Open Source Libraries
Open source libraries are reused across millions of projects, so one vulnerable package can cascade through the supply chain. This hub tracks CVEs across the major language package ecosystems and frameworks.
Subsectors (CVEs in the latest month): generic-library (656) · npm (148) · web-framework (118) · pypi (20) · crates-io (13) · nuget (12) · go (8) · rubygems (4) · maven (2) · hex (1) · packagist · pub
- Cumulative CVEs: 47,429 across 287 monthly snapshots
- Latest month: 1,505 (+28.1% MoM, +258.3% YoY)
- Peak month: 1,600 (Mar 26)
- KEV this month: 0
- Vendors affected: 326
CVEs per month (chart; newest period on the right, one point per monthly report)
Deployment mix
How this sector's software is typically delivered — whether you patch it yourself or a vendor does. AI-assisted vendor classification.
- Library: 90%
- On-prem: 6%
- Mixed: 4%
Latest CVEs in this sector
The 15 most recently published vulnerabilities tagged to Open Source Libraries.
| CVE | Vendor | Title | Score |
|---|---|---|---|
| CVE-2026-56377 | ImageMagick | Policy Bypass via Incorrect Path Validation | 3.3 |
| CVE-2026-56365 | ImageMagick | Memory Leak in PNG Encoder via MNG Image Writing | 3.7 |
| CVE-2026-56369 | ImageMagick | Information Disclosure via AES-CTR Nonce Reuse in PasskeyEncipherImage | 3.7 |
| CVE-2026-56364 | ImageMagick | Memory Leak in LoadOpenCLDeviceBenchmark() via Malformed XML | 1.9 |
| CVE-2026-56361 | ImageMagick | Heap Buffer Overflow via Off-by-One in Morphology Processing | 3.3 |
| CVE-2026-56363 | ImageMagick | Division by Zero in Binomial Kernel Processing | 3.3 |
| CVE-2026-56334 | Capgo | Missing UPDATE RLS Policy for Build Status Persistence | 4.3 |
| CVE-2026-56333 | Capgo | Server-Side Validation Bypass via Direct Browser-Side Organization Security Settings Updates | 4.3 |
| CVE-2026-56328 | Capgo | Integrity Issue in Release Routing via Multiple Public Channels | 6.5 |
| CVE-2026-56331 | Capgo | Improper Error Handling in Accept Invitation Endpoint via Invalid Magic String | 5.3 |
| CVE-2026-56327 | Capgo | Unauthenticated Organization Existence Oracle via public.invite_user_to_org RPC | 5.3 |
| CVE-2026-56320 | Capgo | Org/App Scope Mismatch in Device Creation Endpoint | 7.1 |
| CVE-2026-56300 | Capgo | Unauthenticated API Key Validity and Permission Oracle via RPC Functions | 7.5 |
| CVE-2026-56318 | Capgo | Information Disclosure via /private/validate_password_compliance Endpoint | 5.3 |
| CVE-2026-56286 | Capgo | Account Deletion Without Password Confirmation | 8.1 |
Weakness fingerprint
Top CWE classes in this sector, latest monthly snapshot.
Top vendors
Vendors with the most CVEs in this sector, latest monthly snapshot ("·" means none).
| Vendor | CVEs | Crit | KEV |
|---|---|---|---|
| pypi | 98 | · | · |
| npm | 89 | · | · |
| spring | 72 | · | · |
| capgo | 61 | 1 | · |
| imagemagick | 41 | · | · |
| go | 35 | · | · |
| picklescan | 34 | 8 | · |
| wolfssl | 32 | 2 | · |
| gpac | 28 | · | · |
| netty | 25 | 1 | · |
Subsectors
Breakdown for the latest monthly snapshot.
| Subsector | CVEs | Crit | KEV | Vendors | MoM | Top products |
|---|---|---|---|---|---|---|
| generic-library | 656 | 66 | · | 184 | — | capgo (73) · imagemagick (41) · wolfssl (32) |
| — (no subsector tag) | 523 | 36 | · | 61 | — | picklescan (44) · praisonai (36) · gpac (28) |
| npm | 148 | 6 | · | 21 | — | openclaw (86) · pnpm (13) · axios (9) |
| web-framework | 118 | 1 | · | 39 | — | aiohttp (22) · angular (17) · angularjs (16) |
| pypi | 20 | · | · | 10 | — | python-multipart (8) · pypdf (6) · kafka-python (4) |
| crates-io | 13 | 1 | · | 2 | — | messagepack (12) · tiny-regex-c (1) |
| nuget | 12 | 1 | · | 1 | — | messagepack-csharp (12) |
| go | 8 | · | · | 5 | — | golang.org/x/image/tiff (2) · github.com/fission/fission (1) · github.com/kahiteam/kahi (1) |
| rubygems | 4 | · | · | 1 | — | net-imap (3) · json (1) |
| maven | 2 | · | · | 1 | — | logback (1) · logback-core (1) |
| hex | 1 | · | · | 1 | — | ex_aws_sns (1) |
Sector classification is AI-assisted with human review.