Know every threat before it ships

200K+ vulnerabilities, malicious packages, and supply chain threats enriched with Corgea's research.

CRITICAL 9.8
Go

CVE-2026-46614

Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger

CRITICAL 9.1
Go

CVE-2026-48031

Go Restful API Boilerplate: Hardcoded JWT Secret "random" Allows Token Forgery

CRITICAL 9.9
Go

CVE-2026-45625

Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs

CRITICAL 9.9
Go

CVE-2026-44881

Portainer Has an Arbitrary File Read via Git Symlink Injection in Stack Auto-Update

CRITICAL 9.9
Go

CVE-2026-44477

CloudNativePG's metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE

CRITICAL 10.0
Go

CVE-2026-45087

Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`

CRITICAL 10.0
Go

CVE-2026-44330

free5GC's NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions

CRITICAL 9.4
Go

CVE-2026-44315

free5GC's NEF 3gpp-pfd-management API is unauthenticated; forged bearer tokens can create, read, and delete PFD transactions

CRITICAL 9.4
Go

CVE-2026-44326

free5GC's NEF 3gpp-traffic-influence API is unauthenticated; missing or forged bearer tokens can create, read, patch, and delete subscriptions

CRITICAL 10.0
Go

CVE-2026-44327

free5GC's NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler

CRITICAL 9.6
Go

CVE-2026-44985

Dozzle's Cross-Site WebSocket Hijacking (CSWSH) on exec/attach endpoints bypasses authentication

CRITICAL 9.0
Go

CVE-2026-47252

Anyquery: AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin

CRITICAL 9.9
Go

CVE-2026-47724

nebula-mesh: API endpoints lack ownership checks, enabling cross-operator privilege escalation

CRITICAL 10.0
Go

CVE-2026-44329

free5GC's SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers

CRITICAL 9.0
Go

CVE-2026-45375

SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution

CRITICAL 9.8
Go

CVE-2026-41176

Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution

CRITICAL 9.6
Go

CVE-2025-30215

NATS Server may fail to authorize certain Jetstream admin APIs

CRITICAL 9.1
Go

CVE-2025-66719

Free5gc NRF is vulnerable to scope validation bypass via maliciously crafted targetNF value

CRITICAL 9.8
Go

CVE-2026-45695

Kopia: RCE via SSH ProxyCommand Injection

CRITICAL 9.8
Go

CVE-2026-41179

RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution

CRITICAL 9.9
Go

CVE-2026-46716

Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron

CRITICAL 9.1
Go

CVE-2026-8634

Crabbox: environment variable exposure vulnerability

CRITICAL 10.0
Go

CVE-2026-41070

openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access

CRITICAL 9.8
Go

CVE-2026-42072

NornicDB has Improper Network Binding in its Bolt Server, allowing unauthorized remote access

CRITICAL 9.8
Go

CVE-2025-1974

ingress-nginx admission controller RCE escalation

CRITICAL 9.1
Go

CVE-2026-46354

Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft

CRITICAL 9.0
Go

CVE-2026-45721

Algernon: handler.lua discovery walks parent directories above the server root

CRITICAL 10.0
Go

CVE-2026-44523

Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery

CRITICAL 9.8
Go

CVE-2026-42589

Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection

CRITICAL 9.4
Go

CVE-2026-42596

Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook

CRITICAL 9.1
Go

CVE-2026-44542

FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion

CRITICAL 9.9
Go

CVE-2026-41050

Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering

CRITICAL 9.8
Go

CVE-2026-41574

Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass

CRITICAL 9.6
Go

GHSA-vw82-7fv8-r6gp

Obot has an authorization bypass in /mcp-connect/{id} that allows any authenticated user to use any registered MCP server

CRITICAL 9.4
Go

CVE-2026-42882

S3-Proxy has Security Issues in its Resource Path Matching Implementation

CRITICAL 9.1
Go

CVE-2026-42560

auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross-user impersonation

CRITICAL 9.1
Go

CVE-2026-7482

Ollama contains a heap out-of-bounds read vulnerability in the GGUF model loader

CRITICAL 9.6
Go

CVE-2026-42880

ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction

CRITICAL 9.1
Go

CVE-2026-41327

Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field

CRITICAL 9.1
Go

CVE-2026-41328

Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field

CRITICAL 9.8
Go

CVE-2026-41492

Dgraph: Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars

CRITICAL 9.6
Go

CVE-2026-41589

Wish has SCP Path Traversal that allows arbitrary file read/write

CRITICAL 10.0
Go

CVE-2026-40281

Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix)

CRITICAL 9.8
Go

CVE-2026-39087

ntfy.sh allows a remote attacker to execute arbitrary code via the parseActions function

CRITICAL 9.3
Go

CVE-2026-40280

Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection

CRITICAL 9.4
Go

CVE-2026-41571

Note Mark: OIDC-registered users authenticated by submitting password "null"

CRITICAL 9.1
Go

GHSA-9h64-2846-7x7f

Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening

CRITICAL 10.0
Go

CVE-2026-39858

Traefik: Pre-authentication decision bypass due to forwarded alias spoofing

CRITICAL 10.0
Go

CVE-2026-35051

Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication

CRITICAL 9.8
Go

CVE-2026-42238

Nginx-UI is Vulnerable to Unauthenticated Remote Code Execution via Backup Restore

CRITICAL 9.8
Go

CVE-2025-8077

NeuVector admin account has insecure default password

CRITICAL 9.8
Go

GHSA-xhj4-g6w8-2xjw

go-zserio has Unbounded Memory Allocation for All Platforms

CRITICAL 9.1
Go

CVE-2026-6290

Velociraptor vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token

CRITICAL 9.1
Go

CVE-2025-41118

Pyroscope Exposes Storage Secret

CRITICAL 9.4
Go

CVE-2026-40173

Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints

CRITICAL 9.8
Go

CVE-2026-40884

goshs has an empty-username SFTP password authentication bypass

CRITICAL 9.1
Go

CVE-2026-40575

OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing

CRITICAL 9.8
Go

CVE-2026-33032

nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover

CRITICAL 9.8
Go

CVE-2026-32769

Fullchain's Invalid NetworkPolicy enables a malicious actor to pivot into another namespace

CRITICAL 9.6
Go

CVE-2026-30924

qui CORS Misconfiguration: Arbitrary Origins Trusted
