Search

1,644 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

HIGH8.8CVE-2026-49143browserstack-runner vulnerable to Remote Code Execution via vm sandbox escape in _log HTTP handler6/3/2026
HIGH7.5CVE-2026-42342React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint6/3/2026
HIGH8.1CVE-2026-42211React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE6/3/2026
HIGH8.0CVE-2026-33245React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets6/3/2026
HIGH8.2CVE-2026-47423DOMPurify XSS via selectedcontent re-clone6/1/2026
HIGH8.6CVE-2026-47139NodeVM network builtin exclusions bypass via internal _http_client and _http_server5/29/2026
HIGH7.5CVE-2026-8813EPSS 0.06%ExifReader is vulnerable to denial of service via crafted ICC `mluc` tag5/29/2026
HIGH8.6CVE-2026-47209vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain5/29/2026
HIGH8.7CVE-2026-47135vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks5/29/2026
HIGH7.0CVE-2026-44495axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge5/29/2026
HIGH8.7CVE-2026-44494axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`5/29/2026
HIGH8.6CVE-2026-44492axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)5/29/2026
HIGH8.7CVE-2026-48527EPSS 0.03%HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint5/29/2026
HIGH7.5CVE-2026-47717FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations5/27/2026
HIGH7.5CVE-2026-45617LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex5/27/2026
HIGH7.5CVE-2026-45357LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)5/27/2026
HIGH7.0CVE-2026-42462Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring5/26/2026
HIGH8.6CVE-2026-42089yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation5/26/2026
HIGH8.7CVE-2026-28445EPSS 0.03%Typebot has Stored XSS via Rating Block Custom Icon that Bypasses isUnsafe Sandbox in Builder Preview5/26/2026
HIGH7.6CVE-2026-46701Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret5/21/2026
HIGH7.5CVE-2026-46679js-libp2p: Memory DoS via subscription flood of unique topics5/21/2026
HIGH7.5CVE-2026-46625JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection5/21/2026
HIGH8.8CVE-2026-46519MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement5/21/2026
HIGH7.2CVE-2026-46492md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)5/21/2026
HIGH8.5CVE-2026-46372EPSS 2.6%SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl5/19/2026

Page 1 of 66Next →