VulnScope — package-centric CVE lookup

Search

16,485 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

MEDIUM6.5CVE-2026-48022@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects6/11/2026
—CVE-2026-48007Element Call reports full URLs of visited pages to analytics server6/11/2026
—Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator6/11/2026
—PDM: Project-Controlled `.pdm-plugins` Content Executes Before CLI Parsing6/11/2026
—PDM wheel installation leads to Path Traversal via overridden write_to_fs6/10/2026
—PDM: Project-Local State and Config Writes Follow Symlinks6/10/2026
—Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload6/10/2026
MEDIUM5.9Litestar: AllowedHostsMiddleware bypasses host validation via client-controlled X-Forwarded-Host header6/10/2026
HIGH8.1Litestar has HTML Injection Through its CSRF Token6/10/2026
MEDIUM6.5vLLM's Artifact Pin Decay allows pinned deployments to load unpinned code, weights, and processors6/10/2026
HIGH7.5Acknowledgement extension out of memory6/10/2026
HIGH8.0Jenkins: Stored XSS vulnerability in node offline cause description6/10/2026
LOW3.5Papra HTTP redirect bypass can lead to SSRF via webhook delivery system6/10/2026
—@hulumi/baseline: AccountFoundation reuse paths silently downgrade GuardDuty / Security Hub posture6/10/2026
—@hulumi/drift: Drift classifier fails open on adapter errors and over-promotes Mixed verdicts6/10/2026
—@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened6/10/2026
—@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket6/10/2026
—@hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name6/10/2026
—@hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers6/10/2026
HIGH8.1In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization6/10/2026
MEDIUM6.5In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header6/10/2026
MEDIUM6.3FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions6/8/2026
MEDIUM5.3FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString6/8/2026
HIGH8.2FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading6/8/2026
HIGH8.7Netty has Insufficient Bailiwick Validation for NS Records6/8/2026

← PrevPage 2 of 660Next →