Identifier index
Verified CVE reproductions
Public CVE-backed security reproductions with runnable sandbox proof, affected package/version metadata, artifacts, and permanent REPRO IDs.
117 CVE-backed records
CVE-2026-48611
REPRO-2026-00223 published
phpBB authentication bypass/account hijacking via OAuth login-link flow with arbitrary auth_provider=apache
CVE-2026-48611 critical Security github
phpbb/phpbb
22m 9s Jul 4, 2026
CVE-2026-48558
REPRO-2026-00222 published
SimpleHelp OIDC authentication accepts unsigned/forged ID tokens, enabling remote authentication bypass and possible MFA bypass in versions 5.5.15 and earlier and 6.0 prereleases prior to the fixed release.
CVE-2026-48558 critical Security other (commercial, Java-based server application)
SimpleHelp
94m 25s Jul 4, 2026
CVE-2026-31694
REPRO-2026-00221 published
Linux kernel FUSE readdir cache out-of-bounds write
CVE-2026-31694 high Security
Linux kernel (FUSE subsystem)
63m 5s Jul 3, 2026
CVE-2026-59092
REPRO-2026-00220 published
JuiceFS through 1.3.1 exposes debug/metrics endpoints via shared http.DefaultServeMux, enabling authentication bypass and leakage of sensitive metadata connection strings, with potential DoS via profiling handlers.
CVE-2026-59092 high Security go
JuiceFS (juicedata/juicefs)
14m 46s Jul 3, 2026
CVE-2026-58466
REPRO-2026-00219 published
AutoBangumi before 3.2.8 seeds a default admin account on empty databases, allowing unauthenticated users to log in with publicly known default credentials and gain full control.
CVE-2026-58466 critical Security standalone application (Python/FastAPI)
EstrellaXD/Auto_Bangumi
14m 56s Jul 3, 2026
CVE-2026-52830
REPRO-2026-00218 published
fast-mcp-telegram <=0.19.0 allows bearer token path traversal to authenticate as the default telegram.session, bypassing reserved session name protections and enabling unauthorized access to Telegram MCP tools.
CVE-2026-52830 critical Security pip
fast-mcp-telegram
17m 51s Jul 3, 2026
CVE-2026-49352
REPRO-2026-00217 published
9router hardcoded default fallback JWT secret allows authentication bypass
CVE-2026-49352 critical Security github
decolua/9router
13m 50s Jul 3, 2026
CVE-2026-43503
REPRO-2026-00212 published
DirtyClone Linux kernel page-cache corruption privilege escalation
CVE-2026-43503 critical Security linux
Linux kernel
70m 55s Jul 3, 2026
CVE-2026-43456
REPRO-2026-00211 published
Linux kernel bonding can inherit header_ops from non‑Ethernet slaves (e.g., GRE), causing type confusion and kernel crashes when dev_hard_header() is invoked on the bond device.
