Ixtli
Public Feed · Open Source Intelligence

Vulnerabilities & Supply Chain in real time

Tracking critical CVEs and supply chain incidents affecting open source dependencies. Data from OSV, NVD and Ixtli's own sources.

Critical: 24 · High: 46 · Total vulns: 293 · Incidents: 0
HIGH · CVE-2026-3520 · npm · CVSS 7.5
multer → fix: 2.0.2
Multer vulnerable to Denial of Service via unhandled exception from malformed request

HIGH · CVE-2025-58754 · npm · CVSS 7.5
axios → fix: 0.30.0
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL

HIGH · CVE-2026-24049 · PyPI · CVSS 7.1
wheel → fix: 0.46.2
Wheel Affected by Arbitrary File Permission Modification via Path Traversal in wheel unpack

CRITICAL · CVE-2026-33916 · npm · CVSS 9.8
handlebars → fix: 4.7.9
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial

HIGH · CVE-2026-24486 · PyPI · CVSS 8.6
python-multipart → fix: 0.0.22
Python-Multipart has Arbitrary File Write via Non-Default Configuration

HIGH · CVE-2024-6866 · PyPI · CVSS 7.5
flask-cors → fix: 6.0.0
Flask-CORS vulnerable to Improper Handling of Case Sensitivity

HIGH · CVE-2024-6827 · PyPI · CVSS 7.5
gunicorn → fix: 22.0.0
Request smuggling leading to endpoint restriction bypass in Gunicorn

HIGH · CVE-2026-23490 · PyPI · CVSS 7.5
pyasn1 → fix: 0.6.3
Denial of Service in pyasn1 via Unbounded Recursion

HIGH · CVE-2026-32597 · PyPI · CVSS 7.5
pyjwt → fix: 2.12.0
PyJWT accepts unknown `crit` header extensions

HIGH · CVE-2026-27904 · npm · CVSS 7.5
minimatch → fix: 5.1.7
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

HIGH · CVE-2026-32141 · npm · CVSS 7.5
flatted → fix: 3.4.0
flatted vulnerable to unbounded recursion DoS in parse() revive phase

HIGH · CVE-2025-64756 · npm · CVSS 7.5
glob → fix: 10.5.0
glob CLI: Command injection via -c/--cmd executes matches with shell:true

CRITICAL · CVE-2026-27606 · npm · CVSS 9.8
rollup → fix: 2.80.0
Rollup 4 has Arbitrary File Write via Path Traversal

HIGH · CVE-2024-23342 · PyPI · CVSS 7.4
ecdsa
Minerva timing attack on P-256 in python-ecdsa

HIGH · CVE-2026-24001 · npm · CVSS 7.5
diff → fix: 4.0.4
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch

HIGH · CVE-2021-23567 · npm · CVSS 7.5
colors
Infinite Loop in colors.js

CRITICAL · CVE-2026-27699 · npm · CVSS 9.1
basic-ftp → fix: 5.2.0
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method

HIGH · CVE-2025-66471 · PyPI · CVSS 7.5
urllib3 → fix: 2.6.3
Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)

HIGH · CVE-2025-47273 · PyPI · CVSS 8.8
setuptools → fix: 70.0.0
setuptools vulnerable to Command Injection via package URL

HIGH · CVE-2025-56200 · npm · CVSS 7.5
validator → fix: 13.15.22
Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements