VulnScope — package-centric CVE lookup

Search

11,381 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

MEDIUM5.4CVE-2026-44311Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization6/12/2026
HIGH8.1CVE-2026-48152Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL6/12/2026
HIGH7.5Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema6/12/2026
CRITICAL9.0Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign6/12/2026
—Budibase: Unvalidated VectorDB Host Parameter Enables SSRF6/12/2026
MEDIUM6.5Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker6/12/2026
MEDIUM6.5GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution6/12/2026
HIGH7.2GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page6/12/2026
HIGH7.7Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection6/12/2026
—Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step6/12/2026
MEDIUM6.7LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access6/12/2026
HIGH7.2GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection6/11/2026
—Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion6/11/2026
MEDIUM5.3@hapi/inert has a static-file confinement bypass via sibling-prefix path6/11/2026
MEDIUM5.3netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion6/11/2026
—netty-incubator-codec-ohttp's Incorrect Native Pointer Derivation in Pooled Direct ByteBuf Fallback Leads to Out-of-Bounds Native Memory Access6/11/2026
HIGH7.5@grpc/grpc-js: A malformed request can cause a server crash6/11/2026
HIGH7.5@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash6/11/2026
MEDIUM5.3joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas6/11/2026
HIGH8.8OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri6/11/2026
MEDIUM6.5@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects6/11/2026
—Element Call reports full URLs of visited pages to analytics server6/11/2026
—Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator6/11/2026
—Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload6/10/2026
HIGH7.5Acknowledgement extension out of memory6/10/2026

Page 1 of 456Next →