VulnScope — package-centric CVE lookup

Search

7,667 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

HIGH7.5CVE-2026-54695Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID6/18/2026
CRITICAL9.8python-statemachine SCXML <data expr> Eval Injection6/18/2026
HIGH8.0Strimzi: Cross-namespace privilege escalation via `Kafka.spec.entityOperator`6/18/2026
HIGH7.5HAPI FHIR: Incomplete fix for CVE-2026-45367: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS6/17/2026
CRITICAL9.3Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak6/17/2026
HIGH7.5handlebars.java FileTemplateLoader Path Traversal6/17/2026
HIGH7.6LangChain4j: SQL injection via metadata filters in langchain4j-mariadb and langchain4j-pgvector6/17/2026
HIGH8.4pdfkit: Path traversal in from_string6/17/2026
CRITICAL9.1Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory6/17/2026
CRITICAL9.1Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks6/17/2026
CRITICAL9.8Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure6/17/2026
HIGH7.7Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects6/17/2026
HIGH7.7Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal6/17/2026
HIGH7.6Open WebUI: Stored XSS to Account Takeover via Model Profile Images6/17/2026
HIGH7.1Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion6/17/2026
HIGH8.7Open WebUI: Stored XSS in Mermaid Markdown Preview6/17/2026
HIGH8.3Open WebUI: Forged chat-file link allows cross-user file read and deletion6/17/2026
HIGH8.5Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401)6/17/2026
HIGH8.3yt-dlp: Arbitrary code execution via manifest downloads with aria2c6/16/2026
HIGH8.6Crawl4AI: SSRF via proxy settings in the Docker server bypasses the crawl-URL SSRF check6/16/2026
HIGH7.5Crawl4AI: SSRF filter bypass in Docker server via IPv6 transition forms (NAT64 / 6to4 / unspecified / v4-mapped)6/16/2026
HIGH8.3yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)6/16/2026
CRITICAL9.8Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API6/16/2026
CRITICAL9.1vLLM: OpenAI auth bypass6/16/2026
CRITICAL9.6Langflow: Unauthenticated RCE in Shareable Playgrounds6/16/2026

Page 1 of 307Next →