VulnScope — package-centric CVE lookup

- MEDIUM 6.3 CVE-2026-54311 n8n: Merge Node SQL Mode Prototype Pollution
- MEDIUM 5.4 n8n: Prototype Pollution enables confused-deputy execution via public webhooks
- MEDIUM 4.2 Astro: XSS via Unescaped Attribute Names in Spread Props
- MEDIUM 5.3 @astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config
- MEDIUM 6.5 hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`
- MEDIUM 4.8 hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
- MEDIUM 5.9 hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
- MEDIUM 5.3 hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice
- MEDIUM 5.3 markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
- MEDIUM 5.3 OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation
- MEDIUM 5.3 UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`
- MEDIUM 5.3 protobufjs: Memory amplification from preserved unknown fields in binary decode
- LOW 3.1 React Router: Potential CSRF via PUT/PATCH/DELETE document requests
- MEDIUM 6.1 DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks
- MEDIUM 6.1 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
- MEDIUM 5.3 protobufjs: Schema-derived names can shadow runtime-significant properties
- MEDIUM 5.3 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
- LOW 3.2 @babel/core: Arbitrary File Read via sourceMappingURL Comment
- MEDIUM 6.9 Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature
- MEDIUM 4.8 Netty: QUIC stateless reset token material exposed through header-visible connection IDs
- MEDIUM 5.3 Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted
- MEDIUM 5.4 Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization
- MEDIUM 6.5 Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
- MEDIUM 6.5 GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution
- MEDIUM 6.7 LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access