VulnScope — package-centric CVE lookup

Search

6,575 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

CRITICAL9.8CVE-2026-0755gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)6/18/2026
LOW3.1BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authenticate realm parsing6/18/2026
LOW3.7Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets.6/17/2026
CRITICAL9.3Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak6/17/2026
LOW2.2Pi Agent: Race condition in Pi auth.json writes could expose stored credentials6/17/2026
CRITICAL9.6Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to potentially perform a…6/17/2026
LOW2.5Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass6/16/2026
CRITICAL10.0n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions6/16/2026
CRITICAL9.9n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints6/16/2026
CRITICAL9.6n8n: Credential Exfiltration via Permission Bypass6/16/2026
CRITICAL9.0LobeHub: Unauthenticated SSRF in `/webapi/proxy`6/16/2026
CRITICAL9.8Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API6/16/2026
CRITICAL9.9n8n: SQL Injection in Postgres v1/TimesclaeDB Nodes6/16/2026
CRITICAL9.1vLLM: OpenAI auth bypass6/16/2026
CRITICAL9.6Langflow: Unauthenticated RCE in Shareable Playgrounds6/16/2026
CRITICAL9.1Mitigation bypass in the DOM: Security component.6/16/2026
CRITICAL9.1Same-origin policy bypass in the Networking: Cookies component.6/16/2026
CRITICAL9.1Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery.6/15/2026
CRITICAL9.1Socket versions before 2.041 for Perl have an out-of-bounds heap read.6/15/2026
LOW3.7Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname6/15/2026
LOW3.7python-multipart: Negative Content-Length in parse_form buffers the entire body in memory6/15/2026
LOW3.7python-multipart: Semicolon treated as querystring field separator enables parameter smuggling6/15/2026
LOW3.7python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters6/15/2026
LOW3.1React Router: Potential CSRF via PUT/PATCH/DELETE document requests6/15/2026
CRITICAL9.8Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE6/15/2026

Page 1 of 263Next →