Know every threat before it ships

200K+ vulnerabilities, malicious packages, and supply chain threats enriched with Corgea's research.

ID | Ecosystem | Severity (CVSS base score; UNKNOWN = not yet scored) | Title
CVE-2026-48049 | npm | MEDIUM 5.3 | @hapi/inert has a static-file confinement bypass via sibling-prefix path
CVE-2026-45013 | npm | HIGH 8.1 | Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation
CVE-2026-47248 | npm | UNKNOWN | Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers
CVE-2026-45011 | npm | HIGH 7.3 | Apostrophe has stored XSS via javascript: URL in Image Widget Link
CVE-2026-47138 | npm | UNKNOWN | Parse Server: Pre-authentication denial of service via client version header regex backtracking
CVE-2026-42890 | npm | UNKNOWN | actual Allows Electron to Run As Node
CVE-2026-44990 | npm | CRITICAL 9.3 | Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
CVE-2026-50287 | npm | UNKNOWN | @agenticmail/mcp Missing Authentication for Critical Function
CVE-2026-42853 | npm | MEDIUM 6.5 | @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input
CVE-2026-45012 | npm | HIGH 7.6 | Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget
CVE-2026-48022 | npm | MEDIUM 6.5 | @hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects
CVE-2026-47140 | npm | CRITICAL 10.0 | NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
CVE-2026-44311 | npm | MEDIUM 5.4 | Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization
CVE-2026-47430 | npm | UNKNOWN | Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews.
CVE-2026-47131 | npm | CRITICAL 10.0 | vm2 has a Sandbox Escape issue
CVE-2026-47210 | npm | CRITICAL 9.8 | vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass
CVE-2026-47208 | npm | CRITICAL 10.0 | vm2 is Vulnerable to Sandbox Breakout Through Promise Species
CVE-2026-47137 | npm | CRITICAL 10.0 | vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE
GHSA-gv7w-rqvm-qjhr | npm | HIGH 8.1 | esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY
GHSA-g7r4-m6w7-qqqr | npm | LOW 2.5 | esbuild allows arbitrary file read when running the development server on Windows
CVE-2026-46475 | npm | HIGH 8.8 | FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover
CVE-2026-46342 | npm | UNKNOWN | Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
CVE-2026-47200 | npm | UNKNOWN | Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
CVE-2026-47209 | npm | HIGH 8.6 | vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain
CVE-2026-47135 | npm | HIGH 8.7 | vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks
CVE-2026-47139 | npm | HIGH 8.6 | NodeVM network builtin exclusions bypass via internal _http_client and _http_server
CVE-2026-47141 | npm | UNKNOWN | NodeVM observability builtins leak host process and HTTP request data
CVE-2026-45669 | npm | UNKNOWN | Nuxt: Reflected XSS in `navigateTo()` external redirect
CVE-2026-46519 | npm | HIGH 8.8 | MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement
CVE-2026-44489 | npm | LOW 3.7 | Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
CVE-2026-44490 | npm | MEDIUM 4.8 | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
CVE-2026-44495 | npm | HIGH 7.0 | axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
CVE-2026-44494 | npm | HIGH 8.7 | axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
CVE-2026-45670 | npm | UNKNOWN | Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)
CVE-2026-48038 | npm | MEDIUM 5.3 | joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
CVE-2026-44487 | npm | UNKNOWN | Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
CVE-2026-44486 | npm | HIGH 7.5 | Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
CVE-2026-53926 | npm | UNKNOWN | NocoDB: OAuth Tokens Persist Through Security Events
CVE-2026-44705 | npm | UNKNOWN | tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
CVE-2026-44488 | npm | HIGH 7.5 | Allocation of Resources Without Limits or Throttling in Axios
CVE-2026-47250 | npm | MEDIUM 6.1 | MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration
CVE-2026-48150 | npm | CRITICAL 9.0 | Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
CVE-2026-48148 | npm | UNKNOWN | Budibase: Unvalidated VectorDB Host Parameter Enables SSRF
CVE-2026-48151 | npm | HIGH 7.5 | Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema
CVE-2026-48152 | npm | HIGH 8.1 | Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL
CVE-2026-48147 | npm | MEDIUM 6.5 | Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
CVE-2026-48128 | npm | UNKNOWN | Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step
CVE-2026-48146 | npm | HIGH 7.7 | Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection
CVE-2026-48121 | npm | MEDIUM 6.7 | LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access
CVE-2026-48069 | npm | HIGH 7.5 | @grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash
CVE-2026-48068 | npm | HIGH 7.5 | @grpc/grpc-js: A malformed request can cause a server crash
CVE-2023-2968 | npm | HIGH 7.5 | proxy denial of service vulnerability
CVE-2022-25037 | npm | MEDIUM 5.4 | wangEditor was discovered to contain a cross-site scripting (XSS) vulnerability via the image upload function
CVE-2024-30564 | npm | CRITICAL 9.8 | @andrei-tatar/nora-firebase-common Prototype Pollution vulnerability
CVE-2024-28635 | npm | MEDIUM 6.1 | Cross-site scripting in Survey Creator
CVE-2026-46679 | npm | HIGH 7.5 | js-libp2p: Memory DoS via subscription flood of unique topics
CVE-2026-46625 | npm | HIGH 7.5 | JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
CVE-2026-46444 | npm | HIGH 8.8 | FlowiseAI: Vector Store No Permission Checks
CVE-2026-45783 | npm | HIGH 7.5 | @libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes
CVE-2026-30691 | npm | MEDIUM 6.1 | @cyntler/react-doc-viewer's TXTRenderer fails to sanitize file content and explicitly casts raw data as a ReactNode
