Know every threat before it ships
200K+ vulnerabilities, malicious packages, and supply chain threats enriched with Corgea's research.
LOW 3.7
CVE-2026-48524
PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)
LOW 3.3
CVE-2026-48156
pypdf: Possible long runtimes for zero-only width values in cross-reference streamsuntimes for zero-only width values in cross-reference streams
LOW 3.7
CVE-2026-49854
Tornado has out-of-bounds memory access via C extension
LOW 2.5
GHSA-g7r4-m6w7-qqqr
esbuild allows arbitrary file read when running the development server on Windows
LOW 3.7
CVE-2026-44489
Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
LOW 3.3
CVE-2026-47712
Dulwich doesn't sanitize commit subjects in `porcelain.format_patch`
LOW 3.7
CVE-2023-41048
plone.namedfile vulnerable to Stored Cross Site Scripting with SVG images
LOW 3.7
CVE-2024-24564
Vyper's `extract32` can ready dirty memory
LOW 2.2
CVE-2025-32021
VCS credentials included in URL parameters are potentially logged and saved into browser history as plaintext
LOW 3.7
CVE-2024-26149
Vyper's `_abi_decode` vulnerable to Memory Overflow
LOW 3.1
CVE-2024-2032
CVE-2024-2032
LOW 3.7
CVE-2024-30471
CVE-2024-30471
LOW 3.3
CVE-2024-2213
CVE-2024-2213
LOW 2.8
CVE-2023-3674
CVE-2023-3674
LOW 3.3
CVE-2023-5752
CVE-2023-5752
LOW 2.8
CVE-2022-4134
CVE-2022-4134
LOW 3.5
CVE-2026-48051
Papra HTTP redirect bypass can lead to SSRF via webhook delivery system
LOW 2.5
CVE-2025-2149
PyTorch: Manipulation of the argument scale/zero_point leads to improper initialization via Quantized Sigmoid Module
LOW 3.3
CVE-2025-6272
pywasm3 has Improper Restriction of Operations within the Bounds of a Memory Buffer
LOW 3.5
CVE-2023-51649
Nautobot missing object-level permissions enforcement when running Job Buttons
LOW 3.3
CVE-2021-29510
Use of "infinity" as an input to datetime and date fields causes infinite loop in pydantic
LOW 2.8
CVE-2025-44021
OpenStack Ironic fails to restrict paths used for file:// image URLs
LOW 3.1
CVE-2026-45739
Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs
LOW 3.5
CVE-2026-33551
OpenStack Keystone: Restricted application credentials can create EC2 credentials
LOW 3.8
CVE-2026-45683
OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure
LOW 3.1
CVE-2020-8562
Potential proxy IP restriction bypass in Kubernetes
LOW 3.1
CVE-2021-25740
Confused Deputy in Kubernetes
LOW 3.9
CVE-2026-30963
Capsule Namespace Hijacking via subresource
LOW 2.8
GHSA-rc6v-5rmx-w5mv
arnika is affected by medium-severity issues in UDP rotation, PQC handling, and KMS TLS
LOW 3.7
CVE-2020-9488
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender
LOW 3.7
CVE-2026-42082
Free5GC AMF has Missing Concurrent NAS SMC Validation During NGAP Handover
LOW 3.7
CVE-2026-44474
Ella Core has handover failures during concurrent Security Mode Command
LOW 3.5
CVE-2026-42448
Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed
LOW 3.3
CVE-2025-65681
Overhang Tutor Discloses Sensitive Information due to Improper Cache-Control
LOW 3.3
CVE-2025-2953
PyTorch susceptible to local Denial of Service
LOW 3.3
CVE-2026-8088
OSGeo GDAL vulnerable to out-of-bounds read
LOW 3.1
GHSA-pxh5-6rrc-8rjv
OpenTofu: Excessive resource usage in "tofu init" when installing dependencies from attacker-controlled server
LOW 3.1
CVE-2026-41488
langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding
LOW 2.6
CVE-2025-64326
Weblate leaks the IP of project member inviting user to be reviewer in Audit log
LOW 3.9
CVE-2024-31636
LIEF obtain sensitive information via the name parameter
LOW 2.7
CVE-2026-4292
Django vulnerable to privilege abuse in ModelAdmin.list_editable
LOW 3.1
CVE-2026-47716
Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known
LOW 3.1
CVE-2026-47715
Bugsink: Issue event views can show an event from another project if its UUID is known
LOW 3.7
CVE-2023-30464
CoreDNS Cache Poisoning via a birthday attack
LOW 3.7
CVE-2026-32109
Copyparty has unexpected JavaScript execution via crafted URL to folder with `.prologue.html`
LOW 2.7
CVE-2026-45723
Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic
LOW 3.7
CVE-2026-32690
Apache Airflow Exposes Secrets in Variables Saved as JSON Dictionaries
LOW 3.5
CVE-2025-62780
changedetection.io: Stored XSS in Watch update via API
LOW 2.7
CVE-2026-45076
CVE-2026-45076
LOW 3.1
CVE-2026-45426
CVE-2026-45426
LOW 3.7
CVE-2026-4273
Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation
LOW 3.5
CVE-2026-6333
Mattermost doesn't validate the Host header when constructing response URLs for custom slash command
LOW 3.1
CVE-2026-4286
Mattermost doesn't check if {{team_id}} was being changed when updating playbooks
LOW 3.8
CVE-2026-3495
Mattermost doesn't escape some variables that could contain malicious content during error page composition
LOW 3.1
CVE-2026-6334
Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow
Ready to move
Start Securing
Free, no credit card | First findings in minutes