CVE-2026-43456 high Security linux
Linux kernel (bonding driver)
64m 59s Jul 3, 2026
CVE-2026-48816
REPRO-2026-00210 published
sigstore-js Insufficient Verification of Data Authenticity
CVE-2026-48816 medium Security github
sigstore/sigstore-js
18m 54s Jul 2, 2026
CVE-2026-54502
REPRO-2026-00209 published
Oj Ruby gem stack buffer overflow via large :indent value
CVE-2026-54502 medium Security Ruby
oj
18m 33s Jul 2, 2026
CVE-2026-54500
REPRO-2026-00208 published
Oj Ruby gem uninitialized stack memory leak via long JSON keys
CVE-2026-54500 medium Security
oj (Optimized JSON) Ruby gem
20m 41s Jul 2, 2026
CVE-2026-14198
REPRO-2026-00207 published
@fastify/middie encoded slash bypass on parameterized middleware paths
CVE-2026-14198 critical Security
@fastify/middie
9m 46s Jul 2, 2026
CVE-2026-41579
REPRO-2026-00206 published
runc symlink deletion via malicious /dev symlink in container image
CVE-2026-41579 low Security
github.com/opencontainers/runc
25m 21s Jul 2, 2026
CVE-2026-49857
REPRO-2026-00205 published
auth-fetch-mcp SSRF via IPv4-mapped IPv6 loopback bypass
CVE-2026-49857 high Security npm
ymw0407/auth-fetch-mcp
17m 11s Jul 2, 2026
CVE-2026-11380
REPRO-2026-00203 published
JetWidgets For Elementor Stored XSS via Animated Box animation_effect
CVE-2026-11380 medium Security
jetmonsters/jetwidgets-for-elementor
29m 27s Jul 2, 2026
CVE-2026-4983
REPRO-2026-00202 published
Open VSX Registry serves HTML inline enabling session/token exfiltration
CVE-2026-4983 medium Security
Eclipse Open VSX (openvsx server)
36m 21s Jul 2, 2026
CVE-2026-33017
REPRO-2026-00201 published
Unauthenticated RCE in Langflow via public flow build endpoint
CVE-2026-33017 critical Security pip
langflow
25m 8s Jul 2, 2026
CVE-2024-23897
REPRO-2026-00200 published
Jenkins CLI arbitrary file read via @ argument expansion
CVE-2024-23897 critical Security generic
jenkins
21m 31s Jul 2, 2026
CVE-2024-23334
REPRO-2026-00199 published
aiohttp static file directory traversal via follow_symlinks
CVE-2024-23334 high Security pip
aiohttp
11m 4s Jul 2, 2026
CVE-2025-29927
REPRO-2026-00198 published
Next.js middleware authorization bypass via x-middleware-subrequest
CVE-2025-29927 critical Security npm
next
37m 24s Jul 2, 2026
CVE-2025-55182
REPRO-2026-00196 published
React Server Components Flight protocol remote code execution
CVE-2025-55182 critical Security npm
react-server-dom-webpack
34m 46s Jul 2, 2026
CVE-2025-30208
REPRO-2026-00195 published
Vite dev server access control can be bypassed using crafted query strings, allowing arbitrary file reads via the @fs handler when the dev server is exposed to the network.
CVE-2025-30208 medium Security npm
vite
23m 11s Jul 1, 2026
CVE-2026-8054
REPRO-2026-00194 published
Unauthenticated SQL injection in dotCMS Publish Audit API
CVE-2026-8054 critical Security github
dotCMS/core
116m 7s Jul 1, 2026
CVE-2026-35025
REPRO-2026-00193 published
ProFTPD ACL bypass via /proc/self/root path prefix in RNFR
CVE-2026-35025 high Security github
proftpd/proftpd
88m 18s Jul 1, 2026
CVE-2026-52813
REPRO-2026-00192 published
Gogs path traversal in organization name results in RCE through Git hooks
CVE-2026-52813 critical Security github
gogs/gogs
29m 54s Jul 1, 2026
CVE-2026-55200
REPRO-2026-00186 published
libssh2 via curl: malformed SSH packet length crashes SFTP client
CVE-2026-55200 critical Security c
libssh2
