CVE Archive

NuGet Vulnerability Archive

Recent and critical CVEs affecting NuGet packages. Kodem’s runtime-powered SCA identifies which are actually reachable in your applications.

Top affected packages

Magick.NET-Q16-AnyCPU 14 CVEs
CoreWCF.Primitives 7 CVEs
tinymce 4 CVEs
CoreWCF.UnixDomainSocket 2 CVEs
Umbraco.Cms 2 CVEs
CoreWCF.NetNamedPipe 1 CVE
CoreWCF.Kafka 1 CVE
CoreWCF.NetFramingBase 1 CVE
NCalc.Core 1 CVE
Microsoft.NETCore.App.Runtime.linux-x64 1 CVE

Recent NuGet CVEs

CVE

Package / summary

Severity

CoreWCF.Primitives · CoreWCF: SPNEGO SecurityContextToken proof key wrapped without confidentiality

CoreWCF.Primitives · CoreWCF: XML Signature Wrapping in WS-Security endorsing/supporting signature…

CoreWCF.Primitives · CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature…

CoreWCF.Primitives · CoreWCF: SAML SubjectConfirmation methods and holder-of-key proof keys are not…

CoreWCF.Primitives · CoreWCF: SAML token replay protection is inoperative

CoreWCF.UnixDomainSocket · CoreWCF: UnixDomainSocket Non-Reentrant POSIX Identity Resolution

CoreWCF.NetNamedPipe · CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe…

CoreWCF.UnixDomainSocket · CoreWCF: Unix Domain Socket PosixIdentity transport accepts connections that…

CoreWCF.Kafka · CoreWCF: Kafka consume pump halts permanently on a Kafka tombstone (null-value…

CoreWCF.Primitives · CoreWCF: SamlSerializer skips SignatureValue verification when SAML signing…

CoreWCF.Primitives · CoreWCF: WS-Security signature substitution via document-wide Signature lookup

CoreWCF.NetFramingBase · CoreWCF: Pre-authentication infinite-loop CPU exhaustion in CoreWCF net.tcp /…

NCalc.Core · NCalc: Denial of Service via Unbounded and Non-Terminating Factorial Evaluation

Microsoft.NETCore.App.Runtime.linux-x64 · Microsoft Security Advisory CVE-2026-45491 – .NET Tampering Vulnerability

Microsoft.AspNetCore.App.Runtime.linux-x64 · Microsoft Security Advisory CVE-2026-45591 – ASP.NET Core Denial of Service…

MessagePack · MessagePack's LZ4 decompression may fail with AccessViolationException after…

tinymce · TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin…

tinymce · TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected`…

tinymce · TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce-…

tinymce · TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass…

Magick.NET-Q16-AnyCPU · ImageMagick: Heap Buffer Over-Read in distributed pixel cache server

Magick.NET-Q16-AnyCPU · ImageMagick: Information Disclosure in distributed pixel cache server because…

Magick.NET-Q16-AnyCPU · ImageMagick: Race Condition in distributed pixel cache server can result in…

Magick.NET-Q16-AnyCPU · ImageMagick: Heap Buffer Over-Write in distributed pixel cache server

Umbraco.Cms · Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog

Umbraco.Cms · Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers

OpenMcdf · OpenMcdf: Uncatchable infinite loop in DirectoryTree.TryGetDirectoryEntry on…

Magick.NET-Q16-AnyCPU · ImageMagick: Heap Buffer Over-Write of a single byte in the JP2 encoder.

Magick.NET-Q16-AnyCPU · ImageMagick: Stack overflow in fx operation

Magick.NET-Q16-AnyCPU · ImageMagick: Use-After-Free in MSL decoder.

Magick.NET-Q16-AnyCPU · ImageMagick: Infinite Loop in the MIFF decoder can lead to CPU exhaustion

Magick.NET-Q16-AnyCPU · ImageMagick: Heap Buffer Over-Write in MIFF encoder when using LZMA compression

Magick.NET-Q16-AnyCPU · ImageMagick: Heap Buffer Over-Write in IPL decoder when reading multiple images…

Magick.NET-Q16-AnyCPU · ImageMagick: Policy Bypass in MNG coder could

Magick.NET-Q16-AnyCPU · ImageMagick: Heap Buffer Over-Read of a 4 bytes in distort operation.

Microsoft.WindowsDesktop.App.Runtime.win-arm64 · Microsoft Security Advisory CVE-2026-35433 – .NET Elevation of Privilege…

Microsoft.AspNetCore.App.Runtime.win-arm · Microsoft Security Advisory CVE-2026-42899 – ASP.NET Core Denial of Service…

Microsoft.NetCore.App.Runtime.win-arm · Microsoft Security Advisory CVE-2026-32175 – .NET Core Tampering Vulnerability

Magick.NET-Q16-AnyCPU · ImageMagick: Policy Bypass in PSD decoder

Magick.NET-Q16-AnyCPU · ImageMagick: Out-of-Bounds Read of a single byte in meta encoder

Stop the waste.
Protect your environment with Kodem.

Get a personalized demo

Get a personalized demo