VulnScope — package-centric CVE lookup

Search

21,031 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

HIGH7.1CVE-2026-53865OpenClaw: Workspace-derived service PATH could influence trash command selection6/18/2026
HIGH7.1OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots6/18/2026
HIGH8.1OpenClaw: Discord allowFrom could bind to mutable display names6/18/2026
HIGH7.1OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install6/18/2026
HIGH7.1OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns6/18/2026
HIGH8.1OpenClaw: Zalo allowFrom could bind to mutable display names6/18/2026
HIGH8.1OpenClaw: Shell positional parameters could weaken strict inline-eval checks6/18/2026
HIGH7.5Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID6/18/2026
LOW3.1BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authenticate realm parsing6/18/2026
HIGH7.5undici WebSocket client vulnerable to denial of service via cumulative fragment bypass6/18/2026
HIGH7.5http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`6/18/2026
HIGH8.1piscina: Prototype Pollution Gadget → RCE via inherited options.filename6/18/2026
HIGH7.1OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution6/18/2026
HIGH8.1OpenClaw: Shell inline-command parsing could miss an allowlist check6/18/2026
HIGH8.8OpenClaw: Pairing-scoped device session could restore revoked node token authority6/18/2026
HIGH8.1OpenClaw: Host environment sanitizer missed two Node.js control variables6/18/2026
HIGH7.4undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent6/17/2026
LOW3.7Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets.6/17/2026
HIGH7.5HAPI FHIR: Incomplete fix for CVE-2026-45367: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS6/17/2026
HIGH7.5handlebars.java FileTemplateLoader Path Traversal6/17/2026
HIGH7.6LangChain4j: SQL injection via metadata filters in langchain4j-mariadb and langchain4j-pgvector6/17/2026
HIGH8.4pdfkit: Path traversal in from_string6/17/2026
HIGH7.5Multer vulnerable to Denial of Service via deeply nested field names6/17/2026
HIGH7.7Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects6/17/2026
HIGH7.7Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal6/17/2026

Page 1 of 842Next →