Lucene search
+L

87 matches found

Cvelist
Cvelist
added yesterday28 views

CVE-2026-8481 Remote Code Execution via Code Validation Endpoint

IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the code validation API endpoint. The POST /api/v1/validate/code endpoint accepts user-supplied Python code and executes it directly using Python's built-in exec function without sandboxing, input...

9.9CVSS
Exploits0References1
Vulnrichment
Vulnrichment
added yesterday10 views

CVE-2026-8481 Remote Code Execution via Code Validation Endpoint

IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the code validation API endpoint. The POST /api/v1/validate/code endpoint accepts user-supplied Python code and executes it directly using Python's built-in exec function without sandboxing, input...

9.9CVSS6.9AI score
Exploits0References1
EUVD
EUVD
added yesterday7 views

EUVD-2026-45275

IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the code validation API endpoint. The POST /api/v1/validate/code endpoint accepts user-supplied Python code and executes it directly using Python's built-in exec function without sandboxing, input...

9.9CVSS6.9AI score
Exploits0References1
CVE
CVE
added yesterday30 views

CVE-2026-9198

IBM Langflow OSS versions 1.0.0–1.10.0 are affected by CVE-2026-9198: unauthenticated attackers chain /api/v1/auto_login (issues superuser tokens) with /api/v1/validate/code (exec() of user code) to achieve full RCE on default deployments. The root cause is the combination of an open auto-login e...

9.8CVSS5.4AI score
Exploits0References1
Cvelist
Cvelist
added yesterday34 views

CVE-2026-9198 Unauthenticated Remote Code Execution via Auto-Login Bypass and Code Validation

IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to chain /api/v1/autologin mints SUPERUSER tokens to any network caller with /api/v1/validate/code executes user code via exec to achieve full RCE on default Langflow deployments...

9.8CVSS
Exploits0References1
Vulnrichment
Vulnrichment
added yesterday5 views

CVE-2026-9198 Unauthenticated Remote Code Execution via Auto-Login Bypass and Code Validation

IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to chain /api/v1/autologin mints SUPERUSER tokens to any network caller with /api/v1/validate/code executes user code via exec to achieve full RCE on default Langflow deployments...

9.8CVSS5.5AI score
Exploits0References1
Cvelist
Cvelist
added 2026/06/30 7:13 p.m.45 views

CVE-2026-7873 Code Injection Vulnerability in Code Validation Endpoint

IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated attackers to execute arbitrary OS commands and read sensitive files including credentials, enabling complete system compromise and lateral movement...

9.9CVSS0.00294EPSS
Exploits0References1
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/29 7:48 p.m.6 views

Security Bulletin: Code Injection Vulnerability in Code Validation Endpoint

Summary A code injection vulnerability was identified in the code validation endpoint that allowed authenticated users to execute arbitrary code on the server. The vulnerability existed in the validation logic which compiled and executed function definitions to check for import errors. Attackers...

9.9CVSS6.6AI score0.00294EPSS
Exploits0Affected Software1
NVD
NVD
added 2026/06/29 6:16 p.m.9 views

CVE-2026-57959

Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the...

8.2CVSS0.00193EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/29 5:24 p.m.9 views

EUVD-2026-40144

Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the...

8.2CVSS5.8AI score0.00193EPSS
Exploits0References2
NVD
NVD
added 2026/06/15 12:16 p.m.30 views

CVE-2026-34030

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, does not sufficiently validate the branch code when a new branch is created. The branch code is later used in multiple application functions, including filesystem path generation for uploaded files, profile pictures, and...

6.9CVSS0.00327EPSS
Exploits1References2
CVE
CVE
added 2026/06/15 10:5 a.m.21 views

CVE-2026-34030

The CVE concerns Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) where branch code validation is insufficient during new-branch creation. The branch code is later used in functions that generate filesystem paths for uploaded files, profile pictures, and settings. An authenticat...

6.9CVSS5.4AI score0.00327EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/06/15 10:5 a.m.39 views

CVE-2026-34030 Improper branch-code validation in Wertheim SafeController Software allows file path manipulation

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, does not sufficiently validate the branch code when a new branch is created. The branch code is later used in multiple application functions, including filesystem path generation for uploaded files, profile pictures, and...

6.9CVSS0.00327EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/30 9:11 p.m.7 views

CVE-2026-6543 Authenticated Remote Code Execution Vulnerability in Langflow Code Validation Endpoint

IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow allows an attacker to execute arbitrary commands with the privileges of the process running Langflow. This allows reading sensitive environment variables API keys, DB credentials, modifying files, or launching further attacks on the internal netwo...

8.8CVSS6AI score0.0047EPSS
Exploits0References1
CVE
CVE
added 2026/04/30 9:11 p.m.20 views

CVE-2026-6543

CVE-2026-6543 affects IBM Langflow (OSS 1.0.0–1.8.4 and Desktop 1.0.0–1.8.4). The root cause is unsafe use of Python’s exec() in the code validation endpoint (validate_code) which fails to account for decorators, enabling an authenticated attacker to trigger arbitrary code execution with the Lang...

8.8CVSS5.7AI score0.0047EPSS
Exploits0References1Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/28 8:56 p.m.6 views

Security Bulletin: Authenticated Remote Code Execution Vulnerability in Langflow Code Validation Endpoint

Summary IBM Langflow Desktop contains a vulnerability in its code validation functionality where the /api/v1/validate/code endpoint uses Python's exec to process user-supplied input and fails to account for decorator execution during function definition parsing, allowing authenticated attackers t...

8.8CVSS6.3AI score0.0047EPSS
Exploits0Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/21 7:24 p.m.8 views

CVE-2026-40887 @vendure/core has a SQL Injection vulnerability

Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression...

9.1CVSS6.1AI score0.01762EPSS
Exploits1References1
OSV
OSV
added 2026/03/26 6:31 p.m.2 views

GHSA-V8HW-MH8C-JXFC Langflow has Authenticated Code Execution in Agentic Assistant Validation

Description 1. Summary The Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class...

9.3CVSS6.6AI score0.01426EPSS
Exploits1References19
NVD
NVD
added 2026/03/18 4:16 p.m.7 views

CVE-2026-24062

The "Privileged Helper" component of the Arturia Software Center MacOS does not perform sufficient client code signature validation when a client connects. This leads to an attacker being able to connect to the helper and execute privileged actions leading to local privilege escalation...

7.8CVSS0.00122EPSS
Exploits1References1
CVE
CVE
added 2026/03/09 10:19 p.m.16 views

CVE-2026-28513

Pocket ID is an OIDC provider. Before version 2.4.0, the token endpoint could accept an authorization code that is expired when the client ID is correct, enabling cross-client code reuse and expired-code reuse. The issue is fixed in 2.4.0. No exploitation path details are provided beyond that, an...

8.5CVSS5.8AI score0.00257EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder