Vulnerabilities
Last updated 39 minutes ago
| Package | Summary | Severity | Published | Modified |
|---|---|---|---|---|
| | Malicious code in base58-core (npm) | Unknown | 1 day ago | 39 minutes ago |
| | Malicious code in @krentzen/buffer-reverse (npm) | Unknown | 1 hour ago | 39 minutes ago |
| | Malicious code in gptmini (npm) | Unknown | 1 hour ago | 39 minutes ago |
| | Malicious code in @langgraphjs/toolkit (npm) | Unknown | 2 months ago | 39 minutes ago |
| | MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827 | Medium Risk 4.5 | 6 months ago | 40 minutes ago |
| | nono-py has proxy-only network fallback bypass on older Linux kernels | Medium Risk 6.4 | 52 minutes ago | 40 minutes ago |
| | nono-py vulnerable to authorization bypass / policy confusion | Medium Risk 5.2 | 46 minutes ago | 40 minutes ago |
| | Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication | Critical 9.5 | 51 minutes ago | 40 minutes ago |
| | Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication | Critical 9.5 | 51 minutes ago | 40 minutes ago |
| | nono-py's policy JSON accepts unknown security fields | Medium Risk 5.2 | 44 minutes ago | 40 minutes ago |
| | Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties | Low Risk 3.0 | 3 months ago | 40 minutes ago |
| | Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS) | High Risk 8.0 | 11 months ago | 55 minutes ago |
| | Hysteria vulnerable to server crash when max_datagram_frame_size very small | High Risk 7.5 | 1 hour ago | 1 hour ago |
| | pgx contains memory-safety vulnerability | Critical 9.8 | 2 months ago | 1 hour ago |
| | @cyclonedx/cdxgen: Maven project scanning may allow shell command injection through repository-controlled module paths | Medium Risk 6.0 | 1 hour ago | 1 hour ago |
| | Hysteria has an authenticated UDP ACL bypass that enables localhost and private-network UDP SSRF | High Risk 7.4 | 1 hour ago | 1 hour ago |
| | Oj: intern.c form_attr (uninitialized stack read) | Medium Risk 5.3 | 7 days ago | 1 hour ago |
| | Oj: Use-After-Free in Oj::Doc Iterators via Reentrant Close | High Risk 8.0 | 7 days ago | 1 hour ago |
| | Oj: Use-After-Free in Oj::Parser SAJ Callback via Input Mutation | High Risk 8.0 | 7 days ago | 1 hour ago |
| | Oj: Use-After-Free in Oj::Parser array_class/hash_class GC Marking | High Risk 8.0 | 7 days ago | 1 hour ago |
| | `melange update-cache` has unbounded HTTP download that can exhaust disk in CI in chainguard.dev/melange | Unknown | 3 months ago | 1 hour ago |
| | containerd CRI — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull in github.com/containerd/containerd | Unknown | 22 hours ago | 1 hour ago |
| | containerd CRI — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull in github.com/containerd/containerd | Unknown | 22 hours ago | 1 hour ago |
| | Oj: Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent | High Risk 8.0 | 7 days ago | 1 hour ago |
| | Oj: Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input | High Risk 7.5 | 7 days ago | 1 hour ago |
| | Oj: Stack Buffer Overflow in Oj.dump via Large Indent | High Risk 8.0 | 7 days ago | 1 hour ago |
| | Oj: Negative-Size memcpy in Oj::Parser create_id Attribute Handling | High Risk 8.0 | 7 days ago | 1 hour ago |
| | Oj: Use-After-Free in Oj::Parser SAJ Long Key Callback | High Risk 8.0 | 7 days ago | 1 hour ago |
| | containerd image-triggered runtime DoS via unbounded group parsing in github.com/containerd/containerd | Unknown | 22 hours ago | 1 hour ago |
| | containerd image-triggered runtime DoS via unbounded group parsing in github.com/containerd/containerd | Unknown | 22 hours ago | 1 hour ago |
| | Oj: Use-After-Free in Oj::Parser Symbol Key Cache Toggle | High Risk 8.0 | 7 days ago | 1 hour ago |
| | Oj: Integer Overflow in Oj.load 2GB String Handling | High Risk 8.0 | 7 days ago | 1 hour ago |
| | `melange update-cache` has unbounded HTTP download that can exhaust disk in CI | Medium Risk 4.3 | 3 months ago | 1 hour ago |
| | Malicious code in disksweep (npm) | Unknown | 2 hours ago | 1 hour ago |
| | Git credentials are exposed in Atlantis logs | High Risk 8.0 | 1 year ago | 1 hour ago |
| | lxd has a restricted TLS certificate privilege escalation when in PKI mode | Low Risk 3.8 | 1 year ago | 1 hour ago |
| | Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing | High Risk 8.2 | 1 hour ago | 1 hour ago |
| | Faraday: Uncontrolled recursion in NestedParamsEncoder allows stack exhaustion DoS via deeply nested query parameters | High Risk 7.5 | 7 days ago | 1 hour ago |
| | pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678) | Medium Risk 6.8 | 2 hours ago | 1 hour ago |
| | pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678) | Medium Risk 6.8 | 2 hours ago | 1 hour ago |
| | Apptainer has incorrect path matching for 'limit container paths' directive | Medium Risk 4.8 | 2 hours ago | 1 hour ago |
| | Incus has an arbitrary file write on its client due to trusted image hash | Critical 9.9 | 2 hours ago | 1 hour ago |
| | Incus has an argument injection in backup compression algorithm leading to AFW and ACE | Critical 9.9 | 2 hours ago | 2 hours ago |
| | Incus: CreateCustomVolumeFromBackup nil-pointer dereference on volume_snapshots[*].expires_at (sibling-field variant of GHSA-r7w7) | Low Risk 3.0 | 2 hours ago | 2 hours ago |
| | @sigstore/core has DSSE payloadType type-binding failure | Medium Risk 5.4 | 2 hours ago | 2 hours ago |
| | Malicious code in self-certificate (npm) | Unknown | 15 days ago | 2 hours ago |
| | Malicious code in @appupdate/cdn-sync (npm) | Unknown | 3 hours ago | 2 hours ago |
| | Malicious code in chai-as-assured (npm) | Unknown | 3 hours ago | 2 hours ago |
| | Malicious code in db-dx-connector (npm) | Unknown | 17 days ago | 2 hours ago |
| | Malicious code in react-dynamic-table-compenent (npm) | Unknown | 3 hours ago | 2 hours ago |