Top/Articles/OSS Supply Chain Scanner β€” paste package.json, requirements.txt, pyproject.toml
oss-supply-chain-scanner-cover-en

OSS Supply Chain Scanner β€” paste package.json, requirements.txt, pyproject.toml

Paste a package.json, requirements.txt, or pyproject.toml and instantly check your dependencies against OSV.dev's vulnerability database. Free, browser-only, no signup. Supports npm, pip, Poetry, uv, and Rye. Built as a hub for our axios, LiteLLM, Trivy, and GlassWorm supply chain coverage.

LabPublished May 27, 2026Last updated May 28, 2026
Table of contents
Key takeaways

Paste a package.json, requirements.txt, or pyproject.toml and instantly check your dependencies against OSV.dev's vulnerability database. Free, browser-only, no signup. Supports npm, pip, Poetry, uv, and Rye. Built as a hub for our axios, LiteLLM, Trivy, and GlassWorm supply chain coverage.

Paste your dependencies, get the answer in 10 seconds. A free, browser-only scanner.

Paste a package.json, requirements.txt, or pyproject.toml, hit Scan, and the tool tells you whether any of your declared dependencies has a known vulnerability. No signup, no install, just the browser.

The motivation comes from the past six months: axios (1 billion weekly downloads) compromised, LiteLLM hijacked, Trivy triggering a cascade that took down four OSS in ten days, GlassWorm hiding malware in invisible characters. OSS supply chain attacks are now routine. I wanted a 10-second answer to "is my project actually OK?" without firing up a CLI.

Try pasting your file in the textarea below. The three sample buttons load an npm, pip, or Poetry example.

OSS Supply Chain Scanner

Examples:

Data source: OSV.dev (Google, CC BY 4.0). The query runs entirely in your browser; pasted content is sent only to OSV.dev.

Quick glossary β€” what CVE, OSV, and "dependencies" actually mean

If you ran the scanner and the results came back full of CVE, GHSA, and OSV labels, or you are not sure what a package.json "dependency" even is, here is the one-level-down explanation for the terms in this article. Engineers with a vulnerability scanner already in CI can skip this section.

TermIn one sentenceA level deeper
dependencyA piece of someone else's code
your project borrows to run
A typical web app pulls in dozens to thousands
of libraries. This tool inspects only the ones
you borrow directly.
package.jsonThe dependency list
for Node.js / npm projects
A JSON file declaring "this project uses
this library at this version range".
requirements.txtThe dependency list
for Python / pip projects
The file pip install -r requirements.txt
reads to install everything at once.
pyproject.tomlThe modern dependency list
for Python (Poetry / uv / Rye)
The successor to requirements.txt,
following the PEP 621 standard.
Describes the whole project in one file.
CVEThe global tracking number
for a security flaw
Common Vulnerabilities and Exposures.
Format: CVE-2026-8832.
Coordinated by MITRE in the US.
GHSAGitHub's own
security advisory ID
GitHub Security Advisory.
Format: GHSA-xxxx-xxxx-xxxx.
Tightly coupled to npm / PyPI; sometimes
published before a CVE number is assigned.
OSVA federated database
of vulnerability records
Open Source Vulnerability.
Hosted by Google, aggregates GitHub,
PyPA, Rust Foundation, and more.
This is the database the scanner queries.
SemVerThe global convention
for version numbers
Semantic Versioning.
1.2.3 = major.minor.patch.
^1.2.3 means "latest 1.x".
supply chain
attack
A library you trust
gets quietly poisoned
Attacker publishes a malicious version
of a library with millions of downloads.
Every project that pulls the update
is infected at once.

Read end-to-end, the scanner does this: read the list of libraries your project borrows (package.json and friends), and check each one against the global wound register (OSV) keyed by the security flaw IDs (CVE / GHSA). A supply chain attack is when one of those borrowed libraries itself gets poisoned β€” imagine the locksmith who cut your house key being bought off.

