The @cyclonedx/cdxgen package is vulnerable to credential leakage due to improper Docker registry origin validation. A flaw in how registry authentication endpoints are matched against configured credentials allows arbitrary downstream registries to capture private credentials.
The Phoenix Framework contains a high-severity Denial of Service vulnerability in its LongPoll transport mechanism. The vulnerability is caused by unbounded memory allocation when processing Newline Delimited JSON (NDJSON) payloads. Unauthenticated attackers can trigger Out-Of-Memory conditions on the host BEAM node, terminating all active sessions by forcing the server to evaluate excessive newline characters.
CVE-2026-44499 is a composite Denial of Service (DoS) vulnerability affecting Zebra, the Rust implementation of a Zcash full node. By exploiting architectural flaws in the peer-to-peer (P2P) communication stack, an unauthenticated attacker can saturate internal message queues and poison the chain discovery process, permanently isolating the target node from the network.
The fast-uri library exhibits an interpretation conflict vulnerability due to improper handling of percent-encoded authority delimiters during normalization. This flaw enables attackers to bypass domain validation and perform host confusion attacks against downstream components.
CVE-2026-43944 is a critical vulnerability in the electerm client that allows for arbitrary local code execution. The application insecurely parses deep link arguments and merges untrusted JSON directly into the core session configuration. This enables attackers to override internal state variables, hijacking the application's execution flow to spawn malicious local binaries.
A critical session management vulnerability in Nhost's authentication service allows attackers to maintain unauthorized access following a password reset. The password update operation fails to invalidate existing refresh tokens in the database, violating standard session revocation principles and rendering password changes ineffective as an incident response measure.
The fast-uri library (versions ≤ 3.1.0) contains a high-severity path traversal vulnerability due to an order-of-operations flaw during URI normalization. The library incorrectly decodes percent-encoded path separators (%2F) and dot segments (%2E) prior to applying dot-segment removal algorithms, allowing attackers to bypass path-based access controls and filters.
Multiple high-severity vulnerabilities were identified in the `n8n-mcp` package prior to version 2.50.1. These vulnerabilities include a Path Traversal flaw in the API client, a Server-Side Request Forgery (SSRF) bypass via redirect-following, and an Information Exposure vulnerability in the telemetry service. Collectively, these flaws permit credential theft, internal network access, and the leakage of sensitive workflow configurations.
The vm2 package for Node.js provides a software-based sandbox for untrusted code execution. Vulnerability GHSA-2CM2-M3W5-GP2F enables an attacker to bypass these sandbox protections via the Transformer component. The issue resides in the parsing logic responsible for intercepting JavaScript property access. Attackers leverage custom prototypes and computed keys to expose the internal sandbox state mechanism, leading to full host compromise.
A stored Cross-Site Scripting (XSS) vulnerability exists in the Ech0 project's RSS feed generation component. The application fails to properly escape user-supplied tags and Markdown content before reflecting them in the `/rss` endpoint, allowing arbitrary JavaScript execution in vulnerable RSS readers.
The Ech0 lightweight publishing platform suffers from a missing authentication check (CWE-306) and missing authorization (CWE-862) on the `PUT /api/echo/like/:id` API endpoint. This vulnerability allows an unauthenticated remote attacker to arbitrarily inflate engagement metrics by repeatedly sending requests, falsifying social proof and generating unnecessary database writes.
The Ech0 lightweight publishing platform exposes an unauthenticated, rate-unlimited API endpoint that permits arbitrary modification of content metrics. Because this endpoint directly triggers database transactions and simultaneously invalidates multiple application cache layers, it serves as an exploitable vector for resource exhaustion Denial of Service (DoS) and cache-stampede attacks.