VulnScope — package-centric CVE lookup

Search

126 results

Severity:CRITICAL HIGH MEDIUM LOW|Ecosystem:npm PyPI Maven Debian Alpine|⚠ In KEV only

LOW2.2CVE-2026-54327Pi Agent: Race condition in Pi auth.json writes could expose stored credentials6/17/2026
LOW2.5CVE-2026-54326Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass6/16/2026
LOW3.1React Router: Potential CSRF via PUT/PATCH/DELETE document requests6/15/2026
LOW3.2@babel/core: Arbitrary File Read via sourceMappingURL Comment6/15/2026
LOW3.5Papra HTTP redirect bypass can lead to SSRF via webhook delivery system6/10/2026
LOW3.7Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix5/29/2026
LOW2.0NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation5/21/2026
LOW3.7EPSS 0.01%Next.js's Middleware / Proxy redirects can be cache-poisoned5/11/2026
LOW3.7EPSS 0.01%Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting5/11/2026
LOW3.8EPSS 0.02%Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()5/9/2026
LOW3.7EPSS 0.04%nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)5/7/2026
LOW3.7EPSS 0.02%Flowise: Bcrypt Password Hash Exposure5/6/2026
LOW3.7EPSS 0.06%Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams5/5/2026
LOW2.2EPSS 0.05%Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4)4/23/2026
LOW3.7EPSS 0.03%ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint4/16/2026
LOW3.5EPSS 0.04%DbGate has cross site scripting via the SVG Icon String Handler component4/13/2026
LOW3.7EPSS 0.08%OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths4/9/2026
LOW3.7EPSS 0.02%LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter4/8/2026
LOW3.7EPSS 0.03%Parse Server has a login timing side-channel reveals user existence4/8/2026
LOW3.7EPSS 0.04%OpenClaw: Shared-secret comparison call sites leaked length information through timing4/7/2026
LOW2.8EPSS 0.01%Electron: Crash in clipboard.readImage() on malformed clipboard image data4/7/2026
LOW2.3EPSS 0.02%Electron: Use-after-free in offscreen shared texture release() callback4/3/2026
LOW3.7EPSS 0.08%OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting4/3/2026
LOW3.9EPSS 0.01%Electron: Unquoted executable path in app.setLoginItemSettings on Windows4/3/2026
LOW3.3EPSS 0.01%Electron: USB device selection not validated against filtered device list4/3/2026

Page 1 of 6Next →