VulnScope — package-centric CVE lookup

- HIGH 7.1 CVE-2026-54290 hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard
- MEDIUM 5.9 CVE-2026-54286 hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
- MEDIUM 5.3 hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice
- HIGH 7.1 Astro: Reflected XSS via unescaped slot name
- — Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL
- — Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher
- HIGH 7.3 aws-cdk-lib: OS Command Injection in NodejsFunction Bundling
- MEDIUM 5.3 markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
- MEDIUM 5.3 OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation
- — Nest: Middleware Bypass on Fastify via Trailing Slash
- — Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow
- MEDIUM 5.3 UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`
- HIGH 8.2 protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names
- MEDIUM 5.3 protobufjs: Memory amplification from preserved unknown fields in binary decode
- LOW 3.1 React Router: Potential CSRF via PUT/PATCH/DELETE document requests
- CRITICAL 9.8 Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE
- — DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside `<template>.content`
- MEDIUM 6.1 DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks
- MEDIUM 6.1 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
- HIGH 7.5 protobufjs: Denial of service through unbounded Any expansion during JSON conversion
- MEDIUM 5.3 protobufjs: Schema-derived names can shadow runtime-significant properties
- — @angular/service-worker: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker
- — @angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)
- — @angular/common: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning
- — @angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)