// case studies
Real CVEs. Real code. PullLight caught them.
Nine critical vulnerabilities across popular npm and Python packages — flagged by AI review before they shipped. Ordered by CVSS score.
CVSS 10.0 | CVE-2025-55182 | React2Shell RCE: RCE via Unvalidated RSC Deserialization
CVSS 10.0 | CVE-2026-44005 | vm2 Sandbox Escape: Prototype Pollution / Sandbox Escape
CVSS 9.2 | CVE-2025-68428 | jsPDF Path Traversal: Path Traversal via Unsanitized File Write
CVSS 9.1 | CVE-2024-49768 | Waitress TOCTOU Race: TOCTOU Race in HTTP Pipelining
CVSS 9.0 | CVE-2024-21534 | jsonpath-plus RCE: Sandbox Escape via unsafe vm.compile
CVSS 8.6 | CVE-2026-44578 | Next.js WebSocket SSRF: WebSocket Upgrade Handler SSRF
CVSS 8.1 | CVE-2024-29415 | ip Package SSRF Bypass: SSRF via IPv4/IPv6 Canonicalization Bypass
CVSS 7.2 | CVE-2025-29927 | Next.js Auth Bypass: Auth Bypass via Middleware Logic Gap
Want PullLight watching your PRs?
Catches bugs like these before they merge — no config required.
Try the live demo →