VulnScope — package-centric CVE lookup

Search

5,329 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

CRITICAL9.6CVE-2026-55447Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit6/19/2026
HIGH7.5CVE-2026-55446Langflow: Unauthenticated DoS through multipart form boundary file upload6/19/2026
MEDIUM6.1Langflow: Logout button does not clear session6/19/2026
CRITICAL9.9Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow6/19/2026
—py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read()6/19/2026
—py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size6/19/2026
MEDIUM6.8dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens6/19/2026
MEDIUM6.5UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()6/19/2026
—Python Liquid: Infinite loop when parsing malformed `{% case %}` tags6/19/2026
HIGH7.1jupyterlab-git excluded_paths Case-Sensitivity Bypass Allows Reading Excluded Directories6/19/2026
—jupyterlab-git extension: Stored XSS leading to RCE6/19/2026
HIGH7.5Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders6/19/2026
HIGH7.6Home Assistant: Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN6/19/2026
HIGH8.0py7zr: Arbitrary File Write Vulnerability6/19/2026
HIGH7.3Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages()6/19/2026
—PGHoard: Password written to debug log6/18/2026
HIGH7.5Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID6/18/2026
—Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP6/18/2026
LOW2.2BBOT: Symlink-Following Arbitrary Write via github_workflows Module6/18/2026
MEDIUM6.5BBOT: Arbitrary File Write in postman_download Module6/18/2026
LOW3.1BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authenticate realm parsing6/18/2026
MEDIUM5.3BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-102846/18/2026
CRITICAL9.8python-statemachine SCXML <data expr> Eval Injection6/18/2026
MEDIUM6.1marimo contains a reflected cross-site scripting vulnerability in the notebook page6/18/2026
MEDIUM5.5Hermes Agent creates response_store.db and webhook_subscriptions.json with world-readable permissions (mode 0o644)6/17/2026

Page 1 of 214Next →