Know every threat before it ships

200K+ vulnerabilities, malicious packages, and supply chain threats enriched with Corgea's research.

Severity | Ecosystem | Advisory ID | Title

MEDIUM 5.3 | npm | CVE-2026-48049 | @hapi/inert has a static-file confinement bypass via sibling-prefix path
MEDIUM 6.5 | npm | CVE-2026-42853 | @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input
MEDIUM 6.5 | npm | CVE-2026-48022 | @hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects
MEDIUM 5.4 | npm | CVE-2026-44311 | Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization
MEDIUM 4.8 | npm | CVE-2026-44490 | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
MEDIUM 5.3 | npm | CVE-2026-48038 | joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
MEDIUM 6.1 | npm | CVE-2026-47250 | MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration
MEDIUM 6.5 | npm | CVE-2026-48147 | Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
MEDIUM 6.7 | npm | CVE-2026-48121 | LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access
MEDIUM 5.4 | npm | CVE-2022-25037 | wangEditor was discovered to contain a cross-site scripting (XSS) vulnerability via the image upload function
MEDIUM 6.1 | npm | CVE-2024-28635 | Cross-site scripting in Survey Creator
MEDIUM 6.1 | npm | CVE-2026-30691 | @cyntler/react-doc-viewer's TXTRenderer fails to sanitize file content and explicitly casts raw data as a ReactNode
MEDIUM 4.3 | npm | CVE-2026-8769 | @ai-sdk/provider-utils has an Uncontrolled Resource Consumption issue
MEDIUM 4.3 | npm | CVE-2026-47675 | Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
MEDIUM 5.3 | npm | CVE-2026-47674 | Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
MEDIUM 5.3 | npm | CVE-2026-47676 | Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
MEDIUM 4.8 | npm | CVE-2026-47673 | Hono: JWT middleware accepts any Authorization scheme, not only Bearer
MEDIUM 6.5 | npm | CVE-2026-46357 | HAX CMS: Denial of Service using Malicious Import Request
MEDIUM 6.5 | npm | CVE-2025-13465 | Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
MEDIUM 6.5 | npm | CVE-2026-42073 | OpenClaude MCP OAuth Callback: State Check Bypass via error Param Leads to DoS
MEDIUM 6.5 | npm | CVE-2026-45149 | brace-expansion: Large numeric range defeats documented `max` DoS protection
MEDIUM 6.5 | npm | CVE-2026-45582 | n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters
MEDIUM 5.3 | npm | CVE-2026-41150 | Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
MEDIUM 6.5 | npm | CVE-2026-22030 | React Router has CSRF issue in Action/Server Action Request Processing
MEDIUM 4.7 | npm | CVE-2026-45366 | @utcp/http: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol
MEDIUM 6.1 | npm | CVE-2026-26028 | CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS
MEDIUM 6.1 | npm | CVE-2026-44372 | Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules
MEDIUM 4.2 | npm | CVE-2026-46424 | Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
MEDIUM 6.5 | npm | CVE-2026-45719 | Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
MEDIUM 5.4 | npm | CVE-2026-45718 | Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows
MEDIUM 4.2 | npm | GHSA-xvp7-8vm8-xfxx | Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
MEDIUM 5.8 | npm | CVE-2026-44214 | eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields
MEDIUM 6.5 | npm | CVE-2026-32022 | OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass)
MEDIUM 6.1 | npm | CVE-2026-22217 | OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL
MEDIUM 6.3 | npm | CVE-2026-47721 | FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions
MEDIUM 5.3 | npm | CVE-2026-47720 | FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString
MEDIUM 6.1 | npm | CVE-2026-47099 | TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`
MEDIUM 6.0 | npm | CVE-2026-47375 | NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`
MEDIUM 5.3 | npm | CVE-2026-44646 | LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`
MEDIUM 6.5 | npm | CVE-2026-44645 | LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
MEDIUM 6.1 | npm | CVE-2026-44644 | LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS
MEDIUM 6.5 | npm | CVE-2026-49144 | browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server
MEDIUM 5.4 | npm | CVE-2026-33244 | React Router has stored XSS via unescaped Location header in prerendered redirect HTML
MEDIUM 6.1 | npm | CVE-2026-46341 | Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching
MEDIUM 4.3 | npm | CVE-2025-5891 | pm2 Regular Expression Denial of Service vulnerability
MEDIUM 6.1 | npm | CVE-2026-45243 | Summarize contains a missing authorization vulnerability
MEDIUM 5.4 | npm | CVE-2026-45244 | Summarize contains a missing authorization vulnerability
MEDIUM 5.3 | npm | CVE-2026-8814 | ExifReader is vulnerable to denial of service via unbounded decompression of image metadata
MEDIUM 4.3 | npm | CVE-2026-8766 | @kilocode/cli Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
MEDIUM 5.4 | npm | CVE-2026-39964 | Typebot.io has stored XSS via `javascript`: URI in text bubble links — bot author executes JS on visitors' browsers
MEDIUM 5.3 | npm | CVE-2026-8723 | qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
MEDIUM 6.1 | npm | CVE-2026-46547 | NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL
MEDIUM 5.4 | npm | CVE-2026-46550 | NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags
MEDIUM 4.3 | npm | CVE-2026-46548 | NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams)
MEDIUM 6.5 | npm | CVE-2026-46551 | NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion
MEDIUM 5.8 | npm | CVE-2026-46552 | NocoDB: Shared-base link access can invite arbitrary users as persistent base members
MEDIUM 5.9 | npm | CVE-2026-34043 | Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
MEDIUM 5.3 | npm | CVE-2026-45740 | protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion
MEDIUM 4.4 | npm | CVE-2026-45736 | ws: Uninitialized memory disclosure
MEDIUM 4.8 | npm | CVE-2026-40175 | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
