Lucene search
K

70 matches found

Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-15191 mettle sendportal Campaign Creation Endpoint CampaignStoreRequest.php authorization

A flaw has been found in mettle sendportal up to 3.0.1. This vulnerability affects unknown code of the file vendor/mettle/sendportal-core/src/Http/Requests/CampaignStoreRequest.php of the component Campaign Creation Endpoint. Executing a manipulation can lead to authorization bypass. The attack c...

6.5CVSS0.0022EPSS
Exploits0References6
CVE
CVE
added 2026/06/25 6:55 p.m.15 views

CVE-2026-2299

CVE-2026-2299 affects the Mattermost Google Drive plugin prior to version 1.1.0. The file creation endpoint does not validate channel membership, allowing authenticated users with a connected Google account to share Google Drive files into unauthorized private channels and disclose private channe...

4.2CVSS5.8AI score0.00119EPSS
Exploits0References1
OSV
OSV
added 2026/06/23 4:29 p.m.6 views

CVE-2026-42867 Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API POST /api/v1/knowledgebases. This occurs because user-supplied knowledge base names are used directly to create file paths without...

6.5CVSS6AI score0.00313EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/06/16 5:35 p.m.11 views

Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint

Summary Langflow is vulnerable to Path Traversal in the Knowledge Bases API POST /api/v1/knowledgebases. This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw...

6.5CVSS5.5AI score0.00313EPSS
Exploits1References3Affected Software1
EUVD
EUVD
added 2026/06/12 7:51 p.m.12 views

EUVD-2026-36552

A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create followed by save...

8.4CVSS5.4AI score0.00226EPSS
Exploits0References1
Snyk
Snyk
added 2026/06/10 10:15 p.m.6 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the create and store functions in ApiEntityListQuickCreationCommandController.php. A user can create or submit new records on the Quick Creation Command endpoint for any entity with Quick Creation Command...

5.4CVSS5.4AI score0.00213EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:48 p.m.9 views

CVE-2026-36341

Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...

5.4CVSS5.5AI score0.0021EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:47 p.m.11 views

CVE-2026-6598

A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function createproject/encryptauthsettings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument authsetting...

5.3CVSS4.9AI score0.00152EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:38 p.m.9 views

CVE-2026-34722

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the used endpoint for ticket creation was missing authorization if the related parameter for adding links is used. This vulnerability is fixed in 7.0.1 and 6.5.4...

6.9CVSS5.4AI score0.00167EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/13 2:22 p.m.10 views

CVE-2026-31245

The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint POST /memories. The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending...

5.3CVSS6AI score0.00335EPSS
Exploits0References1
NVD
NVD
added 2026/05/12 6:16 p.m.10 views

CVE-2026-31245

The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint POST /memories. The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending...

5.3CVSS0.00335EPSS
Exploits0References2
OSV
OSV
added 2026/05/12 12:0 a.m.4 views

CVE-2026-31245

The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint POST /memories. The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending...

5.3CVSS6.1AI score0.00335EPSS
Exploits0References4
OSV
OSV
added 2026/05/08 7:45 p.m.7 views

GHSA-9VVH-QMJX-P4Q8 Open WebUI's Base Model Routing Bypasses Access Control via Model Chaining

Base Model Routing Bypasses Access Control via Model Chaining Affected Component Model chaining via basemodelid: - backend/openwebui/routers/models.py lines 170-214, createnewmodel - backend/openwebui/routers/models.py lines 254-308, importmodels - backend/openwebui/main.py lines 1696-1711, base...

7.6CVSS6AI score0.00248EPSS
Exploits1References3
NVD
NVD
added 2026/04/28 10:16 p.m.11 views

CVE-2026-41649

Outline is a service that allows for collaborative documentation. The shares.create API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both collectionId and documentId are provided in the request, the authorization logic only checks...

7.7CVSS0.00293EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/04/24 12:0 a.m.10 views

PT-2026-34841

Name of the Vulnerable Software and Affected Versions Press affected versions not specified Description Press, a Frappe custom app used for managing infrastructure, subscriptions, marketplace, and software-as-a-service SaaS, contains a flaw in the 'press.api.account.create api secret' endpoint...

8.7CVSS5.8AI score0.00165EPSS
Exploits0References5
Snyk
Snyk
added 2026/04/23 3:7 p.m.6 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via import flow. An attacker can gain remote code execution using company creation endpoint that improperly checks for admin rights in authenticated mode deployment with default configuration. Remediation Upgrade...

10CVSS6.5AI score0.01972EPSS
Exploits5References2
Snyk
Snyk
added 2026/04/23 3:7 p.m.7 views

Missing Authorization

Overview @paperclipai/ui is a Prebuilt Paperclip board UI assets. Affected versions of this package are vulnerable to Missing Authorization via import flow. An attacker can gain remote code execution using company creation endpoint that improperly checks for admin rights in authenticated mode...

10CVSS6.5AI score0.01972EPSS
Exploits5References2
Positive Technologies
Positive Technologies
added 2026/04/23 12:0 a.m.16 views

PT-2026-34745

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key id and internal state fields of DocumentStore entities. Because the...

7.6CVSS5.8AI score0.00333EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/20 2:45 a.m.48 views

CVE-2026-6598 langflow-ai langflow Project Creation Endpoint projects.py encrypt_auth_settings cleartext storage in file

A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function createproject/encryptauthsettings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument authsetting...

5.3CVSS0.00152EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/20 2:45 a.m.5 views

CVE-2026-6598 langflow-ai langflow Project Creation Endpoint projects.py encrypt_auth_settings cleartext storage in file

A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function createproject/encryptauthsettings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument authsetting...

5.3CVSS5.3AI score0.00152EPSS
Exploits0References4
Rows per page
Query Builder