VulnScope — package-centric CVE lookup

Search

6,043 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

LOW2.5CVE-2026-54326Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass6/16/2026
CRITICAL10.0n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions6/16/2026
CRITICAL9.9n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints6/16/2026
CRITICAL9.6n8n: Credential Exfiltration via Permission Bypass6/16/2026
MEDIUM5.9n8n: Denial of Service via ZIP decompression in webhook workflow6/16/2026
CRITICAL9.0LobeHub: Unauthenticated SSRF in `/webapi/proxy`6/16/2026
MEDIUM6.3n8n: Merge Node SQL Mode Prototype Pollution6/16/2026
MEDIUM5.4n8n: Prototype Pollution enables confused-deputy execution via public webhooks6/16/2026
CRITICAL9.9n8n: SQL Injection in Postgres v1/TimesclaeDB Nodes6/16/2026
MEDIUM4.2Astro: XSS via Unescaped Attribute Names in Spread Props6/16/2026
MEDIUM5.3@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config6/16/2026
MEDIUM6.5hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`6/16/2026
MEDIUM4.8hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest6/16/2026
MEDIUM5.9hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)6/16/2026
MEDIUM5.3hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice6/16/2026
MEDIUM5.3markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations6/15/2026
MEDIUM5.3OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation6/15/2026
MEDIUM5.3UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`6/15/2026
MEDIUM5.3protobufjs: Memory amplification from preserved unknown fields in binary decode6/15/2026
LOW3.1React Router: Potential CSRF via PUT/PATCH/DELETE document requests6/15/2026
CRITICAL9.8Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE6/15/2026
MEDIUM6.1DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks6/15/2026
MEDIUM6.1DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM6/15/2026
MEDIUM5.3protobufjs : Schema-derived names can shadow runtime-significant properties6/15/2026
MEDIUM5.3JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases6/15/2026

Page 1 of 242Next →