Know every threat before it ships
200K+ vulnerabilities, malicious packages, and supply chain threats enriched with Corgea's research.
CRITICAL 9.3
CVE-2026-44990
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
CRITICAL 10.0
CVE-2026-47140
NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
CRITICAL 10.0
CVE-2026-47131
vm2 has a Sandbox Escape issue
CRITICAL 9.8
CVE-2026-47210
vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass
CRITICAL 10.0
CVE-2026-47208
vm2 is Vulnerable to Sandbox Breakout Through Promise Species
CRITICAL 10.0
CVE-2026-47137
vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE
CRITICAL 9.0
CVE-2026-48150
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
CRITICAL 9.8
CVE-2024-30564
@andrei-tatar/nora-firebase-common Prototype Pollution vulnerability
CRITICAL 9.8
CVE-2026-42074
OpenClaude Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input
CRITICAL 9.6
CVE-2026-44211
Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability
CRITICAL 9.1
CVE-2026-33808
@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
CRITICAL 9.8
CVE-2026-44649
SillyTavern has Authentication Bypass via SSO Header Injection
CRITICAL 10.0
CVE-2026-43898
SandboxJS has a sandbox escape via Function.caller leakage of internal call op
CRITICAL 9.6
CVE-2026-45321
Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
CRITICAL 9.4
CVE-2026-26980
Ghost has a SQL injection in Content API
CRITICAL 9.8
CVE-2026-47429
When Vitest UI server is listening, arbitrary file can be read and executed
CRITICAL 9.8
CVE-2018-1000620
Insufficient Entropy in cryptiles
CRITICAL 9.8
CVE-2026-26956
VM2 Has a WASM Sandbox Escape
CRITICAL 10.0
CVE-2026-47668
DbGate: Unauthenticated Remote Code Execution via JSON Script Runner
CRITICAL 10.0
CVE-2026-45618
LiquidJS is Vulnerable to Remote Code Execution
CRITICAL 9.6
GHSA-jpvj-wpmj-h7rv
Supply chain compromise via malicious @cap-js/openapi
CRITICAL 9.6
CVE-2026-47428
Vitest browser mode serves unsanitized otelCarrier query parameter as inline script
CRITICAL 9.8
CVE-2026-45772
Turbo: Unexpected local code execution during Yarn Berry detection
CRITICAL 9.8
CVE-2026-6951
simple-git is vulnerable to Remote Code Execution
CRITICAL 9.8
CVE-2020-23256
electerm allows unauthorized users to execute arbitrary commands
CRITICAL 10.0
CVE-2026-46412
Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm
CRITICAL 10.0
CVE-2026-46339
9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes
CRITICAL 9.1
GHSA-3875-8gcx-7v46
n8n: Credential exfiltration via Allowed HTTP Request Domains Bypass
CRITICAL 9.8
CVE-2026-25244
WebdriverIO BrowserStack Service has a Command Injection issue
CRITICAL 9.6
GHSA-27f5-xjrr-q9ff
Malware in @opensearch-project/opensearch
CRITICAL 9.8
CVE-2026-45411
vm2 Has a Sandbox Breakout Using Async Generator
CRITICAL 9.1
GHSA-wf8q-wvv8-p8jf
@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation
CRITICAL 10.0
CVE-2026-44006
vm2 has a Sandbox Escape Vulnerability
CRITICAL 10.0
CVE-2026-44005
vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape
CRITICAL 9.1
CVE-2026-44007
vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
CRITICAL 9.8
CVE-2026-44009
vm2 has Sandbox Breakout Through Null Proto Exception
CRITICAL 9.8
CVE-2026-44008
vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`
CRITICAL 9.9
CVE-2026-43999
vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape
CRITICAL 9.1
CVE-2026-44351
fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver
CRITICAL 10.0
CVE-2026-43997
vm2 Access to Host Object Enables Sandbox Escape
CRITICAL 9.1
CVE-2026-45091
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
CRITICAL 9.6
CVE-2026-43944
Electerm users can run dangrous code through link or command line
CRITICAL 9.1
CVE-2026-44650
SillyTavern has a Path Traversal issue
CRITICAL 9.8
CVE-2025-63703
parse-ini is vulnerable to Prototype Pollution in index.js()
CRITICAL 9.8
CVE-2026-41507
Remote Code Execution (RCE) via String Literal Injection into math-codegen
CRITICAL 9.8
CVE-2025-63704
query-parser-string is vulnerable to Prototype Pollution
CRITICAL 9.8
CVE-2025-63706
next-npm-version is vulnerable to Command injection
CRITICAL 9.8
CVE-2026-41501
electerm has Command Injection via runLinux funtion
CRITICAL 9.8
CVE-2026-44109
OpenClaw: Feishu webhook and card-action validation now fail closed
CRITICAL 9.8
GHSA-cjg8-85gj-v9q2
Duplicate Advisory: OpenClaw: Feishu webhook and card-action validation now fail closed
CRITICAL 9.8
CVE-2026-41500
electerm: electerm_install_script_CommandInjection Vulnerability Report
CRITICAL 9.8
GHSA-v6wj-c83f-v46x
@profullstack/mcp-server vulnerable to OS Command Injection in domain_lookup Module
CRITICAL 9.8
CVE-2026-43940
Electerm runWidget has a path traversal that leads to arbitrary code execution
CRITICAL 9.1
CVE-2026-43534
OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input
CRITICAL 10.0
CVE-2026-42231
n8n has Prototype Pollution in XML Webhook Body Parser that Leads to RCE
CRITICAL 9.9
CVE-2026-42232
n8n has XML Node Prototype Pollution that to RCE
CRITICAL 9.8
CVE-2026-42233
n8n has SQL Injection in Oracle Database Node via Limit Field
CRITICAL 9.1
CVE-2026-43566
OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events
CRITICAL 9.8
CVE-2026-24118
VM2 Sandbox Breakout Through __lookupGetter__
CRITICAL 9.3
GHSA-54pg-9963-v8vg
Compromised version of intercom-client published to npm
Ready to move
Start Securing
Free, no credit card | First findings in minutes