VulnScope — 以套件為主體的 CVE 查詢工具

搜尋

1,618 筆結果

嚴重程度:CRITICAL HIGH MEDIUM LOW|生態系:npm PyPI Maven Debian Alpine|⚠ 只看 KEV

MEDIUM5.4CVE-2026-44311Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization2026/6/12
MEDIUM6.5CVE-2026-48147Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker2026/6/12
MEDIUM6.7LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access2026/6/12
MEDIUM5.3@hapi/inert has a static-file confinement bypass via sibling-prefix path2026/6/11
MEDIUM5.3joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas2026/6/11
MEDIUM6.5@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects2026/6/11
LOW3.5Papra HTTP redirect bypass can lead to SSRF via webhook delivery system2026/6/10
MEDIUM6.3FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions2026/6/8
MEDIUM5.3FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString2026/6/8
MEDIUM6.0NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`2026/6/5
MEDIUM6.1MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration2026/6/5
MEDIUM5.3Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths2026/6/4
MEDIUM5.3Hono: IP Restriction bypasses static deny rules for non-canonical IPv62026/6/4
MEDIUM4.3Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection2026/6/4
MEDIUM4.8Hono: JWT middleware accepts any Authorization scheme, not only Bearer2026/6/4
MEDIUM6.5EPSS 0.02%browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server2026/6/3
MEDIUM5.4EPSS 0.03%React Router has stored XSS via unescaped Location header in prerendered redirect HTML2026/6/3
MEDIUM5.3EPSS 0.06%ExifReader is vulnerable to denial of service via unbounded decompression of image metadata2026/5/29
MEDIUM4.8axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions2026/5/29
LOW3.7Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix2026/5/29
MEDIUM5.5Shamefile has an arbitrary file read via shamefile.yaml in shame next2026/5/28
MEDIUM5.3LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`2026/5/27
MEDIUM6.5LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body2026/5/27
MEDIUM6.1LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS2026/5/27
MEDIUM6.1EPSS 0.03%CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS2026/5/26

第 1 / 65 頁下一頁 →