11m 23s Jun 25, 2026
CVE-2026-7474
REPRO-2026-00185 published
HashiCorp Nomad: path traversal in host volume plugin loader → client-host RCE
CVE-2026-7474 high Security go
nomad
48m 9s May 28, 2026
CVE-2026-5199
REPRO-2026-00184 published
Temporal Server: batcher worker cross-namespace authorization bypass (BatchActivityWithProtobuf)
CVE-2026-5199 medium Security go
temporal
72m 49s May 28, 2026
CVE-2026-33721
REPRO-2026-00183 published
MapServer: heap-buffer-overflow in SLD Categorize parser (msSLDParseRasterSymbolizer)
CVE-2026-33721 high Security c
mapserver
14m 33s May 28, 2026
CVE-2026-5466
REPRO-2026-00173 published
wolfSSL: ECCSI universal signature forgery via missing scalar range check
CVE-2026-5466 high Security source
wolfssl
16m 28s May 28, 2026
CVE-2026-5479
REPRO-2026-00172 published
wolfSSL: EVP ChaCha20-Poly1305 decryption returns plaintext without verifying authentication tag
CVE-2026-5479 high Security source
wolfssl
12m 46s May 28, 2026
CVE-2026-27654
REPRO-2026-00171 published
nginx WebDAV: heap-buffer-overflow in COPY/MOVE with alias directive
CVE-2026-27654 high Security source
nginx
21m 40s May 28, 2026
CVE-2026-32316
REPRO-2026-00170 published
jq: integer overflow in jv_string_concat triggers heap buffer overflow on large strings
CVE-2026-32316 high Security github
jq
32m 33s May 28, 2026
CVE-2026-40900
REPRO-2026-00169 published
DataEase: stacked-query SQL injection via previewSql with allowMultiQueries
CVE-2026-40900 high Security github
dataease
58m 29s May 26, 2026
CVE-2026-23958
REPRO-2026-00168 published
DataEase: authentication bypass via password-derived HMAC JWT signing key
CVE-2026-23958 high Security github
dataease
100m 11s May 25, 2026
CVE-2026-40901
REPRO-2026-00167 published
DataEase: Quartz JobStore Java deserialization RCE via QRTZ_JOB_DETAILS
CVE-2026-40901 high Security github
dataease
179m 9s May 25, 2026
CVE-2026-40899
REPRO-2026-00165 published
DataEase: JDBC parameter blocklist bypass via Lombok @Data setter exposure
CVE-2026-40899 medium Security github
dataease
111m 23s May 25, 2026
CVE-2026-42796
REPRO-2026-00160 published
Arelle: unauthenticated RCE via /rest/configure plugins URL parameter
CVE-2026-42796 critical Security pip
arelle
48m 18s May 23, 2026
CVE-2026-32740
REPRO-2026-00159 published
libheif: heap-buffer-overflow write decoding 1x4 grid of odd-height tiles
CVE-2026-32740 high Security c
libheif
41m 53s May 23, 2026
CVE-2026-42091
REPRO-2026-00158 published
goshs: PUT upload accepts cross-origin requests without CSRF token
CVE-2026-42091 medium Security go
github.com/patrickhener/goshs
35m 17s May 23, 2026
CVE-2026-30246
REPRO-2026-00157 published
Fiber v3: cache middleware key collision leaks responses across different query strings
CVE-2026-30246 medium Security go
github.com/gofiber/fiber/v3
27m 11s May 23, 2026
CVE-2026-39850
REPRO-2026-00156 published
Yii2: local file inclusion via View::renderPhpFile extract() of caller-controlled params
CVE-2026-39850 high Security composer
yiisoft/yii2
15m 11s May 23, 2026
CVE-2026-44471
REPRO-2026-00155 published
gitoxide (gix-fs): symlink worktree escape on checkout writes files outside the worktree
CVE-2026-44471 high Security cargo
gix-fs
33m 22s May 22, 2026
CVE-2026-35397
REPRO-2026-00153 published
Jupyter Server: path traversal via faulty startswith() root containment check
CVE-2026-35397 high Security pip