If your team already runs npm audit or Trivy in CI, this exact lookup is happening behind the scenes on every build. This tool is just that same lookup, manually, in your browser, once.

Why browser-only?

Tools that do this already exist: npm audit, pip-audit, Trivy, Snyk, Dependabot. If you are a professional engineer, you have probably wired one of them into CI.

But the real-world friction shows up elsewhere:

  • Β· A vendor sends you a package.json and you want a sanity check before the PR review
  • Β· An OSS supply chain attack hits the news and your Slack lights up with "are we affected?"
  • Β· You spot an interesting GitHub repo and want a dependency health check before cloning
  • Β· You need to audit code written by a non-engineer manager or a freelance contractor

In all of these, installing a tool locally is too much friction, corporate proxies block CLIs, or you simply lack permission. Paste-and-click takes 10 seconds.

The other reason is that I wanted a landing point for the individual incident articles on this site. axios, LiteLLM, Trivy, GlassWorm, TeamPCPβ€”each post tells the story of an attack, but until now there was no "and here is how you check yours" exit. This tool is that exit.

How it works under the hood

There is no backend. The page is HTML and JavaScript; whatever you paste is sent straight to the OSV.dev public API and the result is rendered in the browser. OSV.dev is a vulnerability database operated by Google, aggregating GitHub Security Advisory, PyPA, the Rust Foundation, and other upstream sources. It is unauthenticated, CORS-enabled, and accepts up to 1,000 packages per batch.

The pipeline is four steps:

StepWhat happensLibrary used
(1) Format detectionStarts with { β†’ npm. Contains [project] β†’ Poetry/
PEP 621. Otherwise requirements.txt.
Hand-rolled heuristic
(2) Dep extractionJSON.parse / TOML parse /
regex per line
smol-toml
(3) Version normalizationResolve ^1.7.7 or >=2.0.0,<3
to the lowest compatible version
semver
(4) Vulnerability matchPOST all deps to OSV.dev
/v1/querybatch in one request
fetch API

Step (3) was the messiest. OSV.dev does not accept SemVer ranges like ^1.7.7, so we collapse a range to its lowest compatible version using semver.minVersion() and query that. It is the safer side to err on.

So "axios": "^1.7.7" is queried as 1.7.7 even if your install resolves to 1.7.9 or 1.8.2. Without lock files we cannot do better, and accepting that tradeoff is what keeps the tool useful for declaration-only files.

The match itself looks like this (the full source is in the page HTML):

// Ship every dep to OSV.dev in a single batch
const queries = deps.map(d => ({
  package: { name: d.name, ecosystem: d.ecosystem }, // npm / PyPI
  version: d.resolvedVersion,                         // normalized via semver.minVersion()
}));

const res = await fetch("https://api.osv.dev/v1/querybatch", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ queries }),
});
const { results } = await res.json();
// results[i] is the vuln list for deps[i].

No backend means there is nothing for me to operate, but more importantly your package.json, even one from a proprietary internal project, never touches my servers. OSV.dev is the only third party in the loop, and they are transparent about what they store.

The fine print on each input format

package.json (npm / yarn / pnpm)

All four dependency fields are picked up: dependencies, devDependencies, optionalDependencies, peerDependencies. Excluded: workspaces (local refs), npm: aliases, and VCS specs like git+ssh://.

requirements.txt (pip / pip-tools / pipenv-lock exports)

Supports the operators ==, >=, ~=, !=. Comma-separated specs on a single line (django>=4.0,<5.0) collapse to the lowest version. Lines starting with -r, -e, or --index-url, plus # comments, are skipped.

pyproject.toml (Poetry / uv / Rye / PEP 621)

Two competing styles coexist in the wild; both are supported:

  • β–Έ PEP 621 standard (uv, Rye, Hatch, etc.): the array [project].dependencies and the table [project.optional-dependencies]. Each entry is a PEP 508 string like "requests>=2.28.0".
  • β–Έ Poetry style: the table [tool.poetry.dependencies] and grouped [tool.poetry.group.*.dependencies]. Values are SemVer-flavored strings ("^2.28.0") or inline tables like { version = "...", extras = [...] }.

Parsing is done with the lightweight smol-toml library. The python entry and any inline tables with path, git, or url (local or VCS refs) are excluded from the OSV query.

What this tool does not catch

Worth listing the blind spots so the tool is not over-trusted:

  • ? Transitive dependencies are invisible. Only the top-level deps you declared are scanned. A lock file (package-lock.json, poetry.lock) would cover them, but this tool intentionally targets the small declaration files.
  • ? Range-only specs are scored at their lowest version. Your actually-installed version may be newer and unaffected, or older and worse off. Treat this as a coarse health check, not a 0-day verdict.
  • ? Unpublished vulnerabilities won't appear. There is always a window between disclosure and OSV.dev indexing.
  • ? Pure malware injection isn't detected. If a compromised package was assigned a CVE or GHSA, it shows up; if it wasn't (the first 24 hours of most supply chain attacks), nothing here will help. GlassWorm-style invisible-character malware is also out of scope.

For real coverage you need npm audit or Trivy in CI, SBOM discipline, and committed lock files. This tool is the "paste-and-glance" rung below that.

Recent OSS supply chain attacks (2025–2026)

Below is a timeline of the supply chain incidents covered on this site over the past several months. Each row links to the full write-up with the detection details and blast radius at the time.

WhenIncidentScopeArticle
2026-05axios npm hijack1B weekly downloads
RAT planted in package
axios article
2026-04Trivy cascade4 OSS fell in 10 days
the defender's tool itself broken
cascade / Trivy 3rd time
2026-04Telnyx PyPI breachMalware hidden
inside a WAV file
Telnyx
2025-12LiteLLM hijack95M monthly downloads
Python startup = pwn
LiteLLM / .pth trace
2025-10GlassWormMalware hidden in
invisible Unicode chars
GlassWorm

The technique changes every time, but the entry point is the same: "a package you trust bumps a version, and somewhere in there a stranger has rewritten the contents." Routinely glancing at the dependency file you never touch is, in effect, a defense line.

Roadmap and requests

Current scope stops at "paste three formats." Planned for the next pass:

  • β–Έ package-lock.json and poetry.lock support (transitive deps included)
  • β–Έ Gemfile / Cargo.toml / go.mod
  • β–Έ Direct GitHub URL scanning (needs an API proxy for CORS)

If something is missing for your workflow, drop a comment or use the contact form and the priority list gets reshuffled.

Sources and licensing

OSV.dev vulnerability metadata is redistributed under CC BY 4.0. This tool is an independent client and is not an OSV.dev or Google product.

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django

Related articles

mcp-server-kubernetes-cve-cover-en
News

AI-to-Kubernetes tool mcp-server-kubernetes flaw leaks admin credentials (CVE-2026-61459)

July 11, 2026
9router-cve-cover-en
News

9Router flaws leak stored API keys and tokens (CVE-2026-55500 and more)

July 11, 2026
cline-cve-cover-en
News

Popular AI Coding Tool Cline Hijackable by Any Website (CVE-2026-59723): Command Execution and API Key Theft β€” Update to 3.0.30

July 9, 2026
repomix-ssrf-cve-cover-en
News

Critical SSRF in Repomix (CVE-2026-59702): The Popular AI Code-Packing Tool's Server Could Leak Cloud Keys β€” Update to 1.14.1

July 9, 2026
cve-digest-2026-07-08-cover-en
News

July 8, 2026 Security Vulnerability Roundup: Plesk, ArcGIS, Self-Hosted AI Tools and More β€” Does It Affect You?

