VulnScope — package-centric CVE lookup

Search

869 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

CRITICAL9.8CVE-2026-0755gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)6/18/2026
LOW2.2Pi Agent: Race condition in Pi auth.json writes could expose stored credentials6/17/2026
LOW2.5Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass6/16/2026
CRITICAL10.0n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions6/16/2026
CRITICAL9.9n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints6/16/2026
CRITICAL9.6n8n: Credential Exfiltration via Permission Bypass6/16/2026
CRITICAL9.0LobeHub: Unauthenticated SSRF in `/webapi/proxy`6/16/2026
CRITICAL9.9n8n: SQL Injection in Postgres v1/TimesclaeDB Nodes6/16/2026
LOW3.1React Router: Potential CSRF via PUT/PATCH/DELETE document requests6/15/2026
CRITICAL9.8Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE6/15/2026
LOW3.2@babel/core: Arbitrary File Read via sourceMappingURL Comment6/15/2026
CRITICAL9.0Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign6/12/2026
LOW3.5Papra HTTP redirect bypass can lead to SSRF via webhook delivery system6/10/2026
CRITICAL10.0DbGate: Unauthenticated Remote Code Execution via JSON Script Runner6/5/2026
CRITICAL9.6Vitest browser mode serves unsanitized otelCarrier query parameter as inline script6/1/2026
CRITICAL9.8When Vitest UI server is listening, arbitrary file can be read and executed6/1/2026
CRITICAL10.0NodeVM builtin denylist bypass via process and inspector/promises allows host code execution5/29/2026
CRITICAL9.8vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass5/29/2026
CRITICAL10.0vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE5/29/2026
CRITICAL10.0vm2 is Vulnerable to Sandbox Breakout Through Promise Species5/29/2026
CRITICAL10.0vm2 has a Sandbox Escape issue5/29/2026
LOW3.7Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix5/29/2026
CRITICAL10.0LiquidJS is Vulnerable to Remote Code Execution5/27/2026
CRITICAL9.6OCI layer symlink escape → arbitrary host write5/21/2026
CRITICAL10.0Read-only volume remount bypass via guest CAP_SYS_ADMIN5/21/2026

Page 1 of 35Next →