2850 matches found
CVE-2026-14499 Langflow is affected by remote code execution, denial of service, path traversal, and exposed credentials due to multiple unauthenticated and insufficiently authorized API endpoints
IBM Langflow OSS 1.0.0 through 1.10.1 Langflow could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user supplied input in the Python Interpreter component...
CVE-2026-14499
CVE-2026-14499 affects Langflow OSS 1.0.0–1.10.1. An authenticated user could execute arbitrary commands with elevated privileges due to improper validation of user-supplied input in the Python Interpreter component, resulting in OS command injection (CWE-78). IBM’s bulletin assigns CVSS v3.1 bas...
CVE-2026-14971
CVE-2026-14971 affects IBM PowerVM Novalink (NovaLink APIs) with misconfiguration that can increase attack surface and enable unintended/unauthorized operations under non-default conditions. Affected PowerVM Novalink versions include 2.2.0, 2.2.1, 2.2.1.1 and 2.3.0, 2.3.0.1, 2.3.1, 2.3.2. IBM rep...
Vanna - SQL injection
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents . This can lead to...
CyberPower - Missing Authentication
An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3. id: CVE-2024-32735 info: name: CyberPower - Missing Authentication author: DhiyaneshDK severity: critical description: | An issue regarding missing authentication for certai...
EUVD-2026-44689
Cloudreve is a self-hosted file management and sharing system. From 4.12.0 until 4.16.1, Cloudreve's OAuth access tokens are issued without the OAuth clientid claim, so the JWT verifier does not load token scopes into request context and RequiredScopes treats the request like non-scoped session...
JLSEC-2026-733 When restoring a session from cache, a pointer from the serialized session data is used in a free...
When restoring a session from cache, a pointer from the serialized session data is used in a free operation without validation. An attacker who can poison the session cache could trigger an arbitrary free. Exploitation requires the ability to inject a crafted session into the cache and for the...
JLSEC-2026-739 AES-GCM encryption/decryption with extremely large cumulative single message sizes (>64 GiB) were...
AES-GCM encryption/decryption with extremely large cumulative single message sizes 64 GiB were not properly rejected by the streaming APIs, allowing counter wrap, keystream reuse, and consequent plaintext recovery...
Security Bulletin: Langflow is affected by remote code execution, denial of service, path traversal, and exposed credentials due to multiple unauthenticated and insufficiently authorized API endpoints
Summary Langflow provides a visual interface for constructing and executing AI-powered agent workflows, exposing HTTP API endpoints for flow execution, file management, vector store operations, and Model Context Protocol MCP server configuration. An attacker could exploit insufficient validation...
EUVD-2026-43544
Argo CD Helm Chart before 10.0.0 fails to install network policies by default, allowing any pod on a cluster to access repo-server and other Argo APIs. Attackers can exploit this unrestricted network access through combined attacks to achieve cluster compromise and remote code execution...
EUVD-2026-43559
9Router through version 0.4.41 contains an unauthenticated access vulnerability that allows remote attackers to interact with provider management API endpoints by sending requests without any credentials due to missing authentication middleware in the Next.js API routes under...
Malicious code in polygon-gama-apis (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f0e5efa9d57dae04a6082dfa776d2c2664f3ce5a838ed9cf56f40656937b7e92 polygon-gama-apis exports getPlugin, which fetches JSON from https://bet.slotgambit.com/icons/111 and passes the response field data.credits directly...
Malicious code in polygon-gamma-apis (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a49bd3ddb3340e0ef3c76465b6e275d45ddc8eecdbd742747acde8588a2018b4 [email protected] advertises itself as a 'TypeScript SDK for the Polymarket CLOB API' but ships no Polymarket API surface. The exported...
EUVD-2026-42811
Improper access control in IAFDService prior to SMR Jul-2026 Release 1 allows local privileged attackers to use the privileged APIs...
CVE-2026-21040
Improper access control in IAFDService prior to SMR Jul-2026 Release 1 allows local privileged attackers to use the privileged APIs...
CVE-2026-21040
Improper access control in IAFDService prior to SMR Jul-2026 Release 1 allows local privileged attackers to use the privileged APIs...
Malicious code in polymarket-apis (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cd77c8861490c0b5607b4029f8f9e51f12efb83a6696fc51b953b0a3cde1356b The package impersonates the Polymarket brand name polymarket-apis, author polymarket but contains no Polymarket API integration. Its exported...
Malicious code in polymarket-trader-apis (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 54436b6dea3d66e295c1ca82184b4f4b904d8441a68e77845f37cbb039c5f3c9 [email protected] advertises itself as a Polymarket trading helper but its main entry is a remote code loader. The default-exported...
OESA-2026-2932 libidn security update
GNU Libidn is a fully documented implementation of the Stringprep, Punycode and IDNA 2003 specifications. Libidn's purpose is to encode and decode internationalized domain names. Security Fixes: GNU libidn before 1.44 is prone to out-of-bounds reads of uninitialized memory in the ToUnicode APIs...
Important: Red Hat Security Advisory: Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.6.12
Assisted installer RHEL 9 components for the multicluster engine for Kubernetes 2.6.12 General Availability release, with updates to container images. Assisted Installer RHEL 9 integrates components for the general multicluster engine for Kubernetes 2.6.12 release that simplify the process of...