July 8, 2026
ray-cve-cover-en
News

Ray AI Framework Flaw CVE-2026-57516: Loading a Malicious Dataset Triggers Server Takeover β€” Update to 2.56.0

July 2, 2026
fastify-middie-cve-cover-en
News

Fastify middie flaw CVE-2026-14198 lets a crafted URL bypass auth; update to 9.3.3

July 1, 2026
llama-factory-cve-cover-en
News

LLaMA-Factory RCE Flaw (CVE-2026-58116): An Exposed Web UI Lets Anyone Hijack the Server

June 30, 2026
snowflake-cli-cve-cover-en
News

Code Injection in Snowflake CLI (CVE-2026-13749, CVSS 8.8): Building a Malicious Project Can Take Over Your Machine β€” Update to 3.19.0

June 30, 2026
vscode-java-cve-cover-en
News

Command Injection in vscode-java (CVE-2026-12856, CVSS 8.8): A Malicious Java File Can Take Over Your Machine β€” Update to 1.55.0

June 30, 2026
libzypp-cve-cover-en
News

Path Traversal in libzypp, the openSUSE/SUSE Updater (CVE-2026-25707, CVSS up to 8.8) β€” Update Now

June 29, 2026
fluentd-cve-cover-en
News

Fluentd Hit by Unauthenticated RCE (CVE-2026-44024, CVSS 9.8) Plus 5 More β€” Update to v1.19.3 Now

June 29, 2026
kestra-cve-cover-en
News

Critical Kestra flaws (CVE-2026-53576/49869): unauthenticated root RCE

June 27, 2026
mise-cve-cover-en
News

Critical mise flaws CVE-2026-33646/55441: cd into a repo, code runs

June 27, 2026
pnpm-cve-cover-en
News

pnpm Hit by 2 Serious Flaws Letting Malicious Code Hijack Developer Machines (CVE-2026-55698)

June 26, 2026
appsmith-cve-cover-en
News

Reverse-Proxy Takeover Flaw in Low-Code Platform Appsmith (CVE-2026-55454) β€” Update to v2.1

June 25, 2026
cacti-cve-cover-en
News

Unauthenticated Database-Theft Flaw in Network Monitor Cacti (CVE-2026-39893) β€” Update to v1.2.31

June 25, 2026
gogs-cve-cover-en
News

Six Flaws in Self-Hosted Git Service Gogs, Unauthenticated Takeover (CVE-2026-52813 and More) β€” Update to v0.14.3

June 25, 2026
ghost-cve-cover-en
News

Cache-Poisoning Takeover Flaw in Publishing Platform Ghost (CVE-2026-53943) β€” Update to v6.37.0

June 25, 2026
rclone-cve-cover-en
News

Unauthenticated Remote Takeover Flaw in Cloud Sync Tool Rclone (CVE-2026-49980) β€” Update to v1.74.3

June 25, 2026
warp-cve-cover-en
News

Four Flaws in AI Agent Terminal Warp (CVE-2026-48704 and More) β€” Update to the Latest Build

June 25, 2026
feast-cve-cover-en
News

Unauthenticated Flaws Pile Up in ML Feature Store Feast: Server Takeover and Arbitrary File Write (CVE-2026-56121 & CVE-2026-23537) β€” Update to v0.63.0

June 25, 2026
capgo-cve-cover-en
News

Many Flaws in Capacitor Live-Update Service Capgo (CVE-2026-56237 and More) β€” Update to v12.128.2 Now

June 24, 2026
style-dictionary-cve-2026-54639-prototype-pollution-cover-en
News

Style Dictionary flaw CVE-2026-54639: a crafted token can poison your build β€” update to 5.4.4

June 24, 2026
moneyforward-security-incidents-cover-en
News

Money Forward: ~62,901 records may have leaked β€” personal data left on GitHub

June 24, 2026
expr-eval-cve-2026-12866-code-injection-cover-en
News

expr-eval Code Injection via toJSFunction (CVE-2026-12866, CVSS 9.8): Never Pass Untrusted Input, Move to expr-eval-fork

