Know every threat before it ships

200K+ vulnerabilities, malicious packages, and supply chain threats enriched with Corgea's research.

33,166 vulnerabilities

HIGH 7.5
npm

CVE-2026-48815

sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced

UNKNOWN
Go

CVE-2026-32285

Denial of service in github.com/buger/jsonparser

UNKNOWN
PyPI

CVE-2026-49852

joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)

UNKNOWN
npm

CVE-2025-6547

pbkdf2 silently disregards Uint8Array input, returning static keys

UNKNOWN
npm

CVE-2025-6545

pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos

MEDIUM 6.8
npm

CVE-2026-9673

json-2-csv vulnerable to CSV Injection via the preventCsvInjection optio

MEDIUM 6.0
PyPI

CVE-2026-42999

OpenStack Keystone has an Authorization Bypass

LOW 2.7
RubyGems

CVE-2026-44162

fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via Decompression Bomb in `in_s3`

MEDIUM 6.0
PyPI

CVE-2026-42998

OpenStack Keystone doesn't verify that the user supplied in the authentication request matches the owner of the application credential

MEDIUM 6.0
PyPI

CVE-2026-44394

OpenStack Keystone's federated token rescoping mechanism doesn't propagate the original token's expiry to the newly issued token

MEDIUM 6.5
npm

CVE-2026-48816

sigstore-js has Insufficient Verification of Data Authenticity

MEDIUM 6.5
Go

CVE-2026-50149

Contour has Improper JWT Verification for Non-SNI Requests on Virtual Hosts with Fallback Certificate Enabled

UNKNOWN
Maven

CVE-2025-14813

Bouncy Castle for Java GOST 28147 CTR mode reuses keystream after 255 blocks

HIGH 7.8
PyPI

CVE-2026-4372

HuggingFace transformers vulnerable to remote code execution

MEDIUM 6.0
PyPI

CVE-2026-43000

OpenStack Keystone has an Incorrect Authorization issue

MEDIUM 4.3
PyPI

CVE-2026-54262

CVE-2026-54262

LOW 2.7
PyPI

CVE-2026-54260

CVE-2026-54260

MEDIUM 6.5
PyPI

CVE-2026-54261

CVE-2026-54261

MEDIUM 4.3
PyPI

CVE-2026-54259

CVE-2026-54259

HIGH 7.3
PyPI

CVE-2026-54263

CVE-2026-54263

MEDIUM 4.3
Maven

CVE-2026-40914

Apache Artemis has an Incorrect Authorization issue

UNKNOWN
Maven

CVE-2026-9828

QOS.CH Sarl logback logback-core has a deserialization of untrusted data vulnerability

CRITICAL 9.8
PyPI

CVE-2025-65896

asyncmy is vulnerable to SQL injection via crafted dict keys

CRITICAL 9.8
Maven

CVE-2022-46337

Apache Derby: LDAP injection vulnerability in authenticator

MEDIUM 6.5
Maven

CVE-2026-22740

Spring Framework DoS with Multipart Temp Files in WebFlux

LOW 3.1
Maven

CVE-2026-22741

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.

CRITICAL 9.8
Maven

CVE-2016-4000

Deserialization of Untrusted Data in Jython

UNKNOWN
PyPI

CVE-2026-49360

Recce server has unauthenticated SQL execution that allows local file read/write through DuckDB

HIGH 7.5
Go

CVE-2026-46599

golang.org/x/image/tiff has excessive resource consumption in PackBits decompression

HIGH 7.5
npm

CVE-2026-49353

9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING

CRITICAL 9.8
Maven

CVE-2026-54617

LaunchServer FileServerHandler has an unauthenticated path traversal issue

HIGH 8.3
PyPI

CVE-2026-10105

agno contains a SQL injection vulnerability

HIGH 7.5
PyPI

CVE-2026-10108

xiaomusic contains an unauthenticated path traversal vulnerability

UNKNOWN
PyPI

CVE-2026-49292

Kiwi TCMS's /init-db/ page renders and responds to requests after first use

UNKNOWN
Go

CVE-2026-52792

Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename

HIGH 8.0
npm

CVE-2026-35630

OpenClaw: QQBot native approval buttons did not enforce configured approver identity

HIGH 8.0
npm

GHSA-hx4v-668p-g2qr

Duplicate Advisory: OpenClaw: QQBot native approval buttons did not enforce configured approver identity

CRITICAL 9.8
npm

CVE-2026-49352

9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass

LOW 1.9
NuGet

CVE-2026-50268

Steeltoe: OAEP setting silently selects PKCS#1 v1.5 padding

MEDIUM 5.9
PyPI

CVE-2022-42966

cleo is vulnerable to Regular Expression Denial of Service (ReDoS)

MEDIUM 5.3
Go

CVE-2025-54467

NeuVector process with sensitive arguments lead to leakage

MEDIUM 6.5
NuGet

CVE-2026-50201

Steeltoe's sensitive actuators (heapdump/env) only require Restricted permission

HIGH 8.6
Go

CVE-2025-54470

NeuVector telemetry sender is vulnerable to MITM and DoS

HIGH 7.7
Maven

CVE-2026-2092

Duplicate Advisory: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions

CRITICAL 9.4
PyPI

CVE-2026-52830

fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection

HIGH 7.5
NuGet

CVE-2026-50196

Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch

MEDIUM 5.9
NuGet

CVE-2026-50202

Steeltoe's static JWKS cache shared across schemes and never invalidated

MEDIUM 4.7
NuGet

CVE-2026-50267

Steeltoe: TLS private keys written to /tmp with default permissions, never deleted

HIGH 7.5
NuGet

CVE-2026-50200

Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords

HIGH 8.2
NuGet

CVE-2026-50194

Steeltoe vulnerable to management-port isolation bypass via spoofed Host header

HIGH 7.5
PyPI

CVE-2025-68616

WeasyPrint has a Server-Side Request Forgery (SSRF) Protection Bypass via HTTP Redirect

MEDIUM 5.3
Go

CVE-2025-53884

NeuVector has an insecure password storage and is vulnerable to rainbow attack

MEDIUM 4.0
Go

CVE-2025-64715

Cilium with misconfigured toGroups in policies can lead to unrestricted egress traffic

UNKNOWN
PyPI

CVE-2026-52817

Linuxfabrik Monitoring Plugins: Sudoers may be able to obtain privilege escalation via /usr/bin/apt-get arguments

LOW 3.4
Go

CVE-2025-30163

Cilium node based network policies may incorrectly allow workload traffic

CRITICAL 9.8
Go

CVE-2025-8077

NeuVector admin account has insecure default password

UNKNOWN
npm

GHSA-gj2h-2fpw-fhv9

@nuxt/ui: UAuthForm / UForm SSR markup omits `method`, leaking credentials via GET if submitted before hydration

UNKNOWN
npm

GHSA-g6g7-pvmx-m74p

9router: Missing Authorization and OS Command Injection

Ready to move

Start Securing

Free, no credit card | First findings in minutes