Know every threat before it ships

200K+ vulnerabilities, malicious packages, and supply chain threats enriched with Corgea's research.

Severity | Ecosystem | Identifier | Title

MEDIUM 4.2 | PyPI | CVE-2026-48522 | PyJWKClient: missing scheme allowlist enables CVE-2024-21643-class SSRF + token forgery via file://, ftp://, data: schemes
MEDIUM 5.4 | PyPI | CVE-2026-48523 | PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys
MEDIUM 5.3 | PyPI | CVE-2026-48525 | PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS
MEDIUM 6.1 | Maven | CVE-2020-13932 | Cross-site Scripting (XSS) in Apache ActiveMQ Artemis
MEDIUM 5.3 | PyPI | CVE-2025-3000 | PyTorch is vulnerable to memory corruption through its torch.jit.script function
MEDIUM 6.5 | PyPI | CVE-2026-49818
MEDIUM 6.5 | PyPI | CVE-2026-48710 | Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
MEDIUM 6.2 | NuGet | CVE-2026-46557 | ImageMagick: Stack overflow in fx operation
MEDIUM 5.3 | npm | CVE-2026-48049 | @hapi/inert has a static-file confinement bypass via sibling-prefix path
MEDIUM 5.0 | Go | CVE-2026-48096 | OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator caches that enables intra-store authorization-decision poisoning
MEDIUM 6.1 | Go | CVE-2026-41568 | Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
MEDIUM 6.5 | npm | CVE-2026-42853 | @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input
MEDIUM 6.5 | Maven | CVE-2026-41726 | In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header
MEDIUM 6.5 | Go | CVE-2026-54092 | File Browser has a DoS Vulnerability via Public Login API
MEDIUM 6.8 | Go | CVE-2026-54094 | File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope
MEDIUM 6.5 | npm | CVE-2026-48022 | @hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects
MEDIUM 6.5 | Go | CVE-2026-46371 | Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint
MEDIUM 5.4 | npm | CVE-2026-44311 | Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization
MEDIUM 6.5 | Go | CVE-2026-46370 | Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint
MEDIUM 5.3 | Maven | CVE-2023-45648 | Apache Tomcat Improper Input Validation vulnerability
MEDIUM 5.3 | Maven | CVE-2023-42795 | Apache Tomcat Incomplete Cleanup vulnerability
MEDIUM 4.0 | Maven | CVE-2026-45536 | Netty: Unix-socket fd receive leaks descriptors when peer sends two at once
MEDIUM 6.8 | Maven | CVE-2026-45673 | Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port
MEDIUM 5.3 | Maven | CVE-2026-47244 | Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced
MEDIUM 5.3 | Maven | CVE-2026-48043 | netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
MEDIUM 4.4 | Go | CVE-2026-47190 | IPAM controller service account granted unnecessary full access to Secrets
MEDIUM 6.5 | PyPI | CVE-2026-47157 | aiograpi: Unsafe signup challenge path handling
MEDIUM 4.8 | npm | CVE-2026-44490 | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
MEDIUM 5.3 | npm | CVE-2026-48038 | joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
MEDIUM 4.3 | PyPI | CVE-2026-53954 | Bugsink: DOS using large numbers of event tags
MEDIUM 6.1 | npm | CVE-2026-47250 | MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration
MEDIUM 5.9 | Go | CVE-2026-48154 | gorest InMemorySecret2FA race condition allows process crash via concurrent map access (CWE-362)
MEDIUM 6.5 | Maven | CVE-2025-58175 | GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution
MEDIUM 6.5 | npm | CVE-2026-48147 | Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
MEDIUM 6.5 | PyPI | CVE-2026-2734 | MLflow authenticated users can enumerate any registered model versions due to lack of per-model permissions checks
MEDIUM 6.7 | npm | CVE-2026-48121 | LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access
MEDIUM 6.8 | Go | GHSA-9r4w-jg96-92mv | Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList()
MEDIUM 6.6 | PyPI | CVE-2025-51481
MEDIUM 5.8 | PyPI | CVE-2026-48053 | Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset
MEDIUM 6.4 | Maven | CVE-2026-9087 | Keycloak: Insufficient verification proof scoping enables identity provider account linking attack and account compromise
MEDIUM 5.4 | npm | CVE-2022-25037 | wangEditor was discovered to contain a cross-site scripting (XSS) vulnerability via the image upload function
MEDIUM 6.1 | npm | CVE-2024-28635 | Cross-site scripting in Survey Creator
MEDIUM 4.1 | NuGet | CVE-2026-47165 | ImageMagick: Information Disclosure in distributed pixel cache server because it is not using a challenge–response authentication model
MEDIUM 4.1 | NuGet | CVE-2026-46693 | ImageMagick: Race Condition in distributed pixel cache server can result in file descriptor hijacking
MEDIUM 5.1 | NuGet | CVE-2026-45624 | ImageMagick: Heap Buffer Over-Read of 4 bytes in distort operation.
MEDIUM 5.5 | NuGet | CVE-2026-46521 | ImageMagick: Heap Buffer Over-Write in MIFF encoder when using LZMA compression
MEDIUM 5.3 | NuGet | CVE-2026-45664 | ImageMagick: Policy Bypass in MNG coder could
MEDIUM 6.5 | PyPI | CVE-2026-47213 | BoxLite has a Timeout Bypass Vulnerability
MEDIUM 6.2 | NuGet | CVE-2026-46523 | ImageMagick: Use-After-Free in MSL decoder.
MEDIUM 4.0 | NuGet | CVE-2026-46559 | ImageMagick: Heap Buffer Over-Write of a single byte in the JP2 encoder.
MEDIUM 5.7 | PyPI | CVE-2026-47734 | Dulwich has unbounded memory allocation in receive-pack from crafted thin packs
MEDIUM 4.3 | Maven | CVE-2026-42568 | Yamcs Vulnerable to LDAP Injection in LdapAuthModule
MEDIUM 4.3 | PyPI | CVE-2026-46645 | SQLAdmin: Authorization Bypass on `ajax_lookup`
MEDIUM 5.1 | NuGet | CVE-2026-42326 | ImageMagick: Heap Buffer Over-Read in IPTC encoder
MEDIUM 5.3 | NuGet | CVE-2026-45358 | ImageMagick: Out-of-Bounds Read of a single byte in meta encoder
MEDIUM 5.3 | NuGet | CVE-2026-45031 | ImageMagick: Policy Bypass in PSD decoder
MEDIUM 5.7 | NuGet | CVE-2026-45359 | ImageMagick: Out-of-Bounds Read in connected components when the user supplies an invalid keep-top define
MEDIUM 6.5 | PyPI | CVE-2026-48045 | python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood
MEDIUM 4.6 | PyPI | CVE-2026-45106 | Weblate: Stored HTML injection in editor search preview
MEDIUM 6.1 | npm | CVE-2026-30691 | @cyntler/react-doc-viewer's TXTRenderer fails to sanitize file content and explicitly casts raw data as a ReactNode
