Search

2,209 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

MEDIUM5.3CVE-2026-47676Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths6/4/2026
MEDIUM5.3CVE-2026-47674Hono: IP Restriction bypasses static deny rules for non-canonical IPv66/4/2026
MEDIUM4.3CVE-2026-47675Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection6/4/2026
MEDIUM4.8CVE-2026-47673Hono: JWT middleware accepts any Authorization scheme, not only Bearer6/4/2026
MEDIUM6.5CVE-2026-49144EPSS 0.02%browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server6/3/2026
MEDIUM5.4CVE-2026-33244EPSS 0.03%React Router has stored XSS via unescaped Location header in prerendered redirect HTML6/3/2026
CRITICAL9.6CVE-2026-47428Vitest browser mode serves unsanitized otelCarrier query parameter as inline script6/1/2026
CRITICAL9.8CVE-2026-47429When Vitest UI server is listening, arbitrary file can be read and executed6/1/2026
CRITICAL10.0CVE-2026-47140NodeVM builtin denylist bypass via process and inspector/promises allows host code execution5/29/2026
MEDIUM5.3CVE-2026-8814EPSS 0.06%ExifReader is vulnerable to denial of service via unbounded decompression of image metadata5/29/2026
CRITICAL9.8CVE-2026-47210vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass5/29/2026
CRITICAL10.0CVE-2026-47137vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE5/29/2026
CRITICAL10.0CVE-2026-47208vm2 is Vulnerable to Sandbox Breakout Through Promise Species5/29/2026
CRITICAL10.0CVE-2026-47131vm2 has a Sandbox Escape issue5/29/2026
MEDIUM4.8CVE-2026-44490axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions5/29/2026
MEDIUM5.5CVE-2026-47144Shamefile has an arbitrary file read via shamefile.yaml in shame next5/28/2026
CRITICAL10.0CVE-2026-45618LiquidJS is Vulnerable to Remote Code Execution5/27/2026
MEDIUM5.3CVE-2026-44646LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`5/27/2026
MEDIUM6.5CVE-2026-44645LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body5/27/2026
MEDIUM6.1CVE-2026-44644LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS5/27/2026
MEDIUM6.1CVE-2026-26028EPSS 0.03%CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS5/26/2026
MEDIUM5.4CVE-2026-39964EPSS 0.05%Typebot.io has stored XSS via `javascript`: URI in text bubble links — bot author executes JS on visitors' browsers5/26/2026
MEDIUM5.3CVE-2026-8723EPSS 0.04%qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set5/22/2026
CRITICAL9.6CVE-2026-46703OCI layer symlink escape → arbitrary host write5/21/2026
CRITICAL10.0CVE-2026-46695Read-only volume remount bypass via guest CAP_SYS_ADMIN5/21/2026

Page 1 of 89Next →