Lucene search
+L

12 matches found

CVE
CVE
added 2 days ago20 views

CVE-2026-49209

The CVE-2026-49209 issue affects Symfony UX LiveComponent’s BatchActionController::__invoke(), which iterates over client-supplied actions and issues a full HttpKernel sub-request per entry. With unbounded action arrays, an authenticated attacker can submit a single _batch request containing thou...

5.3CVSS5.3AI score0.00268EPSS
Exploits0References4
CVE
CVE
added 2026/06/18 9:1 p.m.78 views

CVE-2026-49257

Summary of CVE-2026-49257 – mcp-pinot : Versions 3.0.1 and earlier run an HTTP MCP server bound to 0.0.0.0:8080 with no authentication, exposing all MCP tools (SQL query execution, schema creation, table-config mutation) to any network-adjacent caller. The server proxies these calls using server-...

10CVSS5.6AI score0.00498EPSS
Exploits0References4
NVD
NVD
added 2026/04/23 10:16 p.m.10 views

CVE-2026-41274

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that ar...

9.8CVSS0.00504EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/23 9:12 p.m.3 views

CVE-2026-41274 Flowise: Cypher Injection in GraphCypherQAChain

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that ar...

9.3CVSS5.9AI score0.00504EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/23 7:52 p.m.6 views

CVE-2026-41278

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the...

8.7CVSS5.8AI score0.00421EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/04/23 7:52 p.m.37 views

CVE-2026-41278 Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the...

8.7CVSS0.00421EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/23 7:13 p.m.12 views

CVE-2026-41268

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution RCE vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined wi...

7.7CVSS7.5AI score0.13789EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/03/11 7:25 p.m.7 views

EUVD-2026-11321

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 3.0.0 to before 3.1.0, if Himmelblau is deployed without a configured tenant domain in himmelblau.conf, authentication is not tenant-scoped. In this mode, Himmelblau can accept authentication attempts for...

10CVSS5.9AI score0.00501EPSS
Exploits0References1
EUVD
EUVD
added 2026/02/27 7:29 p.m.12 views

EUVD-2026-9052

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in POST /api/v1/auth/jellyfin allows an unauthenticated attacker to register a new Seerr account on any Plex-configure...

7.3CVSS5.9AI score0.00506EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/02/27 12:0 a.m.11 views

PT-2026-22381

Name of the Vulnerable Software and Affected Versions Seerr versions prior to 3.1.0 Description Seerr, an open-source media request and discovery manager for Jellyfin, Plex, and Emby, contains a flaw where authenticated users can access and modify data belonging to other users. This is due to the...

5.4CVSS5.9AI score0.00215EPSS
Exploits0References7
CVE
CVE
added 2026/02/24 9:11 p.m.26 views

CVE-2026-25899

CVE-2026-25899 affects GoFiber (Fiber) v3 branch prior to 3.1.0. The issue arises from the use of the fiber_flash cookie, which can trigger unbounded memory allocation (up to ~85 GB) via unvalidated MsgPack deserialization. A crafted 10-character cookie causes the allocation, with no authenticati...

7.5CVSS5.3AI score0.00396EPSS
Exploits1References2Affected Software1
Patchstack
Patchstack
added 2025/10/21 11:4 p.m.8 views

WordPress Simple Banner plugin <= 3.0.10 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability

Authenticated Admin+ Stored Cross-Site Scripting vulnerability discovered by Cody Sixteen in WordPress Plugin Simple Banner versions = 3.0.10...

4.4CVSS5.7AI score0.00177EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder