HIGH 7.6 CVE-2026-46701 Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret
HIGH 7.5 CVE-2026-46679 js-libp2p: Memory DoS via subscription flood of unique topics
HIGH 7.5 CVE-2026-46625 JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
LOW 2.0 CVE-2026-46549 NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation
HIGH 8.8 CVE-2026-46519 MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement
HIGH 7.2 CVE-2026-46492 md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
HIGH 8.5 CVE-2026-46372 EPSS 2.9% SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl
HIGH 7.5 CVE-2026-45783 @libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes
HIGH 8.8 CVE-2026-45805 PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE
HIGH 7.6 CVE-2026-46426 EPSS 0.03% Budibase: Unrestricted Upload of File with Dangerous Type
HIGH 7.4 CVE-2026-45245 EPSS 0.01% Summarize's hover summary feature allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links
HIGH 7.1 CVE-2026-45242 EPSS 0.07% Summarize contains a path traversal vulnerability
HIGH 8.8 CVE-2025-57282 EPSS 0.29% ngrok is Vulnerable to Command Injection
HIGH 8.8 CVE-2026-45716 EPSS 0.04% Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration
HIGH 8.1 CVE-2026-45707 EPSS 0.03% n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete
HIGH 7.5 CVE-2026-8159 EPSS 0.06% multiparty vulnerable to ReDoS via filename parsing
HIGH 7.5 CVE-2026-8162 EPSS 0.06% multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing
HIGH 7.5 CVE-2026-8161 EPSS 0.02% multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception
HIGH 8.2 CVE-2026-45325 @tmlmobilidade/utils has prototype pollution in its setValueAtPath
HIGH 7.5 CVE-2026-42559 EPSS 0.01% DNS rebinding and cross-origin CSRF in dynoxide's MCP HTTP transport
HIGH 8.2 CVE-2026-45302 EPSS 0.04% parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names
HIGH 8.2 CVE-2026-46510 EPSS 0.06% form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation form keys
HIGH 8.8 CVE-2026-45717 EPSS 0.04% Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL
HIGH 7.7 CVE-2026-45715 EPSS 0.03% Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration
HIGH 7.7 CVE-2026-45548 EPSS 0.03% Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation