NuGet vulnerabilities | Corgea Advisories

CRITICAL 9.8

NuGet

CVE-2026-45288

Marten has an injection vulnerability in its full-text search regConfig parameter

May 14, 2026

CRITICAL 9.8

NuGet

CVE-2026-32179

MsQuic has a Remote Elevation of Privilege Vulnerability

Apr 16, 2026

CRITICAL 9.1

NuGet

CVE-2026-40324

ChilliCream GraphQL Platform: Utf8GraphQLParser Stack Overflow via Deeply Nested GraphQL Documents

Apr 16, 2026

CRITICAL 9.1

NuGet

CVE-2026-40372

Microsoft Security Advisory CVE-2026-40372 – ASP.NET Core Elevation of Privilege

Apr 23, 2026

CRITICAL 9.1

NuGet

GHSA-5wr9-m6jw-xx44

Scriban: Sandbox escape due to TypedObjectAccessorcache bypassing MemberFilter after TemplateContext reuse

Mar 24, 2026

CRITICAL 9.8

NuGet

CVE-2021-23427

Imporoper path validation in elFinder.NetCore

Sep 2, 2021

CRITICAL 9.8

NuGet

CVE-2024-43498

.NET Remote Code Execution Vulnerability

Nov 12, 2024

CRITICAL 9.1

NuGet

CVE-2024-0057

NuGet Client Security Feature Bypass Vulnerability

Feb 13, 2024

CRITICAL 9.9

NuGet

CVE-2025-55315

Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability

Oct 14, 2025

CRITICAL 9.8

NuGet

CVE-2021-23758

Duplicate Advisory: Remote Code Execution in AjaxNetProfessional

Dec 16, 2021

CRITICAL 9.9

NuGet

CVE-2025-68924

UmbracoForms Vulnerable to Remote Code Execution via Untrusted WSDL Compilation in Dynamic SOAP Client Generation

Jan 13, 2026

CRITICAL 10.0

NuGet

CVE-2025-67288

Umbraco CMS has an arbitrary file upload vulnerability

Dec 22, 2025

CRITICAL 9.1

NuGet

CVE-2026-24838

DotNetNuke.Core Vulnerable to Stored XSS via Module Title

Jan 28, 2026

CRITICAL 9.8

NuGet

CVE-2025-54539

Apache ActiveMQ NMS AMQP Client has a Deserialization of Untrusted Data vulnerability

Oct 16, 2025

CRITICAL 10.0

NuGet

CVE-2025-64095

DNN Insufficient Access Control - Image Upload allows for Site Content Overwrite

Oct 29, 2025

CRITICAL 9.0

NuGet

CVE-2025-59545

DNN Vulnerable to Stored Cross-Site Scripting (XSS) in the Prompt module

Sep 23, 2025

CRITICAL 9.2

NuGet

CVE-2025-43858

YoutubeDLSharp allows command injection on windows system due to non sanitized arguments

Apr 23, 2025

CRITICAL 9.8

NuGet

CVE-2025-29953

Apache ActiveMQ NMS OpenWire Client Deserialization of Untrusted Data vulnerability

Apr 18, 2025

CRITICAL 9.8

NuGet

CVE-2019-12277

Blogifier does not properly restrict APIs

May 24, 2022

CRITICAL 9.8

NuGet

CVE-2021-46703

Code injection in RazorEngine

Mar 7, 2022

CRITICAL 9.1

NuGet

CVE-2025-24895

AspNetCore Remote Authenticator for CIE3.0 Allows SAML Response Signature Verification Bypass

Feb 18, 2025

CRITICAL 9.1

NuGet

CVE-2025-24894

The AspNetCore Remote Authenticator for SPID Allows SAML Response Signature Verification Bypass

Feb 18, 2025

CRITICAL 9.8

NuGet

CVE-2021-26701

.NET Core Remote Code Execution Vulnerability

Apr 21, 2021

CRITICAL 9.8

NuGet

GHSA-7r36-jf3c-jhp4

Duplicate Advisory: tgstation-server vulnerable to cached user logins in legacy server

May 13, 2022

CRITICAL 9.8

NuGet

CVE-2015-2794

The installation wizard in DotNetNuke (DNN) allows privilege escalation

Oct 16, 2018

CRITICAL 9.8

NuGet

CVE-2021-24112

.NET Core Remote Code Execution Vulnerability

May 24, 2022

CRITICAL 9.8

NuGet

CVE-2024-48510

DotNetZip Directory Traversal vulnerability

Nov 13, 2024

CRITICAL 9.8

NuGet

GHSA-8rxm-6783-qh55

Duplicate Advisory: .NET and Visual Studio Remote Code Execution Vulnerability

Nov 12, 2024

CRITICAL 9.8

NuGet

CVE-2024-51501

CRLF injection in Refit's [Header], [HeaderCollection] and [Authorize] attributes

Nov 4, 2024

CRITICAL 9.8

NuGet

CVE-2024-28698

CLSA Directory Traversal vulnerability

Jul 22, 2024

CRITICAL 9.1

NuGet

GHSA-jw42-5m4v-9c8g

Duplicate Advisory: NuGet Client Security Feature Bypass Vulnerability

Jan 9, 2024

CRITICAL 9.8

NuGet

CVE-2014-4172

Jasig Java CAS Client, .NET CAS Client, and phpCAS contain URL parameter injection vulnerability

May 17, 2022

CRITICAL 9.8

NuGet

CVE-2018-1285

XML External Entity attack in log4net

Jan 29, 2021

CRITICAL 9.8

NuGet

CVE-2018-1000120

curl FTP path confusion leads to NIL byte out of bounds write

May 14, 2022

CRITICAL 9.8

NuGet

CVE-2023-32571

Dynamic Linq vulnerable to remote code execution

Jun 22, 2023

CRITICAL 9.8

NuGet

CVE-2019-15151

Double Free in Adplug

Mar 29, 2021

CRITICAL 9.8

NuGet

CVE-2019-9845

MadsKristensen.AspNetCore.Miniblog subject to Improper Input Validation

Jul 5, 2019

CRITICAL 9.1

NuGet

CVE-2021-29508

Insecure deserialization in Wire

May 19, 2021

CRITICAL 9.8

NuGet

CVE-2021-43569

Improper Verification of Cryptographic Signature in starkbank-ecdsa

Nov 10, 2021

CRITICAL 9.8

NuGet

CVE-2017-0223

ChakraCore RCE Vulnerability

May 17, 2022

CRITICAL 9.8

NuGet

CVE-2020-20136

QuantConnect Lean vulnerable to insecure deserialization

May 24, 2022

CRITICAL 9.8

NuGet

CVE-2019-20627

AutoUpdater.NET allows XXE

May 24, 2022

CRITICAL 9.8

NuGet

CVE-2017-8658

ChakraCore RCE Vulnerability

May 17, 2022

CRITICAL 9.8

NuGet

CVE-2021-33318

Improper Input Validation in IpMatcher

May 17, 2022

CRITICAL 9.8

NuGet

CVE-2018-8500

ChakraCore RCE Vulnerability

May 13, 2022

CRITICAL 9.8

NuGet

CVE-2017-0252

ChakraCore RCE Vulnerability

May 17, 2022

CRITICAL 9.8

NuGet

CVE-2017-11767

ChakraCore vulnerable to privilege escalation

May 13, 2022

CRITICAL 9.0

NuGet

CVE-2022-39256

Orckestra C1 CMS's deserialization of untrusted data allows for arbitrary code execution.

Sep 30, 2022

CRITICAL 9.8

NuGet

CVE-2022-35540

Use of Hard-coded Credentials in AgileConfig.Client

Aug 19, 2022

CRITICAL 9.8

NuGet

CVE-2022-23535

LiteDB may deserialize bad JSON on object type using _type

Feb 24, 2023

CRITICAL 9.8

NuGet

CVE-2022-0749

Deserialization of Untrusted Data in SinGooCMS.Utility

Mar 18, 2022

CRITICAL 9.8

NuGet

CVE-2021-4248

DNS NuGet package uses insufficiently random values

Dec 18, 2022

CRITICAL 9.8

NuGet

CVE-2021-31819

Remote Code Execution in Halibut

Sep 23, 2021

CRITICAL 9.8

NuGet

CVE-2020-27998

Missing Authorization in FastReport

Aug 2, 2021

CRITICAL 9.8

NuGet

CVE-2019-7644

Critical severity vulnerability that affects Auth0-WCF-Service-JWT

Apr 18, 2019

CRITICAL 9.8

NuGet

CVE-2017-9785

Deserialization of Untrusted Data in NancyFX Nancy

May 17, 2022

CRITICAL 9.8

NuGet

CVE-2017-9246

New Relic .NET Agent contains SQL Injection

May 17, 2022

Know every threat before it ships

Marten has an injection vulnerability in its full-text search regConfig parameter

MsQuic has a Remote Elevation of Privilege Vulnerability

ChilliCream GraphQL Platform: Utf8GraphQLParser Stack Overflow via Deeply Nested GraphQL Documents

Microsoft Security Advisory CVE-2026-40372 – ASP.NET Core Elevation of Privilege

Scriban: Sandbox escape due to TypedObjectAccessorcache bypassing MemberFilter after TemplateContext reuse

Imporoper path validation in elFinder.NetCore

.NET Remote Code Execution Vulnerability

NuGet Client Security Feature Bypass Vulnerability

Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability

Duplicate Advisory: Remote Code Execution in AjaxNetProfessional

UmbracoForms Vulnerable to Remote Code Execution via Untrusted WSDL Compilation in Dynamic SOAP Client Generation

Umbraco CMS has an arbitrary file upload vulnerability

DotNetNuke.Core Vulnerable to Stored XSS via Module Title

Apache ActiveMQ NMS AMQP Client has a Deserialization of Untrusted Data vulnerability

DNN Insufficient Access Control - Image Upload allows for Site Content Overwrite

DNN Vulnerable to Stored Cross-Site Scripting (XSS) in the Prompt module

YoutubeDLSharp allows command injection on windows system due to non sanitized arguments

Apache ActiveMQ NMS OpenWire Client Deserialization of Untrusted Data vulnerability

Blogifier does not properly restrict APIs

Code injection in RazorEngine

AspNetCore Remote Authenticator for CIE3.0 Allows SAML Response Signature Verification Bypass

The AspNetCore Remote Authenticator for SPID Allows SAML Response Signature Verification Bypass

.NET Core Remote Code Execution Vulnerability

Duplicate Advisory: tgstation-server vulnerable to cached user logins in legacy server

The installation wizard in DotNetNuke (DNN) allows privilege escalation

.NET Core Remote Code Execution Vulnerability

DotNetZip Directory Traversal vulnerability

Duplicate Advisory: .NET and Visual Studio Remote Code Execution Vulnerability

CRLF injection in Refit's [Header], [HeaderCollection] and [Authorize] attributes

CLSA Directory Traversal vulnerability

Duplicate Advisory: NuGet Client Security Feature Bypass Vulnerability

Jasig Java CAS Client, .NET CAS Client, and phpCAS contain URL parameter injection vulnerability

XML External Entity attack in log4net

curl FTP path confusion leads to NIL byte out of bounds write

Dynamic Linq vulnerable to remote code execution

Double Free in Adplug

MadsKristensen.AspNetCore.Miniblog subject to Improper Input Validation

Insecure deserialization in Wire

Improper Verification of Cryptographic Signature in starkbank-ecdsa

ChakraCore RCE Vulnerability

QuantConnect Lean vulnerable to insecure deserialization

AutoUpdater.NET allows XXE

ChakraCore RCE Vulnerability

Improper Input Validation in IpMatcher

ChakraCore RCE Vulnerability

ChakraCore RCE Vulnerability

ChakraCore vulnerable to privilege escalation

Orckestra C1 CMS's deserialization of untrusted data allows for arbitrary code execution.

Use of Hard-coded Credentials in AgileConfig.Client

LiteDB may deserialize bad JSON on object type using _type

Deserialization of Untrusted Data in SinGooCMS.Utility

DNS NuGet package uses insufficiently random values

Remote Code Execution in Halibut

Missing Authorization in FastReport

Critical severity vulnerability that affects Auth0-WCF-Service-JWT

Deserialization of Untrusted Data in NancyFX Nancy

New Relic .NET Agent contains SQL Injection

Start Securing