Search

4,005 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

MEDIUM6.5CVE-2026-49144browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server6/3/2026
MEDIUM5.4CVE-2026-33244React Router has stored XSS via unescaped Location header in prerendered redirect HTML6/3/2026
MEDIUM5.3CVE-2026-8814EPSS 0.06%ExifReader is vulnerable to denial of service via unbounded decompression of image metadata5/29/2026
MEDIUM4.8CVE-2026-44490axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions5/29/2026
MEDIUM5.5CVE-2026-47144Shamefile has an arbitrary file read via shamefile.yaml in shame next5/28/2026
MEDIUM5.3CVE-2026-44646LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`5/27/2026
MEDIUM6.5CVE-2026-44645LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body5/27/2026
MEDIUM6.1CVE-2026-44644LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS5/27/2026
MEDIUM6.5CVE-2026-44596Yamcs has No Rate Limiting on Authentication Endpoint5/27/2026
MEDIUM4.3CVE-2026-44595Yamcs vulnerable to unauthorized user enumeration via IAM API endpoints5/27/2026
MEDIUM4.3CVE-2026-42568Yamcs Vulnerable to LDAP Injection in LdapAuthModule5/26/2026
MEDIUM6.1CVE-2026-26028EPSS 0.03%CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS5/26/2026
MEDIUM5.4CVE-2026-39964EPSS 0.05%Typebot.io has stored XSS via `javascript`: URI in text bubble links — bot author executes JS on visitors' browsers5/26/2026
MEDIUM5.3CVE-2026-8723EPSS 0.04%qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set5/22/2026
MEDIUM5.8CVE-2026-46552NocoDB: Shared-base link access can invite arbitrary users as persistent base members5/21/2026
MEDIUM6.5CVE-2026-46551NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion5/21/2026
MEDIUM5.4CVE-2026-46550NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags5/21/2026
MEDIUM4.3CVE-2026-46548NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams)5/21/2026
MEDIUM6.1CVE-2026-46547NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL5/21/2026
MEDIUM6.5CVE-2026-46357HAX CMS: Denial of Service using Malicious Import Request5/19/2026
MEDIUM6.1CVE-2026-46341Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching5/19/2026
MEDIUM4.2CVE-2026-46424EPSS 0.04%Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour5/19/2026
MEDIUM5.3CVE-2026-45740EPSS 0.06%protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion5/19/2026
MEDIUM5.5CVE-2026-45581fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode5/19/2026
MEDIUM5.4CVE-2026-45244EPSS 0.03%Summarize contains a missing authorization vulnerability5/18/2026

Page 1 of 161Next →