Latest vulnerabilities
A live feed of the known-exploited and high-severity vulnerabilities Stateward watches for, drawn from CISA KEV and OSV, alongside the landmark npm supply-chain attacks and Web3 exploits that define the threat. This is the same intelligence Stateward continuously checks your dependencies against, with curated mitigation recommendations for each entry.
476 advisories · 256 curated incidents · 25 sources · automated feed updated 2026-06-18
- MEDIUM · Supply chain · GHSA-HHPQ-7WG4-36JM · composer · cakephp/authentication
  CakePHP Authentication: Open redirect weakness via backslash bypass
- CRITICAL · Supply chain · GHSA-8FQ9-273G-6MRG · rubygems · avo
  Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation
- MEDIUM · Supply chain · GHSA-X2QC-CMH9-F4HF · rust · deno
  Deno: Denial of service via non-ASCII bytes in WebSocket response headers
- CRITICAL · Supply chain · GHSA-2F55-G35J-5JMF · maven · ca.uhn.hapi.fhir:org.hl7.fhir.utilities
  HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory
- HIGH · Supply chain · GHSA-FXJ4-P9XP-37V5 · maven · ca.uhn.hapi.fhir:org.hl7.fhir.dstu2
  HAPI FHIR: Incomplete fix for CVE-2026-45367: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS
- CRITICAL · Supply chain · GHSA-X223-P2GF-V735 · pip · langflow
  Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak
- HIGH · Supply chain · GHSA-R4GV-QR8J-P3PG · maven · com.github.jknack:handlebars
  handlebars.java FileTemplateLoader Path Traversal
- HIGH · Supply chain · GHSA-M9CV-24RX-8MV7 · composer · filament/forms
  Filament: Disabled RichEditor field state can be used for XSS
- HIGH · Supply chain · GHSA-2MFG-CC43-9PCJ · maven · dev.langchain4j:langchain4j-mariadb
  LangChain4j: SQL injection via metadata filters in langchain4j-mariadb and langchain4j-pgvector
- MEDIUM · Supply chain · GHSA-GWXR-7H77-7777 · go · github.com/projectcapsule/capsule
  Capsule: Incomplete fix of CVE-2026-30963: singular/plural typo leaves namespaces/finalize unprotected
- MEDIUM · Supply chain · GHSA-MX8G-39Q3-5C79 · npm · webpack-dev-server
  webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
- HIGH · Supply chain · GHSA-72GW-MP4G-V24J · npm · multer
  Multer vulnerable to Denial of Service via deeply nested field names
- MEDIUM · Supply chain · GHSA-3P4H-7M6X-2HCM · npm · multer
  Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads
- MEDIUM · Supply chain · GHSA-J5R2-4C8J-XC3M · go · github.com/go-gitea/gitea
  Gitea: Open Redirect via redirect_to
- HIGH · Supply chain · GHSA-9CPJ-QC93-VW8V · go · code.gitea.io/gitea
  Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer
- HIGH · Supply chain · GHSA-WRR5-99H5-GQ57 · go · code.gitea.io/gitea
  Gitea: Public-only tokens bypass private-resource restrictions on `/api/v1/user` self routes
- HIGH · Supply chain · GHSA-FHX7-M96W-MV29 · go · code.gitea.io/gitea
  Gitea: API Fork Missing CanCreateOrgRepo Check Allows Org Secret Exfiltration
- MEDIUM · Supply chain · GHSA-QWXF-2M7M-2M3X · go · github.com/daytonaio/daytona
  Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join
- MEDIUM · Supply chain · GHSA-FG94-H982-F3MM · npm · @anthropic-ai/claude-code
  Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch
- MEDIUM · Supply chain · GHSA-8788-J68R-3CGH · pip · open-webui
  Open WebUI: Any authenticated user can read other users' private notes via Socket.IO
- MEDIUM · Supply chain · GHSA-9RPJ-V7HF-VV2W · pip · open-webui
  Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter
- MEDIUM · Supply chain · GHSA-P5CP-R7RG-QPXC · pip · open-webui
  Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode
- HIGH · Supply chain · GHSA-JRFP-M64G-PCWV · pip · open-webui
  Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects
- HIGH · Supply chain · GHSA-R2WG-2MCR-66RV · pip · open-webui
  Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal
- HIGH · Supply chain · GHSA-RJXQ-QQHF-8HWH · npm · openclaw
  OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin
- MEDIUM · Supply chain · GHSA-CX9V-4QJ2-JRW6 · pip · open-webui
  Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration
- MEDIUM · Supply chain · GHSA-4R4W-2WGP-W7CJ · pip · open-webui
  Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion
- MEDIUM · Supply chain · GHSA-J2C8-V969-8R5C · pip · open-webui
  Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}
- HIGH · Supply chain · GHSA-V2QM-5WXJ-QHJ7 · pip · open-webui
  Open WebUI: Stored XSS to Account Takeover via Model Profile Images
- HIGH · Supply chain · GHSA-VJQM-6GCC-62CR · pip · open-webui
  Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion
- HIGH · Supply chain · GHSA-V8QJ-HXV7-MGVV · pip · open-webui
  Open WebUI: Stored XSS in Mermaid Markdown Preview
- HIGH · Supply chain · GHSA-VRHC-3FR6-PC3C · pip · open-webui
  Open WebUI: Forged chat-file link allows cross-user file read and deletion
- MEDIUM · Supply chain · GHSA-WCH8-MHJ5-9FRG · pip · open-webui
  Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field
- HIGH · Supply chain · GHSA-226F-F24G-524W · pip · open-webui
  Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401)
- HIGH · Supply chain · GHSA-3VV5-8XXP-4F55 · pip · open-webui
  Open WebUI: Cross-origin postMessage confirmation bypass via action:submit
- MEDIUM · Supply chain · GHSA-F3G7-59QC-PQG6 · pip · open-webui
  Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar
Stateward checks your dependencies against this intelligence on every pull request, and tells you only what actually reaches your code.