June 23, 2026
vllm-cve-2026-48746-54232-cover-en
News

Two vLLM Flaws: API-Key Bypass (CVE-2026-48746, CVSS 9.1) & Dependency Confusion (CVE-2026-54232) β€” Update to 0.22.1

June 23, 2026
crawl4ai-cve-2026-56266-cover-en
News

Unauthenticated SSRF in Crawl4AI: CVE-2026-56266 (CVSS 8.6/9.2) β€” Update to 0.8.7

June 23, 2026
siyuan-cve-2026-56395-56397-bazaar-xss-rce-cover-en-update
News

Four new takeover flaws in the SiYuan note app (CVE-2026-50551 et al.): update to 3.7.0

June 22, 2026
crawl4ai-cve-2026-56265-docker-jwt-hardcoded-key-auth-bypass-cover-en-0707
News

Unauthenticated takeover in AI crawler Crawl4AI (CVE-2026-57572, CVSS 10.0): update to 0.9.0

June 22, 2026
prefect-cve-2026-5366-git-argument-injection-rce-cover-en
News

Server takeover flaw in Prefect (CVE-2026-5366): update to the latest

June 21, 2026
flowise-cve-2024-58351-overrideconfig-rce-cover-en
News

Four new critical flaws in AI builder Flowise β€” CVE-2025-71338 is a perfect-10.0 RCE with no patch

June 21, 2026
mcp-pinot-cve-2026-49257-unauth-tool-invocation-cover-en
News

mcp-pinot, the Bridge Between AI and Your Database, Lets Anyone In: CVE-2026-49257, Update to v3.1.0

June 19, 2026
cassandra-cve-2026-47846-bitnami-default-credentials-cover-en
News

Bitnami Cassandra Images Leave a Default Password Active: CVE-2026-47846, Update Now

June 19, 2026
autogpt-cve-2026-55237-dom-xss-open-redirect-cover-en
News

Account Takeover Flaw in AI Agent Tool AutoGPT: CVE-2026-55237, Update to 0.6.62

June 19, 2026
ffmpeg-cve-2026-8461-magicyuv-oob-write-cover-en
News

FFmpeg Takeover Flaw via Crafted Video Files: CVE-2026-8461, Update to 8.1.2 Now

June 19, 2026
picklescan-cve-2026-3490-detection-bypass-8-flaws-cover-en
News

Picklescan Can Be Bypassed: 8 Flaws Let Malicious AI Models Pass as Safe (CVE-2026-3490), Update to v1.0.4

June 18, 2026
joomla-jce-cve-2026-48907-unauth-rce-cover-en-rewrite
News

Joomla Sites Using the JCE Editor Can Be Taken Over: Update to 2.9.99.6 Now (CVE-2026-48907)

June 17, 2026
the-events-calendar-cve-2026-49772-unauth-sql-injection-cover-en
News

The Events Calendar CVE-2026-49772: Unauth SQL Injection, Patch Now

June 16, 2026
i18next-cve-2026-48713-48714-prototype-pollution-cover-en
News

Two Unauthenticated Flaws in the i18n Library i18next: CVE-2026-48713 / 48714

June 16, 2026
wordpress-plugins-june-2026-critical-vulnerabilities-roundup-cover-en
News

Takeover Flaws Across Many WordPress Plugins: June 2026 Disclosure, Update Each One Now

June 16, 2026
spring-ai-cve-2026-47835-vector-store-query-injection-cover-en
News

Query-Injection Flaw in Spring AI Vector Stores: CVE-2026-47835, Update to 1.0.9 / 1.1.8 Now

June 16, 2026
major-hacker-ransomware-groups-directory-cover-en
Roundup

Hacker and Ransomware Groups Explained: Qilin, Anonymous, and Attacks on Japan

June 15, 2026
sanitize-html-xss-bypass-xmp-cve-2026-44990-cover-en
News

XSS Flaw in the Popular HTML Sanitizer sanitize-html: Update to 2.17.4 β€” CVE-2026-44990

