VulnScope — package-centric CVE lookup

Search

16,485 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

MEDIUM5.4CVE-2026-44311Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization6/12/2026
LOW3.7CVE-2026-49854Tornado has out-of-bounds memory access via C extension6/12/2026
HIGH8.1Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL6/12/2026
HIGH7.5Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema6/12/2026
CRITICAL9.0Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign6/12/2026
—Budibase: Unvalidated VectorDB Host Parameter Enables SSRF6/12/2026
MEDIUM6.5Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker6/12/2026
MEDIUM6.5GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution6/12/2026
HIGH7.2GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page6/12/2026
HIGH7.7Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection6/12/2026
—Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step6/12/2026
MEDIUM6.7LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access6/12/2026
HIGH7.2GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection6/11/2026
HIGH7.1WsgiDAV encoded dot segments can escape filesystem share roots6/11/2026
—Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion6/11/2026
MEDIUM5.8Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset6/11/2026
MEDIUM5.3@hapi/inert has a static-file confinement bypass via sibling-prefix path6/11/2026
MEDIUM6.5python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood6/11/2026
MEDIUM5.3netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion6/11/2026
—netty-incubator-codec-ohttp's Incorrect Native Pointer Derivation in Pooled Direct ByteBuf Fallback Leads to Out-of-Bounds Native Memory Access6/11/2026
CRITICAL9.1Meta Ads MCP: Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token6/11/2026
HIGH7.5@grpc/grpc-js: A malformed request can cause a server crash6/11/2026
HIGH7.5@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash6/11/2026
MEDIUM5.3joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas6/11/2026
HIGH8.8OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri6/11/2026

Page 1 of 660Next →