VulnScope — package-centric CVE lookup

Search

4,092 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

HIGH8.3CVE-2026-50574yt-dlp: Arbitrary code execution via manifest downloads with aria2c6/16/2026
HIGH8.6Crawl4AI: SSRF via proxy settings in the Docker server bypasses the crawl-URL SSRF check6/16/2026
HIGH7.5Crawl4AI: SSRF filter bypass in Docker server via IPv6 transition forms (NAT64 / 6to4 / unspecified / v4-mapped)6/16/2026
HIGH8.3yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)6/16/2026
MEDIUM6.1yt-dlp: File Downloader cookie leak with curl6/16/2026
MEDIUM6.1Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read6/16/2026
MEDIUM6.5Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint6/16/2026
HIGH7.5vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution6/16/2026
HIGH8.8Langflow: IDOR/BOLA in Monitor API — Missing Ownership Enforcement on 7 Endpoints6/16/2026
HIGH7.5Natural Language Toolkit (NLTK): URL-Encoded Path Traversal in nltk.data.load() Allows Arbitrary Local File Read6/16/2026
HIGH7.5Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS6/15/2026
LOW3.7Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname6/15/2026
HIGH7.5python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service6/15/2026
LOW3.7python-multipart: Negative Content-Length in parse_form buffers the entire body in memory6/15/2026
LOW3.7python-multipart: Semicolon treated as querystring field separator enables parameter smuggling6/15/2026
LOW3.7python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters6/15/2026
HIGH7.7Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient6/15/2026
HIGH7.5tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)6/15/2026
HIGH7.5Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows6/15/2026
MEDIUM5.3Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`6/15/2026
LOW3.7Tornado has out-of-bounds memory access via C extension6/12/2026
HIGH7.1WsgiDAV encoded dot segments can escape filesystem share roots6/11/2026
MEDIUM5.8Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset6/11/2026
MEDIUM6.5python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood6/11/2026
MEDIUM5.9Litestar: AllowedHostsMiddleware bypasses host validation via client-controlled X-Forwarded-Host header6/10/2026

Page 1 of 164Next →