June 13, 2026
netty-dns-cache-poisoning-cve-2026-45674-45673-47691-cover-en
News

Netty Flaws Let Attackers Reroute Your Traffic via DNS Cache Poisoning β€” Update to 4.1.135.Final (CVE-2026-45674)

June 13, 2026
vm2-sandbox-escape-cve-2026-47131-47208-rce-octet-cover-en
News

Eight Sandbox-Escape Flaws Hit vm2, Three Rated Max Severity β€” Patch to 3.11.4 Now (CVE-2026-47131)

June 13, 2026
axios-proxy-ssrf-mitm-cve-2026-44492-44494-cover-en
News

axios Flaws Let Attackers Steal Credentials via Proxy SSRF and Prototype-Pollution MITM β€” Update to 1.16.0 Now (CVE-2026-44492 / CVE-2026-44494)

June 12, 2026
gitlab-security-release-cve-2026-6552-account-takeover-cover-en
News

GitLab Patches 14 More Flaws: Self-Managed Servers Should Update to 19.1.1 (CVE-2026-10086)

June 11, 2026
npm-v12-install-scripts-opt-in-no-auto-run-cover-en
Lab

npm v12: Dependency Install Scripts No Longer Run Automatically

June 11, 2026
litellm-cve-2026-42271-mcp-command-injection-unauth-rce-cover-en
News

LiteLLM Unauthenticated RCE via MCP: CVE-2026-42271 (Now in CISA KEV) β€” Upgrade to 1.83.7

June 9, 2026
guardrails-ai-cve-2026-45758-pypi-supply-chain-teampcp-cover-en
News

AI Component Guardrails AI Hit by a Poisoned Package: CVE-2026-45758, TeamPCP's New Target

June 6, 2026
markdown-preview-enhanced-cve-2026-49492-49493-50733-vscode-rce-cover-en
News

Markdown Preview Enhanced (VS Code Extension): Opening a Markdown File Can Run Code, CVE-2026-49492/49493/50733, Update to 0.8.28

June 6, 2026
bartender-cve-2026-25550-net-remoting-rce-cover-en
News

Unauthenticated Takeover in Label Software BarTender (CVE-2026-25550): Legacy 2010/2016/2019 at Risk

June 5, 2026
tautulli-cve-2026-43986-plex-monitor-takeover-cover-en
News

Plex Companion Tautulli Hit by Five Flaws (CVE-2026-43986 and More): Update to v2.17.1

June 5, 2026
openstack-mistral-cve-2026-41283-policy-bypass-rce-cover-en
News

Critical Takeover Flaw in OpenStack Mistral: CVE-2026-41283 Lets Any Logged-In User Run Code

June 4, 2026
mirasvit-cache-warmer-cve-2026-45247-magento-rce-cover-en
News

Magento Stores Face Server Takeover Flaw CVE-2026-45247, Already Under Attack

June 4, 2026
apache-mina-cve-2026-47065-deserialization-rce-cover-en
News

Apache MINA Flaw CVE-2026-47065 Lets Attackers Take Over Servers Without a Login

June 3, 2026
japan-enterprise-vulnerabilities-2026-jvn-roundup-cover-en
News

Major Vulnerabilities in Products Japanese Enterprises Use, H1 2026

June 1, 2026
otrs-cve-2026-48188-sql-injection-auth-bypass-cover-en
News

CVE-2026-48188: OTRS Helpdesk Auth Bypass, No Login Needed (Fix 2026.4.X)

June 1, 2026
fujitsu-serverview-agents-cve-2026-27788-32325-privilege-escalation-cover-en
News

ServerView Agents for Windows Flaws CVE-2026-27788 / 32325: SYSTEM Privilege Escalation

June 1, 2026
casdoor-cve-2026-9090-9098-sso-auth-bypass-cover-en
News

Casdoor SSO Auth Bypass (CVE-2026-9090 to 9098): No Patch Yet, Here Is How to Lock It Down Now

