VulnScope — package-centric CVE lookup

- LOW 3.2 CVE-2026-49356 @babel/core: Arbitrary File Read via sourceMappingURL Comment
- MEDIUM 6.9 Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature
- MEDIUM 4.8 Netty: QUIC stateless reset token material exposed through header-visible connection IDs
- MEDIUM 5.3 Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted
- MEDIUM 5.4 Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization
- CRITICAL 9.0 Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
- MEDIUM 6.5 Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
- MEDIUM 6.5 GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution
- MEDIUM 6.7 LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access
- MEDIUM 5.3 @hapi/inert has a static-file confinement bypass via sibling-prefix path
- MEDIUM 5.3 netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
- MEDIUM 5.3 joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
- MEDIUM 6.5 @hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects
- LOW 3.5 Papra HTTP redirect bypass can lead to SSRF via webhook delivery system
- MEDIUM 6.5 In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header
- MEDIUM 6.3 FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions
- MEDIUM 5.3 FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString
- MEDIUM 5.3 Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced
- MEDIUM 6.8 Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port
- MEDIUM 4.0 Netty: Unix-socket fd receive leaks descriptors when peer sends two at once
- CRITICAL 10.0 DbGate: Unauthenticated Remote Code Execution via JSON Script Runner
- MEDIUM 6.0 NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`
- MEDIUM 6.1 MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration
- MEDIUM 5.3 Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
- MEDIUM 5.3 Hono: IP Restriction bypasses static deny rules for non-canonical IPv6