Migration toolkit for virtualization
This hub aggregates every CVE we track for Migration toolkit for virtualization, a product in the devtools/CI category. Use it to gauge the current risk picture and to drill into individual advisories.
- CVEs tracked: 23
- Critical: 3
- High: 13
- In CISA KEV: 1
Severity distribution
- HIGH: 13
- MEDIUM: 6
- CRITICAL: 3
- LOW: 1
Monthly trend (chart, 2024-08 to 2026-07): per-month counts as extracted from the chart, in chart order: 0, 2, 0, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0, 0, 0, 2, 1, 0, 3, 0, 0, 0, 0.
Latest CVEs
The 15 most recently published vulnerabilities affecting Migration toolkit for virtualization.
- CVE-2026-33748: BuildKit Git URL subdir component can cause access to restricted files (CVSS 7.5)
- CVE-2026-33747: BuildKit vulnerable to malicious frontend causing file escape outside of storage root (CVSS 8.4)
- CVE-2026-25645: Requests has insecure temp file reuse in its extract_zipped_paths() utility function (CVSS 4.4)
- CVE-2026-23490: pyasn1 has a DoS vulnerability in decoder (CVSS 7.5)
- CVE-2025-66471: urllib3 Streaming API improperly handles highly compressed data (CVSS 7.5)
- CVE-2025-66418: urllib3 allows an unbounded number of links in the decompression chain (CVSS 7.5)
- CVE-2025-50182: urllib3 does not control redirects in browsers and Node.js (CVSS 5.3)
- CVE-2025-50181: urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation (CVSS 5.3)
- CVE-2024-11831: npm serialize-javascript: cross-site scripting (XSS) in serialize-javascript (CVSS 5.4)
- CVE-2024-45801: Tampering by prototype pollution in DOMPurify (CVSS 7.3)
- CVE-2024-8509: Migration toolkit for virtualization: forklift-controller: empty bearer token may perform authentication (CVSS 7.5)
- CVE-2024-24790: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip (CVSS 9.8)
- CVE-2023-42282: The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic. (CVSS 9.8)
- CVE-2023-26159: Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, ... (CVSS 7.3)
- CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. [CISA KEV] (CVSS 7.5)
Product normalization is registry-driven with AI assist and human review.