Know every threat before it ships
200K+ vulnerabilities, malicious packages, and supply chain threats enriched with Corgea's research.
CVE-2026-48815
sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced
CVE-2026-32285
Denial of service in github.com/buger/jsonparser
CVE-2026-49852
joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)
CVE-2025-6547
pbkdf2 silently disregards Uint8Array input, returning static keys
CVE-2025-6545
pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
CVE-2026-9673
json-2-csv vulnerable to CSV Injection via the preventCsvInjection optio
CVE-2026-42999
OpenStack Keystone has an Authorization Bypass
CVE-2026-44162
fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via Decompression Bomb in `in_s3`
CVE-2026-42998
OpenStack Keystone doesn't verify that the user supplied in the authentication request matches the owner of the application credential
CVE-2026-44394
OpenStack Keystone's federated token rescoping mechanism doesn't propagate the original token's expiry to the newly issued token
CVE-2026-48816
sigstore-js has Insufficient Verification of Data Authenticity
CVE-2026-50149
Contour has Improper JWT Verification for Non-SNI Requests on Virtual Hosts with Fallback Certificate Enabled
CVE-2025-14813
Bouncy Castle for Java GOST 28147 CTR mode reuses keystream after 255 blocks
CVE-2026-4372
HuggingFace transformers vulnerable to remote code execution
CVE-2026-43000
OpenStack Keystone has an Incorrect Authorization issue
CVE-2026-54262
CVE-2026-54262
CVE-2026-54260
CVE-2026-54260
CVE-2026-54261
CVE-2026-54261
CVE-2026-54259
CVE-2026-54259
CVE-2026-54263
CVE-2026-54263
CVE-2026-40914
Apache Artemis has an Incorrect Authorization issue
CVE-2026-9828
QOS.CH Sarl logback logback-core has a deserialization of untrusted data vulnerability
CVE-2025-65896
asyncmy is vulnerable to SQL injection via crafted dict keys
CVE-2022-46337
Apache Derby: LDAP injection vulnerability in authenticator
CVE-2026-22740
Spring Framework DoS with Multipart Temp Files in WebFlux
CVE-2026-22741
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.
CVE-2016-4000
Deserialization of Untrusted Data in Jython
CVE-2026-49360
Recce server has unauthenticated SQL execution that allows local file read/write through DuckDB
CVE-2026-46599
golang.org/x/image/tiff has excessive resource consumption in PackBits decompression
CVE-2026-49353
9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING
CVE-2026-54617
LaunchServer FileServerHandler has an unauthenticated path traversal issue
CVE-2026-10105
agno contains a SQL injection vulnerability
CVE-2026-10108
xiaomusic contains an unauthenticated path traversal vulnerability
CVE-2026-49292
Kiwi TCMS's /init-db/ page renders and responds to requests after first use
CVE-2026-52792
Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename
CVE-2026-35630
OpenClaw: QQBot native approval buttons did not enforce configured approver identity
GHSA-hx4v-668p-g2qr
Duplicate Advisory: OpenClaw: QQBot native approval buttons did not enforce configured approver identity
CVE-2026-49352
9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass
CVE-2026-50268
Steeltoe: OAEP setting silently selects PKCS#1 v1.5 padding
CVE-2022-42966
cleo is vulnerable to Regular Expression Denial of Service (ReDoS)
CVE-2025-54467
NeuVector process with sensitive arguments lead to leakage
CVE-2026-50201
Steeltoe's sensitive actuators (heapdump/env) only require Restricted permission
CVE-2025-54470
NeuVector telemetry sender is vulnerable to MITM and DoS
CVE-2026-2092
Duplicate Advisory: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
CVE-2026-52830
fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection
CVE-2026-50196
Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch
CVE-2026-50202
Steeltoe's static JWKS cache shared across schemes and never invalidated
CVE-2026-50267
Steeltoe: TLS private keys written to /tmp with default permissions, never deleted
CVE-2026-50200
Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords
CVE-2026-50194
Steeltoe vulnerable to management-port isolation bypass via spoofed Host header
CVE-2025-68616
WeasyPrint has a Server-Side Request Forgery (SSRF) Protection Bypass via HTTP Redirect
CVE-2025-53884
NeuVector has an insecure password storage and is vulnerable to rainbow attack
CVE-2025-64715
Cilium with misconfigured toGroups in policies can lead to unrestricted egress traffic
CVE-2026-52817
Linuxfabrik Monitoring Plugins: Sudoers may be able to obtain privilege escalation via /usr/bin/apt-get arguments
CVE-2025-30163
Cilium node based network policies may incorrectly allow workload traffic
CVE-2025-8077
NeuVector admin account has insecure default password
GHSA-gj2h-2fpw-fhv9
@nuxt/ui: UAuthForm / UForm SSR markup omits `method`, leaking credentials via GET if submitted before hydration
GHSA-g6g7-pvmx-m74p
9router: Missing Authorization and OS Command Injection
Ready to move
Start Securing
Free, no credit card | First findings in minutes