-2026-47673Hono: JWT middleware accepts any Authorization scheme, not only Bearer6/4/2026
MEDIUM6.5CVE-2026-49144EPSS 0.02%browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server6/3/2026
MEDIUM5.4CVE-2026-33244EPSS 0.03%React Router has stored XSS via unescaped Location header in prerendered redirect HTML6/3/2026
MEDIUM5.3CVE-2026-8814EPSS 0.06%ExifReader is vulnerable to denial of service via unbounded decompression of image metadata5/29/2026
MEDIUM4.8CVE-2026-44490axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions5/29/2026
MEDIUM5.5CVE-2026-47144Shamefile has an arbitrary file read via shamefile.yaml in shame next5/28/2026
MEDIUM6.5CVE-2026-2340EPSS 0.07%A flaw was found in Samba’s vfs_worm module.5/27/2026
MEDIUM5.3CVE-2026-44646LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`5/27/2026
MEDIUM6.5CVE-2026-44645LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body5/27/2026
MEDIUM6.1CVE-2026-44644LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS5/27/2026
MEDIUM5.3CVE-2026-42015EPSS 0.25%A flaw was found in gnutls.5/26/2026
MEDIUM6.1CVE-2026-26028EPSS 0.03%CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS5/26/2026
MEDIUM5.4CVE-2026-39964EPSS 0.05%Typebot.io has stored XSS via `javascript`: URI in text bubble links — bot author executes JS on visitors' browsers5/26/2026
MEDIUM5.3CVE-2026-5223EPSS 0.07%Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override…5/25/2026
MEDIUM6.5CVE-2026-5222EPSS 0.03%Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol.5/25/2026
MEDIUM5.3CVE-2026-8723EPSS 0.04%qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set5/22/2026
MEDIUM5.8CVE-2026-46552NocoDB: Shared-base link access can invite arbitrary users as persistent base members5/21/2026
MEDIUM6.5CVE-2026-46551NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion5/21/2026
MEDIUM5.4CVE-2026-46550NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags5/21/2026
MEDIUM4.3CVE-2026-46548NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams)5/21/2026
MEDIUM6.1CVE-2026-46547NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL5/21/2026
MEDIUM5.3CVE-2026-5950EPSS 0.14%An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenti…5/20/2026

Page 1 of 122Next →