jupyter-server
25m 14s May 22, 2026
CVE-2026-42574
REPRO-2026-00152 published
apko: symlink-following path traversal writes files outside the build root
CVE-2026-42574 high Security go
apko
20m 23s May 22, 2026
CVE-2026-24425
REPRO-2026-00151 published
Twig: sandbox bypass via SourcePolicy filter check enables arbitrary PHP callables
CVE-2026-24425 high Security composer
twig/twig
13m 7s May 22, 2026
CVE-2026-34084
REPRO-2026-00150 published
PhpSpreadsheet: SSRF via unsafe stream wrapper in IOFactory::load()
CVE-2026-34084 critical Security composer
phpoffice/phpspreadsheet
12m 53s May 22, 2026
CVE-2026-44340
REPRO-2026-00149 published
PraisonAI: ZipSlip path traversal via unchecked tar symlink linkname in _safe_extractall
CVE-2026-44340 high Security pip
praisonai
17m 42s May 22, 2026
CVE-2026-33079
REPRO-2026-00148 published
Mistune: ReDoS via catastrophic backtracking in LINK_TITLE_RE
CVE-2026-33079 high Security pip
mistune
14m 50s May 22, 2026
CVE-2026-25765
REPRO-2026-00147 published
Faraday: SSRF via protocol-relative URL overriding base authority
CVE-2026-25765 medium Security rubygems
faraday
10m 15s May 22, 2026
CVE-2026-6322
REPRO-2026-00146 published
fast-uri: host confusion via percent-encoded authority delimiter in normalize()
CVE-2026-6322 high Security npm
fast-uri
10m 18s May 22, 2026
CVE-2026-6321
REPRO-2026-00145 published
fast-uri: path traversal via percent-encoded segments decoded before normalization
CVE-2026-6321 high Security npm
fast-uri
10m 8s May 22, 2026
CVE-2026-46364
REPRO-2026-00144 published
phpMyFAQ: unauthenticated SQL injection via User-Agent header in captcha API
CVE-2026-46364 critical Security composer
thorsten/phpmyfaq
62m 14s May 22, 2026
CVE-2026-25244
REPRO-2026-00143 published
@wdio/browserstack-service: OS command injection via crafted git branch name
CVE-2026-25244 critical Security npm
@wdio/browserstack-service
59m 49s May 22, 2026
CVE-2026-32738
REPRO-2026-00142 published
libheif: integer underflow out-of-bounds read crash via crafted HEIF stsc box
CVE-2026-32738 medium Security c
libheif
50m 30s May 22, 2026
CVE-2026-45232
REPRO-2026-00141 published
rsync: off-by-one out-of-bounds stack write in establish_proxy_connection
CVE-2026-45232 low Security c
rsync
29m 29s May 22, 2026
CVE-2026-37281
REPRO-2026-00140 published
zenshin: OS command injection in /stream-to-vlc url query parameter
CVE-2026-37281 critical Security
zenshin
28m 3s May 22, 2026
CVE-2026-44699
REPRO-2026-00139 published
libjwt: JWT algorithm-confusion authentication bypass via RSA JWK without alg
CVE-2026-44699 critical Security c
libjwt
13m 26s May 22, 2026
CVE-2026-32871
REPRO-2026-00138 published
FastMCP: path traversal to authenticated SSRF in OpenAPIProvider _build_url()
CVE-2026-32871 high Security pip
fastmcp
37m 15s May 22, 2026
CVE-2026-8813
REPRO-2026-00137 published
ExifReader: unbounded memory amplification DoS via crafted ICC mluc tag
CVE-2026-8813 high Security npm
exifreader
35m 45s May 22, 2026
CVE-2026-45539
REPRO-2026-00136 published
Microsoft APM: arbitrary file disclosure via symlink-following on apm install
CVE-2026-45539 high Security pip
apm
29m 1s May 22, 2026
CVE-2026-8657
REPRO-2026-00135 published
jsondiffpatch: prototype pollution via crafted delta in patch()
CVE-2026-8657 high Security npm
jsondiffpatch
23m 26s May 22, 2026
CVE-2025-13465
