VulnScope — package-centric CVE lookup tool

- HIGH 7.5 CVE-2026-55760 handlebars.java FileTemplateLoader Path Traversal
- HIGH 7.6 LangChain4j: SQL injection via metadata filters in langchain4j-mariadb and langchain4j-pgvector
- HIGH 7.5 Multer vulnerable to Denial of Service via deeply nested field names
- HIGH 7.1 OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin
- HIGH 7.3 Pi Agent: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts
- LOW 2.2 Pi Agent: Race condition in Pi auth.json writes could expose stored credentials
- LOW 2.5 Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass
- HIGH 7.7 n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host
- HIGH 7.6 n8n: Stored XSS in Chat Trigger Node
- HIGH 7.6 n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verification Endpoints
- HIGH 8.5 n8n: Microsoft SQL Node Prototype Pollution
- HIGH 7.6 n8n: Same-Origin XSS in Respond to Webhook Node
- HIGH 7.2 n8n: Missing Token Validation on Microsoft Agent 365 Trigger and Stripe Nodes
- HIGH 7.7 n8n: NoSQL Injection in MongoDB Node Find And Replace Operation
- HIGH 7.7 n8n: Git Node Clone and Push Operations Bypass File Sandbox
- HIGH 8.5 n8n: Python sandbox escape
- HIGH 7.5 Astro: Host header SSRF in prerendered error page fetch
- HIGH 7.1 hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard
- HIGH 7.1 Astro: Reflected XSS via unescaped slot name
- HIGH 7.3 aws-cdk-lib: OS Command Injection in NodejsFunction Bundling
- HIGH 8.2 protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names
- LOW 3.1 React Router: Potential CSRF via PUT/PATCH/DELETE document requests
- HIGH 7.5 protobufjs: Denial of service through unbounded Any expansion during JSON conversion
- LOW 3.2 @babel/core: Arbitrary File Read via sourceMappingURL Comment
- HIGH 8.2 tmp: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template