
Hall of Fame

BugBunny.ai CVEs across open source software, developer tooling, infrastructure, and modern AI stacks. Public records show details; reserved entries stay as placeholders.

CVEs discovered: 66
Public records: 52
Peak CVSS: 9.9
Reserved placeholders: 14

Severity Timeline

Every BugBunny CVE plotted against time and impact

Each point is either a public advisory or a reserved placeholder. The x-axis tracks disclosure time; the y-axis is the numeric CVSS score.

[Severity Timeline chart: x-axis Jun 2025 to May 2026 by disclosure date; y-axis CVSS 0 to 10; legend: Critical, High, Medium, Low, Details withheld]

CVE Records (66)

Public CVEs include readable metadata or advisories. Reserved CVEs show only the assigned number and score.

High / critical: 32

High · Public · CVSS 8.7/10 (v3.1)

May 7, 2026

CVE-2026-43888

Outline Stored XSS

Public advisory metadata records a stored cross-site scripting issue in Outline.

Stored XSS
Outline · CVE metadata only
Medium · Public · CVSS 6.5/10 (v3.1)

May 7, 2026

CVE-2026-43889

Outline Access Control Issue

Public advisory metadata records an access-control issue in Outline.

Access Control
Outline · CVE metadata only
Critical · Public · CVSS 9.9/10 (v3.1)

May 5, 2026

CVE-2026-43999

vm2 Sandbox Escape

Public advisory metadata records a critical vm2 sandbox escape discovered through BugBunny research.

Sandbox Escape
vm2 · CVE metadata only
High · Public · CVSS 8.5/10 (v3.1)

May 5, 2026

CVE-2026-43998

vm2 Sandbox Boundary Bypass

Public advisory metadata records a high-impact vm2 sandbox boundary bypass discovered through BugBunny research.

Sandbox Escape
vm2 · CVE metadata only
Medium · Public · CVSS 6.5/10 (v3.1)

May 4, 2026

CVE-2026-42883

Audiobookshelf Access Control Issue

Public advisory metadata records an Audiobookshelf access-control issue discovered through BugBunny research.

Access Control
Audiobookshelf · CVE metadata only
Medium · Public · CVSS 4.3/10 (v3.1)

May 4, 2026

CVE-2026-42884

Audiobookshelf Authorization Issue

Public advisory metadata records an Audiobookshelf authorization issue discovered through BugBunny research.

Authorization
Audiobookshelf · CVE metadata only
Medium · Public · CVSS 4.3/10 (v3.1)

May 4, 2026

CVE-2026-42885

Audiobookshelf Authorization Issue

Public advisory metadata records an Audiobookshelf authorization issue discovered through BugBunny research.

Authorization
Audiobookshelf · CVE metadata only
Medium · Public · CVSS 4.9/10 (v3.1)

May 4, 2026

CVE-2026-42886

Audiobookshelf Authorization Issue

Public advisory metadata records an Audiobookshelf authorization issue discovered through BugBunny research.

Authorization
Audiobookshelf · CVE metadata only
High · Reserved · CVSS 7.8/10 (v3.1)

April 22, 2026

CVE-2026-41590

Disclosure details are withheld until the CVE or advisory is public.

Reserved
Reserved CVE · Details withheld
Medium · Public · CVSS 5.0/10 (v3.1)

April 20, 2026

CVE-2026-41131

OpenFGA Authorization Issue

Public advisory metadata records an OpenFGA authorization issue discovered through BugBunny research.

Authorization
OpenFGA · CVE metadata only
Unscored · Reserved · CVSS pending

April 20, 2026

CVE-2026-40914

Disclosure details are withheld until the CVE or advisory is public.

Reserved
Reserved CVE · Details withheld
Unscored · Reserved · CVSS pending

April 18, 2026

CVE-2026-40454

Disclosure details are withheld until the CVE or advisory is public.

Reserved
Reserved CVE · Details withheld
Medium · Public · CVSS 5.3/10 (v3.1)

April 16, 2026

CVE-2026-40304

zrok Broken Ownership Check

Public advisory metadata records a broken ownership check in zrok that affected frontend record deletion.

Broken Access Control
zrok · CVE metadata only
Medium · Public · CVSS 6.1/10 (v3.1)

April 16, 2026

CVE-2026-40302

zrok OAuth Callback Reflected XSS

Public advisory metadata records a reflected XSS issue in zrok OAuth callback error rendering.

Reflected XSS
zrok · CVE metadata only
Medium · Public · CVSS 6.5/10 (v3.1)

April 10, 2026

CVE-2026-40293

OpenFGA Authorization Issue

Public advisory metadata records an OpenFGA authorization issue discovered through BugBunny research.

Authorization
OpenFGA · CVE metadata only
High · Reserved · CVSS 8.7/10 (v3.1)

April 10, 2026

CVE-2026-40165

Disclosure details are withheld until the CVE or advisory is public.

Reserved
Reserved CVE · Details withheld
High · Public · CVSS 7.5/10 (v3.1)

April 7, 2026

CVE-2026-35441

Directus Security Boundary Issue

Public advisory metadata records a high-impact Directus security boundary issue discovered through BugBunny research.

Access Control
Directus · CVE metadata only
Medium · Public · CVSS 5.0/10 (v3.1)

April 6, 2026

CVE-2026-34972

OpenFGA Authorization Model Disclosure

Public advisory metadata records an OpenFGA authorization-model disclosure issue discovered through BugBunny research.

Information Disclosure
OpenFGA · CVE metadata only
High · Public · CVSS 8.7/10 (v3.1)

April 4, 2026

CVE-2026-35214

Budibase Plugin Upload Path Traversal

Public advisory metadata records path traversal in Budibase plugin upload handling, enabling arbitrary directory deletion and file write.

Path Traversal
Budibase · CVE metadata only
Medium · Public · CVSS 5.3/10 (v3.1)

April 2, 2026

CVE-2026-35413

Directus Security Boundary Issue

Public advisory metadata records a Directus security boundary issue discovered through BugBunny research.

Access Control
Directus · CVE metadata only
High · Public · CVSS 7.1/10 (v3.1)

April 2, 2026

CVE-2026-35412

Directus Security Boundary Issue

Public advisory metadata records a high-impact Directus security boundary issue discovered through BugBunny research.

Access Control
Directus · CVE metadata only
High · Public · CVSS 8.1/10 (v3.1)

April 1, 2026

CVE-2026-4800

lodash Template Code Injection

Public advisory metadata records code injection through the handling of the `imports` option key in lodash's template function.

Code Injection
lodash · CVE metadata only
Medium · Public · CVSS 6.5/10 (v3.1)

April 1, 2026

CVE-2026-34750

Payload Client Upload Filename Validation

Public advisory metadata records insufficient filename validation in Payload client-upload signed URL endpoints.

File Upload
Payload · CVE metadata only
Medium · Public · CVSS 5.4/10 (v3.1)

April 1, 2026

CVE-2026-34749

Payload Authentication CSRF Bypass

Public advisory metadata records a CSRF protection bypass in Payload authentication flow.

CSRF
Payload · CVE metadata only
High · Public · CVSS 8.7/10 (v3.1)

April 1, 2026

CVE-2026-34748

Payload Admin Stored XSS

Public advisory metadata records stored cross-site scripting in Payload admin panel handling.

Stored XSS
Payload · CVE metadata only
High · Public · CVSS 7.7/10 (v3.1)

April 1, 2026

CVE-2026-34746

Payload Upload SSRF

Public advisory metadata records authenticated server-side request forgery in Payload upload functionality.

SSRF
Payload · CVE metadata only
Medium · Public · CVSS 4.3/10 (v3.1)

March 28, 2026

CVE-2026-34595

Parse Server Authorization Issue

Public CVE metadata records a Parse Server authorization issue discovered through BugBunny research.

Authorization
Parse Server · CVE metadata only
Medium · Public · CVSS 5.4/10 (v3.1)

March 28, 2026

CVE-2026-34574

Parse Server Authorization Issue

Public CVE metadata records a Parse Server authorization issue discovered through BugBunny research.

Authorization
Parse Server · CVE metadata only
High · Public · CVSS 7.5/10 (v3.1)

March 28, 2026

CVE-2026-34573

Parse Server Security Boundary Issue

Public CVE metadata records a high-impact Parse Server security boundary issue discovered through BugBunny research.

Access Control
Parse Server · CVE metadata only
Critical · Public · CVSS 9.1/10 (v3.1)

March 28, 2026

CVE-2026-34532

Parse Server Critical Authorization Issue

Public CVE metadata records a critical Parse Server authorization issue discovered through BugBunny research.

Authorization
Parse Server · CVE metadata only
Medium · Reserved · CVSS 5.3/10 (v3.1)

March 26, 2026

CVE-2026-34198

Disclosure details are withheld until the CVE or advisory is public.

Reserved
Reserved CVE · Details withheld
High · Reserved · CVSS 8.0/10 (v3.1)

March 26, 2026

CVE-2026-34171

Disclosure details are withheld until the CVE or advisory is public.

Reserved
Reserved CVE · Details withheld
Medium · Reserved · CVSS 4.3/10 (v3.1)

March 26, 2026

CVE-2026-34170

Disclosure details are withheld until the CVE or advisory is public.

Reserved
Reserved CVE · Details withheld
Medium · Reserved · CVSS 5.0/10 (v3.1)

March 26, 2026

CVE-2026-34167

Disclosure details are withheld until the CVE or advisory is public.

Reserved
Reserved CVE · Details withheld
High · Reserved · CVSS 8.8/10 (v3.1)

March 26, 2026

CVE-2026-34158

Disclosure details are withheld until the CVE or advisory is public.

Reserved
Reserved CVE · Details withheld
Unscored · Reserved · CVSS pending

March 24, 2026

CVE-2026-34037

Disclosure details are withheld until the CVE or advisory is public.

Reserved
Reserved CVE · Details withheld
High · Reserved · CVSS 8.8/10 (v3.1)

March 2026

CVE-2026-33016

Disclosure details are withheld until the CVE or advisory is public.

Reserved
Reserved CVE · Details withheld
High · Public · CVSS 8.1/10 (v3.1)

March 2026

CVE-2026-33037

AVideo Default Admin Credential

Official AVideo Docker deployment defaults seeded the admin account with the predictable password `password` when operators left environment defaults unchanged.

Insecure Default Credentials
AVideo · Advisory write-up available
High · Public · CVSS 8.1/10 (v3.1)

March 2026

CVE-2026-33038

AVideo Installer Takeover

AVideo exposed an unauthenticated web installer that let remote attackers initialize fresh deployments with attacker-controlled admin credentials and database settings.

Missing Authentication
AVideo · Advisory write-up available
High · Public · CVSS 8.6/10 (v3.1)

March 2026

CVE-2026-33039

AVideo LiveLinks Redirect SSRF

AVideo validated the initial LiveLinks URL but trusted redirect targets, enabling unauthenticated SSRF into internal services and cloud metadata endpoints.

SSRF
AVideo · Advisory write-up available
Medium · Public · CVSS 5.3/10 (v3.1)

March 11, 2026

CVE-2026-31888

Shopware Store API User Enumeration

Shopware exposed whether an email address belonged to a valid customer by returning distinct error codes on Store API login requests.

User Enumeration
Shopware · Advisory write-up available
Medium · Public · CVSS 6.5/10 (v3.1)

March 9, 2026

CVE-2026-30973

Appium Zip Slip Arbitrary File Write

A missing throw in Appium’s ZIP extraction path traversal check made Zip Slip protection non-functional and allowed arbitrary file write.

Arbitrary File Write
@appium/support · Advisory write-up available
High · Public · CVSS 8.1/10 (v3.1)

March 2026

CVE-2026-29093

AVideo Exposed Memcached Session Store

AVideo’s default docker-compose stack published an unauthenticated memcached instance holding all PHP session data directly to the host network.

Session Exposure
AVideo · Advisory write-up available
Medium · Public · CVSS 5.3/10 (v4.0)

March 2026

CVE-2026-28398

NocoDB Stored XSS via Comments and Rich Text

NocoDB rendered attacker-controlled comments and rich text with v-html and no sanitization, enabling stored XSS for viewers of affected records.

Stored XSS
NocoDB · Advisory write-up available
Medium · Public · CVSS 4.9/10 (v4.0)

March 2026

CVE-2026-28396

NocoDB Refresh Tokens Survive Password Reset

NocoDB invalidated JWT versions on password reset but failed to delete existing refresh tokens, allowing stolen refresh tokens to survive the reset.

Session Management
NocoDB · Advisory write-up available
Medium · Public · CVSS 4.9/10 (v4.0)

March 2026

CVE-2026-28361

NocoDB MCP Token Ownership Bypass

NocoDB’s MCP token service skipped ownership validation, allowing users with sufficient base permissions to manipulate another user’s token if they knew its ID.

Broken Access Control
NocoDB · Advisory write-up available
Medium · Public · CVSS 4.3/10 (v3.1)

March 2026

CVE-2026-3351

LXD Certificate Fingerprint Enumeration

LXD’s non-recursive certificate listing bypassed per-object authorization and leaked certificate fingerprints to restricted authenticated users.

Information Disclosure
LXD · Advisory write-up available
High · Reserved · CVSS 8.7/10 (v3.1)

February 2026

CVE-2026-28445

Disclosure details are withheld until the CVE or advisory is public.

Reserved
Reserved CVE · Details withheld
Medium · Public · CVSS 6.9/10 (v4.0)

February 2026

CVE-2026-28351

pypdf RunLengthDecode Memory Exhaustion

Crafted RunLengthDecode streams in PDFs could trigger large memory consumption inside pypdf and exhaust process RAM.

Denial of Service
pypdf · Advisory write-up available
Medium · Public · CVSS 6.5/10 (v3.1)

February 2026

CVE-2026-28217

Hoppscotch userCollection IDOR

Hoppscotch’s userCollection GraphQL query returned other users’ private collection data without verifying ownership, exposing secrets and request definitions.

IDOR
Hoppscotch · Advisory write-up available
Critical · Public · CVSS 9.1/10 (v3.1)

February 24, 2026

CVE-2026-28215

Hoppscotch Infrastructure Configuration Overwrite

Public CVE metadata records unauthenticated infrastructure configuration overwrite in Hoppscotch onboarding configuration handling.

Missing Authentication
Hoppscotch · CVE metadata only
Medium · Reserved · CVSS 6.5/10 (v3.1)

February 2026

CVE-2026-28444

Disclosure details are withheld until the CVE or advisory is public.

Reserved
Reserved CVE · Details withheld
Critical · Public · CVSS 9.9/10 (v3.1)

February 2026

CVE-2026-28384

LXD compression_algorithm Host RCE

Multiple LXD API endpoints passed user-controlled compression_algorithm strings into shell-parsed host commands, enabling authenticated host RCE.

Remote Code Execution
LXD · Advisory write-up available
Medium · Reserved · CVSS 6.6/10 (v3.1)

February 2026

CVE-2026-27955

Disclosure details are withheld until the CVE or advisory is public.

Reserved
Reserved CVE · Details withheld
High · Public · CVSS 7.8/10 (v3.1)

February 2026

CVE-2026-27806

Fleet Orbit Tcl Injection Privilege Escalation

Fleet Orbit interpolated a local password into a Tcl/expect script without safe escaping, allowing local users to inject commands and escalate to root.

Local Privilege Escalation
Fleet Orbit · Advisory write-up available
Critical · Public · CVSS 9.1/10 (v3.1)

February 2026

CVE-2026-27471

ERPNext Missing Access Validation

Missing validation on sensitive ERPNext endpoints allowed unauthorized access to employee, invoice, and financial documents.

Improper Access Control
ERPNext · Advisory write-up available
Medium · Public · CVSS 5.4/10 (v3.1)

January 2026

CVE-2026-23630

Docmost Mermaid XSS

Unsanitized Mermaid SVG rendering enabled stored XSS against any user viewing a poisoned Docmost page.

XSS
Docmost · Advisory write-up available
High · Public · CVSS 8.8/10 (v3.1)

January 12, 2026

CVE-2026-22807

vLLM auto_map RCE

vLLM loaded Hugging Face auto_map dynamic modules without honoring trust_remote_code, enabling arbitrary Python execution from untrusted models.

Remote Code Execution
vLLM · Advisory write-up available
High · Public · CVSS 8.2/10 (v3.1)

January 12, 2026

CVE-2026-21884

React Router ScrollRestoration XSS

The inline ScrollRestoration script emitted during SSR did not escape </script> sequences in the data it serialized, so attacker-controlled input could close the script element early and inject markup that the browser executed.

XSS
React Router · Advisory write-up available
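Added illustration of the bug class behind the ScrollRestoration entry, written for this page and not React Router's code: serializing request-derived state into an inline script during SSR, with and without escaping `<` as \u003c, plus a small model of how the HTML tokenizer decides where a script element ends. The function names, the window.__STATE__ slot and the payload string are constructed for the example.

```javascript
// Serialize per-request state into an inline <script>, the pattern an SSR
// framework uses to hand data such as scroll-restoration keys to the client.
// JSON.stringify escapes quotes and control characters but leaves '<' alone,
// so a value containing "</script>" ends the element inside the browser's
// HTML tokenizer, before the JavaScript parser ever sees a string literal.
function inlineScriptUnsafe(state) {
  return `<script>window.__STATE__ = ${JSON.stringify(state)};</script>`;
}

// Escape JSON for embedding in a script element: \u003c is a valid JSON escape
// for '<', so the value is unchanged after JSON.parse, but the serialized text
// no longer contains "</". U+2028/U+2029 are escaped as well because they are
// line terminators in JavaScript source but not in JSON.
function escapeForInlineScript(json) {
  return json
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function inlineScriptSafe(state) {
  return `<script>window.__STATE__ = ${escapeForInlineScript(JSON.stringify(state))};</script>`;
}

// Minimal model of the tokenizer's "script data" state: the element body runs
// from the opening tag to the first case-insensitive "</script", regardless of
// any JavaScript string context.
function scriptBodyAsBrowserSees(html) {
  const open = html.indexOf('<script>') + '<script>'.length;
  const close = html.toLowerCase().indexOf('</script', open);
  return html.slice(open, close);
}

// Number of script elements the tokenizer would open in this document.
function countScriptOpeners(html) {
  return html.toLowerCase().split('<script').length - 1;
}

// Constructed attacker-controlled input, e.g. part of a crafted URL that ends
// up in the serialized state.
const PAYLOAD = '</script><script>alert(document.domain)</script>';

function demo(value = PAYLOAD) {
  const state = { key: value };
  const unsafeHtml = inlineScriptUnsafe(state);
  const safeHtml = inlineScriptSafe(state);
  return {
    unsafeBody: scriptBodyAsBrowserSees(unsafeHtml),
    unsafeScriptCount: countScriptOpeners(unsafeHtml),
    safeBody: scriptBodyAsBrowserSees(safeHtml),
    safeScriptCount: countScriptOpeners(safeHtml),
    // The escaped form still decodes to the original value on the client.
    roundTrip: JSON.parse(escapeForInlineScript(JSON.stringify(state))).key,
  };
}
```

With the payload above, the unsafe document contains two script elements: the first is truncated to a syntax error and the second is the attacker's. The escaped document contains one, and the client still reads the original string back out of window.__STATE__.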
High · Public · CVSS 7.5/10 (v3.1)

November 2025

CVE-2025-64756

glob CLI Command Injection

The glob CLI passed attacker-controlled filenames into a shell-executed command string, so running it against a repository containing crafted filenames executed commands chosen by whoever authored the repository.

Command Injection
glob CLI · Advisory write-up available
Critical · Public · CVSS 9.1/10 (v3.1)

October 2025

CVE-2025-61686

React Router Path Traversal

Crafted session identifiers escaped React Router file session storage directories and enabled arbitrary file overwrite.

Path Traversal
React Router · Advisory write-up available
Critical · Public · CVSS 9.8/10 (v3.1)

September 2025

CVE-2025-61622

Apache Fory Pickle RCE

Unsupported objects in pyfory/pyfury fell back to pickle.loads, enabling arbitrary code execution from crafted serialized data.

Remote Code Execution
Apache Fory · Advisory write-up available
Medium · Public · CVSS 5.3/10 (v3.1)

August 2025

CVE-2025-59792

Apache Kvrocks Credential Exposure

Kvrocks MONITOR output leaked plaintext AUTH credentials, exposing passwords to low-privilege observers.

Information Disclosure
Apache Kvrocks · Advisory write-up available
Medium · Public · CVSS 5.4/10 (v3.1)

August 2025

CVE-2025-59790

Apache Kvrocks Privilege Escalation

Namespace token validation flaws in Kvrocks allowed lower-privilege users to cross privilege boundaries.

Privilege Escalation
Apache Kvrocks · Advisory write-up available
High · Public · CVSS 7.6/10 (v3.1)

July 2025

CVE-2025-59057

React Router Stored XSS

A stored XSS condition in React Router allowed attacker-supplied markup to persist and execute in downstream applications.

XSS
React Router · Advisory write-up available
Critical · Public · CVSS 9.8/10 (v3.1)

June 2025

CVE-2025-58434

Flowise Account Takeover

Flowise leaked password reset material in a way that enabled full account takeover across local and cloud deployments.

Account Takeover
Flowise · Advisory write-up available