REPRO-2026-00134 published
lodash: prototype pollution in _.unset/_.omit deletes global prototype methods
CVE-2025-13465 medium Security npm
lodash
29m 27s May 22, 2026
CVE-2026-9082
REPRO-2026-00133 published
Drupal core: unauthenticated SQL injection via JSON:API filter array keys
CVE-2026-9082 critical Security composer
drupal/core
21m 27s May 22, 2026
CVE-2025-0520
REPRO-2026-00132 published
ShowDoc Unauthenticated File Upload RCE via deprecated ThinkPHP syntax
CVE-2025-0520 critical Security github
showdoc/showdoc
139m 41s Apr 14, 2026
CVE-2026-34486
REPRO-2026-00131 published
Apache Tomcat EncryptInterceptor Bypass via CVE-2026-29146 Fix Error - Missing Encryption of Sensitive Data
CVE-2026-34486 high Security
Apache Tomcat
19m 38s Apr 14, 2026
CVE-2026-5463
REPRO-2026-00130 published
pymetasploit3 command injection
CVE-2026-5463 critical Security PyPI
DanMcInerney/pymetasploit3
36m 8s Apr 4, 2026
CVE-2026-34742
REPRO-2026-00129 published
Go MCP SDK DNS Rebinding - Server-Side Request Forgery on AI Infrastructure
CVE-2026-34742 high Security Go module
github.com/modelcontextprotocol/go-sdk
38m 55s Apr 4, 2026
CVE-2026-34752
REPRO-2026-00128 published
Haraka Mail Server DoS via __proto__ prototype pollution in email headers
CVE-2026-34752 high Security github
npm/Haraka
17m 5s Apr 4, 2026
CVE-2026-34441
REPRO-2026-00127 published
cpp-httplib HTTP Request Smuggling via Unconsumed GET Request Body
CVE-2026-34441 high Security github
yhirose/cpp-httplib
61m 29s Apr 4, 2026
CVE-2026-5245
REPRO-2026-00126 published
Cesanta Mongoose mDNS Stack Buffer Overflow - Remote Code Execution PoC
CVE-2026-5245 critical Security github
cesanta/mongoose
53m 53s Apr 2, 2026
CVE-2026-27876
REPRO-2026-00125 published
Grafana SQL Expressions RCE
CVE-2026-27876 critical Security github
grafana/grafana
59m 16s Apr 1, 2026
CVE-2026-34714
REPRO-2026-00124 published
Vim modeline handling for the tabpanel option allows sandbox escape via autocmd_add, enabling OS command execution when opening a crafted file.
CVE-2026-34714 high Security github
Vim
19m 38s Apr 1, 2026
CVE-2026-24747
REPRO-2026-00119 published
PyTorch: weights_only Unpickler RCE via SETITEM Type Confusion
CVE-2026-24747 high Security pip
torch
48m 8s Mar 2, 2026
CVE-2026-21518
REPRO-2026-00118 published
cve-2026-21518
CVE-2026-21518 medium Security
40m 34s Feb 21, 2026
CVE-2026-27203
REPRO-2026-00115 published
eBay MCP Server Environment Variable Injection via Crafted Prompts
CVE-2026-27203 critical Security npm
@anthropic-ai/ebay-mcp-server
11m 39s Feb 20, 2026
CVE-2026-27194
REPRO-2026-00114 published
D-Tale Remote Code Execution via Custom Filter Input
CVE-2026-27194 critical Security pip
dtale
11m 53s Feb 20, 2026
CVE-2026-27192
REPRO-2026-00113 published
Feathers OAuth Authorization Header Leak to Third-Party
CVE-2026-27192 high Security npm
@feathersjs/authentication-oauth
7m 45s Feb 20, 2026
CVE-2026-27197
REPRO-2026-00112 published
Statamic CMS Stored XSS via Markdown Fieldtype
CVE-2026-27197 high Security composer
statamic/cms
7m 48s Feb 20, 2026
CVE-2026-27198
REPRO-2026-00111 published
Formwork CMS Improper Privilege Management in User Creation
CVE-2026-27198 high Security composer
getformwork/formwork
12m 42s Feb 20, 2026
CVE-2026-27190
REPRO-2026-00110 published
Deno Command Injection via Incomplete Metacharacter Blocklist
CVE-2026-27190 high Security rust
deno
10m 5s Feb 20, 2026
CVE-2026-27191
REPRO-2026-00109 published
Feathers OAuth Open Redirect Account Takeover
CVE-2026-27191 high Security npm
@feathersjs/authentication-oauth
12m 54s Feb 20, 2026
CVE-2026-27206
REPRO-2026-00108 published
Zumba JSON Serializer PHP Object Injection
CVE-2026-27206 high Security composer
zumba/json-serializer
11m 26s Feb 20, 2026
CVE-2026-27212
REPRO-2026-00107 published
Swiper Prototype Pollution
CVE-2026-27212 critical Security npm
swiper
10m 21s Feb 20, 2026
CVE-2026-27013
REPRO-2026-00105 published
Fabric.js: Stored XSS via SVG Export
CVE-2026-27013 high Security npm
fabric
16m 24s Feb 19, 2026
CVE-2026-26280
REPRO-2026-00104 published
systeminformation: Command Injection via WiFi Interface Parameter
CVE-2026-26280 high Security npm
systeminformation
19m 36s Feb 19, 2026
CVE-2026-25755
REPRO-2026-00103 published
jsPDF: PDF Object Injection via Unsanitized addJS Input
CVE-2026-25755 high Security npm
jspdf
14m 30s Feb 19, 2026
CVE-2026-25940
REPRO-2026-00102 published
jsPDF: PDF Injection in AcroForm RadioButton allows JS Execution
CVE-2026-25940 high Security npm
jspdf
23m 38s Feb 19, 2026
CVE-2026-26990
REPRO-2026-00101 published
LibreNMS: Time-Based Blind SQL Injection in address-search
CVE-2026-26990 high Security composer
librenms/librenms
11m 33s Feb 19, 2026
CVE-2026-26318
REPRO-2026-00100 published
systeminformation: Command Injection via locate Output
CVE-2026-26318 high Security npm
systeminformation
18m 44s Feb 19, 2026
CVE-2026-26030
REPRO-2026-00099 published
Semantic Kernel: RCE via InMemoryVectorStore Filter
CVE-2026-26030 critical Security pip
semantic-kernel
25m 13s Feb 19, 2026
CVE-2026-25881
REPRO-2026-00098 published
SandboxJS: Host Prototype Pollution via Array Intermediary (Sandbox Escape)
CVE-2026-25881 critical Security npm
@nyariv/sandboxjs
16m 1s Feb 19, 2026
CVE-2026-1774
REPRO-2026-00097 published
CASL Ability: Prototype Pollution via Condition Handling
CVE-2026-1774 critical Security npm
@casl/ability
6m 19s Feb 19, 2026
CVE-2026-26190
REPRO-2026-00096 published
Milvus: Unauthenticated Access to Restful API on Metrics Port Leading to System Compromise
CVE-2026-26190 critical Security go
github.com/milvus-io/milvus
16m 18s Feb 19, 2026
CVE-2026-26273
REPRO-2026-00095 published
Known CMS: Account Takeover via Password Reset Token Leakage
CVE-2026-26273 critical Security composer
idno/known
17m 40s Feb 19, 2026
CVE-2026-26216
REPRO-2026-00093 published
Crawl4AI: Remote Code Execution in Docker API via Hooks Parameter
CVE-2026-26216 critical Security pip
Crawl4AI
10m 34s Feb 19, 2026
CVE-2026-25544
REPRO-2026-00092 published
Payload CMS: Blind SQL Injection in JSON/RichText Queries via Drizzle Adapters
CVE-2026-25544 critical Security npm
@payloadcms/drizzle
15m 33s Feb 19, 2026
CVE-2026-26980
REPRO-2026-00091 published
Ghost CMS: Unauthenticated SQL Injection in Content API Slug Filter
CVE-2026-26980 critical Security npm
ghost
4m 15s Feb 19, 2026
CVE-2025-8088
REPRO-2026-00090 published
WinRAR ADS Path Traversal — Arbitrary Code Execution via Crafted Archive (CVE-2025-8088)
CVE-2025-8088 high Security
123m 42s Feb 17, 2026
CVE-2026-26007
REPRO-2026-00089 published
pyca/cryptography SECT curve public key parsing lacks subgroup validation, enabling small-subgroup attacks that leak ECDH private key bits and allow ECDSA signature forgery.
