VulnScope — package-centric CVE lookup

Search

20,876 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

MEDIUM4.4CVE-2026-55650Outerbase Studio: Stored XSS in Text Widget Leads to Authentication Token Exposure6/19/2026
CRITICAL9.6Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit6/19/2026
HIGH7.5Langflow: Unauthenticated DoS through multipart form boundary file upload6/19/2026
MEDIUM6.1Langflow: Logout button does not clear session6/19/2026
CRITICAL9.9Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow6/19/2026
—py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read()6/19/2026
—py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size6/19/2026
MEDIUM6.1Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering6/19/2026
MEDIUM6.2Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read6/19/2026
MEDIUM6.8dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens6/19/2026
—TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover6/19/2026
HIGH7.8@tinacms/cli: Remote Code Execution in @tinacms/cli via Forestry migration — unsanitised __TINA_INTERNAL__ marker in user-controlled YAML labels6/19/2026
HIGH7.5flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key6/19/2026
—@cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized --workspace Argument6/19/2026
MEDIUM6.5UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()6/19/2026
—Python Liquid: Infinite loop when parsing malformed `{% case %}` tags6/19/2026
—parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist6/19/2026
HIGH7.1jupyterlab-git excluded_paths Case-Sensitivity Bypass Allows Reading Excluded Directories6/19/2026
—jupyterlab-git extension: Stored XSS leading to RCE6/19/2026
HIGH7.5Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders6/19/2026
HIGH7.6Home Assistant: Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN6/19/2026
HIGH8.0py7zr: Arbitrary File Write Vulnerability6/19/2026
HIGH7.3Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages()6/19/2026
HIGH8.8CedarJava has policy injection vulnerability6/19/2026
HIGH8.8CedarJava has type confusion vulnerability6/19/2026

Page 1 of 836Next →