VulnScope — package-centric CVE lookup

Search

6,693 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

MEDIUM5.3CVE-2026-9595webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies6/17/2026
MEDIUM5.3Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads6/17/2026
MEDIUM5.3Open WebUI: Any authenticated user can read other users' private notes via Socket.IO6/17/2026
MEDIUM6.3Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter6/17/2026
MEDIUM6.5Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode6/17/2026
MEDIUM4.3Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration6/17/2026
MEDIUM6.4Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion6/17/2026
MEDIUM4.3Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}6/17/2026
MEDIUM6.5Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field6/17/2026
MEDIUM4.3Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar6/17/2026
MEDIUM6.5vLLM: OOM Denial of Service via Audio Decompression Bomb6/17/2026
MEDIUM6.1Chrome DevTools for agents: daemon.pid write follows symlinks in /tmp fallback runtime directory6/17/2026
MEDIUM4.4Pi Agent: Pi loads project-local extensions without approval6/17/2026
LOW2.2Pi Agent: Race condition in Pi auth.json writes could expose stored credentials6/17/2026
LOW2.5Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass6/16/2026
MEDIUM5.9n8n: Denial of Service via ZIP decompression in webhook workflow6/16/2026
MEDIUM5.4OpenStack Nova: Nova scheduler hint injection bypasses Placement resource claims and scheduling constraints6/16/2026
MEDIUM6.1yt-dlp: File Downloader cookie leak with curl6/16/2026
MEDIUM6.3n8n: Merge Node SQL Mode Prototype Pollution6/16/2026
MEDIUM5.4n8n: Prototype Pollution enables confused-deputy execution via public webhooks6/16/2026
MEDIUM6.1Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read6/16/2026
MEDIUM6.5Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint6/16/2026
MEDIUM4.2Astro: XSS via Unescaped Attribute Names in Spread Props6/16/2026
MEDIUM5.3@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config6/16/2026
MEDIUM6.5hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`6/16/2026

Page 1 of 268Next →