CVE-2026-26007 high Security
cryptography (pip)
6m 32s Feb 15, 2026
CVE-2026-23906
REPRO-2026-00087 published
Apache Druid basic security LDAP authenticator can be bypassed when the LDAP server allows anonymous binds, permitting login with any existing username and an empty password.
CVE-2026-23906 critical Security Maven
org.apache.druid.extensions:druid-basic-security
48m 55s Feb 13, 2026
CVE-2026-24770
REPRO-2026-00086 published
RAGFlow MinerU parser Zip Slip allows arbitrary file overwrite and potential RCE via malicious ZIP archives.
CVE-2026-24770 Security pip (per GitHub advisory)
ragflow (RAGFlow)
8m 19s Feb 13, 2026
CVE-2025-64712
REPRO-2026-00084 published
Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write
CVE-2025-64712 Security pypi
unstructured
4m 50s Feb 13, 2026
CVE-2026-24009
REPRO-2026-00080 published
Docling-core YAML Deserialization RCE via FullLoader
CVE-2026-24009 high Security pip
docling-core
6m 1s Feb 13, 2026
CVE-2026-22807
REPRO-2026-00078 published
vLLM RCE via auto_map dynamic module loading
CVE-2026-22807 high Security pip
vllm
19m 50s Jan 22, 2026
CVE-2025-68145
REPRO-2026-00076 published
MCP Server Git: Path Traversal via Missing Repository Path Validation
CVE-2025-68145 medium Security pip
mcp-server-git
11m 29s Jan 21, 2026
CVE-2025-60021
REPRO-2026-00072 published
Apache bRPC: Remote Command Injection in Heap Profiler
CVE-2025-60021 high Security cpp
brpc
47m 53s Jan 21, 2026
CVE-2026-23535
REPRO-2026-00070 published
wlc: Path traversal via unsanitized API slugs in download command
CVE-2026-23535 high Security pip
wlc
20m 59s Jan 17, 2026
CVE-2025-58367
REPRO-2026-00063 published
deepdiff: Class Pollution RCE via Delta Tuple Path Bypass
CVE-2025-58367 critical Security pip
deepdiff
1m 7s Jan 13, 2026
CVE-2025-64439
REPRO-2026-00062 published
langgraph-checkpoint: Constructor Deserialization RCE in JsonPlusSerializer
CVE-2025-64439 high Security pip
langgraph-checkpoint
1m 7s Jan 12, 2026
CVE-2025-61765
REPRO-2026-00061 published
python-socketio: Pickle Deserialization RCE in PubSub Manager
CVE-2025-61765 medium Security pip
python-socketio
1m 5s Jan 12, 2026
CVE-2025-68456
REPRO-2026-00054 published
Craft CMS: Unauthenticated Database Backup Trigger
CVE-2025-68456 medium Security composer
craftcms/cms
36m 45s Jan 8, 2026
CVE-2025-67303
REPRO-2026-00052 published
ComfyUI-Manager: Configuration File Exposure via Web-Accessible Path
CVE-2025-67303 high Security pip
ComfyUI-Manager
11m 32s Jan 8, 2026
CVE-2025-27520
REPRO-2026-00045 published
BentoML RCE via Insecure Deserialization
CVE-2025-27520 critical Security pip
bentoml
16m 37s Jan 7, 2026