June 1, 2026
opencats-cve-2026-49489-sql-injection-cover-en
News

OpenCATS flaw exposes the entire candidate database (CVE-2026-49489)

May 31, 2026
mautic-cve-2026-9558-twig-ssti-may-bundle-cover-en
News

Mautic Hit by Twig-Theme SSTI RCE: CVE-2026-9558, Bundled May Patch Fixes 7 CVEs

May 29, 2026
vllm-cve-2026-4944-trust-remote-code-hardcoded-rce-cover-en
News

vLLM Ignores --trust-remote-code=False: Third RCE, CVE-2026-4944

May 29, 2026
zed-editor-cve-2026-44461-44466-malicious-repo-rce-quartet-cover-en
News

Zed Editor RCE Fix (CVE-2026-44461–44466): Update to 0.229.0 β€” Opening a Malicious Repo Runs Code on Your Machine

May 29, 2026
tinymce-cve-2026-47759-47762-stored-xss-quartet-cover-en
News

TinyMCE Stored XSS Fix (CVE-2026-47759–47762): Patch to 8.5.1 / 7.9.3 / 5.11.1 β€” Editors Can Hijack Admin

May 29, 2026
samba-cve-2026-4408-check-password-script-rce-cover-en
News

Unauthenticated RCE in Samba: CVE-2026-4408 Injects Commands via %u in check password script, Patch to 4.24.3 Now

May 28, 2026
jupyter-server-cve-2025-61669-login-open-redirect-cover-en
News

Phishing Redirect Flaw in Jupyter Server CVE-2025-61669: Researcher Logins In The Crosshairs

May 28, 2026
goobi-viewer-cve-2026-45083-solr-unauth-streaming-cover-en
News

Goobi Viewer Hit by Unauthenticated CVE-2026-45083: Digital Archives At Risk

May 28, 2026
pi-alert-cve-2026-44887-44888-config-injection-cover-en
News

Two Unauthenticated RCEs in Pi.Alert: CVE-2026-44887 / 44888 Hit Home Network Watchers

May 28, 2026
gladinet-triofox-cve-2026-8362-8363-8364-unauth-rce-cover-en
News

Three Critical Flaws Hit Gladinet Triofox: CVE-2026-8362 / 8363 / 8364, Enterprise File Sharing At Risk

May 28, 2026
budibase-cve-2026-46425-five-flaws-low-code-bypass-cover-en
News

Budibase Hit by Five Critical Authz Flaws: CVE-2026-46425 et al., Update to v3.39.0

May 28, 2026
dalfox-cve-2026-45087-rest-api-unauth-rce-cover-en
News

XSS Scanner Dalfox Hit by Unauthenticated RCE: CVE-2026-45087 (CVSS 10.0)

May 28, 2026
free5gc-cve-2026-44315-44326-44327-44329-44330-noauth-bypass-cover-en
News

free5GC Hit by Five Critical Auth Bypass Flaws: CVE-2026-44315/26/27/29/30

May 28, 2026
tanstack-nx-console-supply-chain-cve-2026-45321-48027-cover-en
News

From TanStack to Nx Console: Chained Supply-Chain Attack CVE-2026-45321 / CVE-2026-48027

May 28, 2026
libvnc-cve-2026-44988-malicious-server-oob-write-cover-en
News

LibVNCClient Flaw CVE-2026-44988: Malicious VNC Server Can Hijack Your PC On Connect

May 28, 2026
langflow-cve-2026-7524-tar-symlink-rce-cover-en
News

Critical Langflow Flaw CVE-2026-7524: TAR Symlinks Leak JWT Secret, Chain to RCE

May 28, 2026
cisa-kev-dashboard-ja-cover-en
Lab

CISA KEV Dashboard in Japanese β€” Browse the Actively Exploited Catalog

May 27, 2026