Know every threat before it ships

200K+ vulnerabilities, malicious packages, and supply chain threats enriched with Corgea's research.

Severity | Ecosystem | ID | Title
HIGH 8.1 | npm | CVE-2026-45013 | Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation
HIGH 7.3 | npm | CVE-2026-45011 | Apostrophe has stored XSS via javascript: URL in Image Widget Link
HIGH 7.6 | npm | CVE-2026-45012 | Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget
HIGH 8.1 | npm | GHSA-gv7w-rqvm-qjhr | esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY
HIGH 8.8 | npm | CVE-2026-46475 | FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover
HIGH 8.6 | npm | CVE-2026-47209 | vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain
HIGH 8.7 | npm | CVE-2026-47135 | vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks
HIGH 8.6 | npm | CVE-2026-47139 | NodeVM network builtin exclusions bypass via internal _http_client and _http_server
HIGH 8.8 | npm | CVE-2026-46519 | MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement
HIGH 7.0 | npm | CVE-2026-44495 | axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
HIGH 8.7 | npm | CVE-2026-44494 | axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
HIGH 7.5 | npm | CVE-2026-44486 | Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
HIGH 7.5 | npm | CVE-2026-44488 | Allocation of Resources Without Limits or Throttling in Axios
HIGH 7.5 | npm | CVE-2026-48151 | Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema
HIGH 8.1 | npm | CVE-2026-48152 | Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL
HIGH 7.7 | npm | CVE-2026-48146 | Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection
HIGH 7.5 | npm | CVE-2026-48069 | @grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash
HIGH 7.5 | npm | CVE-2026-48068 | @grpc/grpc-js: A malformed request can cause a server crash
HIGH 7.5 | npm | CVE-2023-2968 | proxy denial of service vulnerability
HIGH 7.5 | npm | CVE-2026-46679 | js-libp2p: Memory DoS via subscription flood of unique topics
HIGH 7.5 | npm | CVE-2026-46625 | JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
HIGH 8.8 | npm | CVE-2026-46444 | FlowiseAI: Vector Store No Permission Checks
HIGH 7.5 | npm | CVE-2026-45783 | @libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes
HIGH 7.0 | npm | CVE-2026-42462 | Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring
HIGH 8.8 | npm | CVE-2026-48054 | OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri
HIGH 7.5 | npm | CVE-2025-71319 | image-size Denial of Service via Infinite Loop during Image Processing
HIGH 7.5 | npm | CVE-2026-44496 | Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
HIGH 7.8 | npm | CVE-2026-45033 | GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor
HIGH 8.1 | npm | CVE-2026-9277 | shell-quote quote() does not escape newlines in object .op values
HIGH 7.5 | npm | CVE-2026-42570 | Svelte devalue: DoS via sparse array deserialization
HIGH 7.2 | npm | CVE-2026-46492 | md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
HIGH 8.8 | npm | CVE-2026-46480 | FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover
HIGH 8.1 | npm | CVE-2026-42211 | React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
HIGH 7.5 | npm | CVE-2026-46440 | FlowiseAI Exposes Basic Auth Credentials via API
HIGH 7.6 | npm | CVE-2026-45337 | Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending
HIGH 7.5 | npm | CVE-2026-34148 | Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution
HIGH 8.2 | npm | CVE-2026-45302 | parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names
HIGH 8.1 | npm | CVE-2026-42349 | Clerk has an authorization bypass when combining organization, billing, or reverification checks
HIGH 8.6 | npm | CVE-2026-33805 | Fastify's connection header abuse enables stripping of proxy-added headers
HIGH 7.5 | npm | CVE-2026-44648 | SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover
HIGH 8.5 | npm | CVE-2026-46372 | SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl
HIGH 8.2 | npm | CVE-2026-46510 | form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation form keys
HIGH 8.1 | npm | CVE-2026-45707 | n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete
HIGH 8.7 | npm | CVE-2026-48527 | HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint
HIGH 8.2 | npm | CVE-2026-46509 | @ranfdev/deepobj has a Prototype Pollution vulnerability
HIGH 7.3 | npm | CVE-2026-45364 | Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
HIGH 7.5 | npm | CVE-2026-44902 | Prometheus exporter process crash via malformed HTTP request
HIGH 7.7 | npm | CVE-2026-45548 | Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation
HIGH 7.6 | npm | CVE-2026-46426 | Budibase: Unrestricted Upload of File with Dangerous Type
HIGH 8.8 | npm | CVE-2026-45717 | Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL
HIGH 7.8 | npm | CVE-2026-44724 | Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name
HIGH 7.8 | npm | CVE-2026-45136 | claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh
HIGH 7.7 | npm | CVE-2026-45715 | Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration
HIGH 8.2 | npm | CVE-2026-44483 | @rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)
HIGH 8.8 | npm | CVE-2026-45716 | Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration
HIGH 7.5 | npm | CVE-2026-44635 | Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`
HIGH 7.5 | npm | CVE-2023-48238 | json-web-token library is vulnerable to a JWT algorithm confusion attack
HIGH 8.3 | npm | CVE-2026-44966 | Velocity.js has a Prototype Pollution vulnerability through #set path assignment
HIGH 8.2 | npm | CVE-2026-44728 | @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
HIGH 7.1 | npm | CVE-2026-42280 | Auth.js SDK has Improper Permission Checking