255766 matches found
CVE-2026-13448 Langflow is affected by remote code execution, denial of service, path traversal, and exposed credentials due to multiple unauthenticated and insufficiently authorized API endpoints
IBM Langflow OSS 1.0.0 through 1.10.1 Lanflow OSS contains an unauthenticated remote code execution vulnerability in the public flow build endpoint /api/v1/buildpublictmp/flowid/flow . The vulnerability stems from an incomplete denylist in the validatepublicflownocodeexecution function that fails...
CVE-2026-13448
IBM Langflow OSS 1.0.0 through 1.10.1 Lanflow OSS contains an unauthenticated remote code execution vulnerability in the public flow build endpoint /api/v1/buildpublictmp/flowid/flow . The vulnerability stems from an incomplete denylist in the validatepublicflownocodeexecution function that fails...
CVE-2026-13473 IBM Storage Protect Client is vulnerable to Heap-Based Buffer Overflow
IBM Storage Protect Client 8.1.0.0 through 8.1.27.0, 8.1.27.1, and 8.2.0.0 through 8.2.1.0 IBM Storage Protect is vulnerable to a heap-based buffer overflow, caused by improper bounds checking. A remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server ...
CVE-2026-13473
IBM Storage Protect Client 8.1.0.0 through 8.1.27.0, 8.1.27.1, and 8.2.0.0 through 8.2.1.0 IBM Storage Protect is vulnerable to a heap-based buffer overflow, caused by improper bounds checking. A remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server ...
CVE-2026-14499 Langflow is affected by remote code execution, denial of service, path traversal, and exposed credentials due to multiple unauthenticated and insufficiently authorized API endpoints
IBM Langflow OSS 1.0.0 through 1.10.1 Langflow could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user supplied input in the Python Interpreter component...
CVE-2026-14499
IBM Langflow OSS 1.0.0 through 1.10.1 Langflow could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user supplied input in the Python Interpreter component...
CVE-2026-15069 Multiple Vulnerabilities in IBM Engineering AI hub.
IBM Engineering AI Hub 1.0.0, 1.1.0, and 1.2.0 could allow a remote attacker to execute arbitrary script code due to improper neutralization of input during web page generation...
CVE-2026-7755 MCP Server Configuration Validator Bypass via File Upload API
IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow remote code execution due to incomplete validation enforcement on MCP server configuration files...
CVE-2026-7755
The IBM Security Bulletin confirms CVE-2026-7755 affects Langflow OSS versions 1.0.0–1.10.0, where the File Manager API may bypass MCP server configuration validation during file uploads. A maliciously crafted MCP configuration file (e.g., mcp_servers .json) could be uploaded via upload_user_file...
CVE-2026-45162
Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.7, multiple Pimcore locations call PHP's unserialize on data from database columns and filesystem files without the allowedclasses restriction, including lib/Tool/Authentication.php, models/Site/Dao.php...
CVE-2026-63030 WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Remote Code Execution
WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the authornotin WPQuery SQL Injection CVE-2026-60137, could allow an attacker to perform SQL Injection and achieve Remote Code Execution...
CVE-2026-63030 WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Remote Code Execution
WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the authornotin WPQuery SQL Injection CVE-2026-60137, could allow an attacker to perform SQL Injection and achieve Remote Code Execution...
CVE-2026-63030
WordPress 6.9.x before 6.9.5 and 7.0.x before 7.0.2 is affected by a REST API batch endpoint route confusion issue which, combined with the authornotin WPQuery SQL Injection CVE-2026-60137, could allow an attacker to perform SQL Injection and achieve Remote Code Execution...
CVE-2026-8476 Disk Cache Deserialization Remote Code Execution Vulnerability
IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the disk-based caching mechanism. The AsyncDiskCache class uses Python's unsafe pickle.loads function to deserialize cached objects from disk without validation, integrity verification, or...
CVE-2026-8476
Langflow OSS versions 1.0.0–1.10.0 are impacted by a remote code execution vulnerability in the disk-based cache. The AsyncDiskCache deserializes cached items with unsafe pickle.loads() without validation, allowing arbitrary code execution when an attacker can influence cached data (e.g., through...
CVE-2026-8481 Remote Code Execution via Code Validation Endpoint
IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the code validation API endpoint. The POST /api/v1/validate/code endpoint accepts user-supplied Python code and executes it directly using Python's built-in exec function without sandboxing, input...
CVE-2026-8481 Remote Code Execution via Code Validation Endpoint
IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the code validation API endpoint. The POST /api/v1/validate/code endpoint accepts user-supplied Python code and executes it directly using Python's built-in exec function without sandboxing, input...
CVE-2026-8505 Authentication Bypass in Webhook Endpoints Allowed Unauthorized Flow Execution
IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook authentication logic allows unauthenticated users to trigger the execution of any flow. The system incorrectly bypasses API key validation when the WEBHOOKAUTHENABLE configuration is set to False which is the default...
CVE-2026-8505
CVE-2026-8505 affects Langflow OSS 1.0.0–1.10.0. A flaw in the webhook authentication logic bypasses API key validation when WEBHOOK_AUTH_ENABLE is False (default), allowing unauthenticated remote execution of any flow and potentially RCE/DoS. IBM’s bulletin confirms the vulnerability and that th...
CVE-2026-45162 Pimcore: Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction
Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.7, multiple Pimcore locations call PHP's unserialize on data from database columns and filesystem files without the allowedclasses restriction, including lib/Tool/Authentication.php, models/Site/Dao.php...