17 matches found
CVE-2026-41268
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined wi...
Flowise Access Control Error Vulnerability
Flowise is an open-source tool developed by FlowiseAI, designed to make building LLM applications easy. Prior to Flowise 3.1.0, there was an access control vulnerability. It stemmed from a mass assignment flaw in the DocumentStore creation endpoints, allowing authenticated...
Flowise Code Issue Vulnerability
Flowise is an open-source tool developed by FlowiseAI, designed to make building LLM applications easy. Prior to Flowise 3.1.0, there were code-related vulnerabilities. They stemmed from the Chatflow configuration file upload settings, which could be modified to allow...
CVE-2026-40933
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerabilit...
Distribution Security Vulnerability
Distribution is an open-source toolset from the Distribution project, used for packaging, transporting, storing, and delivering content. Versions of Distribution prior to 3.1.0 contain a security vulnerability that stems from unvalidated domain URLs in pull-through cache mode,...
PT-2026-30630
Distribution versions prior to 3.1.0 are affected by an issue where the software incorrectly handles token authentication endpoints. Specifically, when operating in pull-through cache mode, the software parses WWW-Authenticate challenges from the upstream registry without validating the realm URL...
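The two Distribution entries above describe the same root cause: a pull-through cache that follows whatever realm an upstream's WWW-Authenticate challenge names, so a hostile or substituted upstream can direct the proxy's token request (and the upstream credentials it carries) to an arbitrary host. The following is an added example, not Distribution's own code, of parsing a Bearer challenge and refusing any realm that is not an https URL on the upstream host or an operator-configured token service. The hostnames, the allowlist and the function names are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Challenge holds the parameters of a Bearer challenge from WWW-Authenticate.
type Challenge struct {
	Realm   string
	Service string
	Scope   string
}

// splitParams splits "k=v,k=v" on commas that are not inside double quotes,
// because registry scopes such as "repository:foo:pull,push" contain commas.
func splitParams(s string) ([]string, error) {
	var parts []string
	var cur strings.Builder
	inQuote := false
	for i := 0; i < len(s); i++ {
		switch c := s[i]; {
		case c == '"':
			inQuote = !inQuote
			cur.WriteByte(c)
		case c == ',' && !inQuote:
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(c)
		}
	}
	if inQuote {
		return nil, errors.New("unterminated quoted value in challenge")
	}
	return append(parts, cur.String()), nil
}

// ParseBearerChallenge parses the quoted key=value form used by registries:
//   Bearer realm="https://auth.example.com/token",service="registry.example.com",scope="..."
func ParseBearerChallenge(header string) (*Challenge, error) {
	const prefix = "bearer "
	if len(header) < len(prefix) || !strings.EqualFold(header[:len(prefix)], prefix) {
		return nil, errors.New("not a Bearer challenge")
	}
	parts, err := splitParams(header[len(prefix):])
	if err != nil {
		return nil, err
	}
	c := &Challenge{}
	for _, p := range parts {
		kv := strings.SplitN(strings.TrimSpace(p), "=", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed challenge parameter %q", p)
		}
		val := strings.Trim(kv[1], `"`)
		switch strings.ToLower(kv[0]) {
		case "realm":
			c.Realm = val
		case "service":
			c.Service = val
		case "scope":
			c.Scope = val
		}
	}
	if c.Realm == "" {
		return nil, errors.New("challenge carries no realm")
	}
	return c, nil
}

// ValidateRealm accepts a realm only if it is an absolute https URL whose host
// is the upstream registry itself or one of the operator-configured token
// services (hypothetical allowlist). Anything else would make the proxy send
// its upstream credentials to a host chosen by whoever wrote the header.
func ValidateRealm(realm, upstreamHost string, allowedRealmHosts []string) error {
	u, err := url.Parse(realm)
	if err != nil {
		return fmt.Errorf("realm is not a URL: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("realm %q must use https", realm)
	}
	host := u.Hostname()
	if host == "" {
		return fmt.Errorf("realm %q has no host", realm)
	}
	if strings.EqualFold(host, upstreamHost) {
		return nil
	}
	for _, h := range allowedRealmHosts {
		if strings.EqualFold(host, h) {
			return nil
		}
	}
	return fmt.Errorf("realm host %q is neither upstream %q nor an allowed token service", host, upstreamHost)
}

// TokenEndpointFor is what a pull-through cache would call before following a
// challenge: parse it, then refuse to proceed unless the realm validates.
func TokenEndpointFor(header, upstreamHost string, allowed []string) (string, error) {
	c, err := ParseBearerChallenge(header)
	if err != nil {
		return "", err
	}
	if err := ValidateRealm(c.Realm, upstreamHost, allowed); err != nil {
		return "", err
	}
	return c.Realm, nil
}

func main() {
	// Constructed sample headers; the hosts are illustrative.
	const upstream = "registry.example.com"
	allowed := []string{"auth.example.com"}
	good := `Bearer realm="https://auth.example.com/token",service="registry.example.com",scope="repository:foo/bar:pull,push"`
	bad := `Bearer realm="https://attacker.example.net/token",service="registry.example.com"`
	for _, h := range []string{good, bad} {
		ep, err := TokenEndpointFor(h, upstream, allowed)
		fmt.Printf("endpoint=%q err=%v\n", ep, err)
	}
}
```

Matching on hostname rather than a string prefix matters: a realm such as `https://registry.example.com.attacker.net/` or one with embedded credentials must not pass, and `url.Hostname()` gives the component to compare. The allowlist exists because many registries legitimately hand out a realm on a different host than the registry itself, so the operator, not the upstream response, decides which token services are acceptable.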
CVE-2026-27793 Seerr has Broken Object-Level Authorization in User Profile Endpoint that Exposes Third-Party Notification Credentials
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the GET /api/v1/user/:id endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of...
PT-2026-22380
Name of the Vulnerable Software and Affected Versions: Seerr versions 2.0.0 through 3.0.9. Description: Seerr is a media request and discovery manager for Jellyfin, Plex, and Emby. A flaw in the authentication guard logic within the /api/v1/auth/jellyfin API endpoint allows an unauthenticated attack...
CVE-2026-25899
CVE-2026-25899 affects the GoFiber (Fiber) v3 branch prior to 3.1.0. The issue arises from the fiber_flash cookie, which can trigger unbounded memory allocation (up to ~85 GB) via unvalidated MsgPack deserialization. A crafted 10-character cookie causes the allocation, with no authenticati...
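The entry above is a textbook length-prefix allocation problem: a MessagePack array32 or str32 header is five bytes, and a decoder that allocates whatever element count the header declares will reserve gigabytes for a cookie that is a few characters long. The following is an added example, not Fiber's own code, of a pre-decode check that reads only the first object's header and rejects any declared length that is larger than the bytes actually present or larger than a fixed cap. It assumes, hypothetically, that the cookie carries raw MessagePack in unpadded URL-safe base64; the cap value and function names are assumptions as well.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// MaxDeclaredLen is a hypothetical cap on the element or byte count a flash
// cookie may declare; a real limit would be sized to the largest legitimate
// flash payload, which is far smaller than this.
const MaxDeclaredLen uint64 = 1 << 16

// msgpackHeader describes the first MessagePack object in a payload.
type msgpackHeader struct {
	kind   string // "array", "map", "str", "bin" or "scalar"
	length uint64 // declared element count (array/map) or byte count (str/bin)
	size   int    // bytes occupied by the header itself
}

// readHeader decodes the type byte and any length prefix of the first object.
// Only the formats whose declared length drives an allocation are modelled;
// fixed-size scalars (nil, bool, intN, floatN, fixext) are reported as "scalar".
func readHeader(b []byte) (msgpackHeader, error) {
	if len(b) == 0 {
		return msgpackHeader{}, errors.New("empty payload")
	}
	t := b[0]
	need := func(n int) error {
		if len(b) < n {
			return fmt.Errorf("type byte 0x%02x needs %d bytes, have %d", t, n, len(b))
		}
		return nil
	}
	switch {
	case t <= 0x7f || t >= 0xe0: // positive / negative fixint
		return msgpackHeader{"scalar", 0, 1}, nil
	case t&0xf0 == 0x80: // fixmap
		return msgpackHeader{"map", uint64(t & 0x0f), 1}, nil
	case t&0xf0 == 0x90: // fixarray
		return msgpackHeader{"array", uint64(t & 0x0f), 1}, nil
	case t&0xe0 == 0xa0: // fixstr
		return msgpackHeader{"str", uint64(t & 0x1f), 1}, nil
	}
	kinds := map[byte]string{
		0xc4: "bin", 0xc5: "bin", 0xc6: "bin", // bin8/16/32
		0xc7: "bin", 0xc8: "bin", 0xc9: "bin", // ext8/16/32 (length-prefixed bytes)
		0xd9: "str", 0xda: "str", 0xdb: "str", // str8/16/32
		0xdc: "array", 0xdd: "array", // array16/32
		0xde: "map", 0xdf: "map", // map16/32
	}
	kind, ok := kinds[t]
	if !ok {
		return msgpackHeader{"scalar", 0, 1}, nil
	}
	switch t {
	case 0xc4, 0xc7, 0xd9: // 8-bit length
		if err := need(2); err != nil {
			return msgpackHeader{}, err
		}
		return msgpackHeader{kind, uint64(b[1]), 2}, nil
	case 0xc5, 0xc8, 0xda, 0xdc, 0xde: // 16-bit big-endian length
		if err := need(3); err != nil {
			return msgpackHeader{}, err
		}
		return msgpackHeader{kind, uint64(binary.BigEndian.Uint16(b[1:3])), 3}, nil
	default: // 32-bit big-endian length
		if err := need(5); err != nil {
			return msgpackHeader{}, err
		}
		return msgpackHeader{kind, uint64(binary.BigEndian.Uint32(b[1:5])), 5}, nil
	}
}

// CheckDeclaredLengths rejects a payload whose first object declares more
// elements or bytes than could possibly follow, or more than maxLen, before
// any decoder is allowed to allocate for it.
func CheckDeclaredLengths(payload []byte, maxLen uint64) error {
	h, err := readHeader(payload)
	if err != nil {
		return err
	}
	if h.kind == "scalar" {
		return nil
	}
	remaining := uint64(len(payload) - h.size)
	units := h.length
	if h.kind == "map" {
		units *= 2 // n pairs carry 2n objects; no overflow, length <= 2^32-1
	}
	// Every element or byte occupies at least one input byte, so a declared
	// count larger than the bytes left is impossible and must be hostile.
	if units > remaining {
		return fmt.Errorf("%s declares %d units but only %d bytes follow the header", h.kind, units, remaining)
	}
	if h.length > maxLen {
		return fmt.Errorf("%s length %d exceeds cap %d", h.kind, h.length, maxLen)
	}
	return nil
}

// EncodeCookie and CheckFlashCookie assume (hypothetically) that the cookie
// value is raw MessagePack in unpadded URL-safe base64.
func EncodeCookie(payload []byte) string { return base64.RawURLEncoding.EncodeToString(payload) }

func CheckFlashCookie(value string, maxLen uint64) error {
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil {
		return fmt.Errorf("cookie is not base64: %w", err)
	}
	return CheckDeclaredLengths(raw, maxLen)
}

func main() {
	// Constructed samples: an array32 header claiming 4294967295 elements, and [1, "ok"].
	hostile := []byte{0xdd, 0xff, 0xff, 0xff, 0xff, 0x01}
	benign := []byte{0x92, 0x01, 0xa2, 'o', 'k'}
	fmt.Println("hostile cookie:", CheckFlashCookie(EncodeCookie(hostile), MaxDeclaredLen))
	fmt.Println("benign cookie:", CheckFlashCookie(EncodeCookie(benign), MaxDeclaredLen))
}
```

The "declared units cannot exceed remaining bytes" rule is the important one: it needs no tuning and defeats every oversized header regardless of the cap, whereas a cap alone still lets an attacker pick the largest allocation under it. A production decoder should apply the same check recursively for nested containers, which this first-object check does not do.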
Fiber Security Vulnerability
Fiber is an open-source web framework written in Go. Versions of Fiber prior to 2.52.12 and 3.1.0 contain security vulnerabilities. They stem from a lack of validation during route registration and unbounded array writes during request matching, which may lead to application crashe...
MODX Revolution Security Vulnerability
MODX Revolution is an open-source PHP-based content management system (CMS) from MODX. The system supports online collaboration, search engine optimization (SEO) and more. A security vulnerability exists in MODX Revolution versions prior to 3.1.0, which originates from the fact that an...
Apache DolphinScheduler Security Vulnerability
Apache DolphinScheduler is a modern data scheduling platform from the Apache Software Foundation. A security vulnerability exists in Apache DolphinScheduler versions prior to 3.1.0, which stems from a logged-in user being able to delete a resource center without authorization via a UDF function...
PT-2023-21723 · Discourse · Discourse
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 3.0.3; Discourse versions prior to 3.1.0.beta4. Description: Discourse is an open source platform for community discussion. A maliciously crafted request from a Discourse administrator can lead to a long-running...
Passport-SAML Resource Management Error Vulnerability
Passport-SAML is the SAML 2.0 authentication provider for Passport, the Node.js authentication library. Prior to version 3.1.0, Passport-SAML suffers from a resource management error: a conversion step could consume a significant amount of system resources to process...
PT-2020-6072 · Npm · Serialize-Javascript
Name of the Vulnerable Software and Affected Versions: serialize-javascript versions prior to 3.1.0. Description: The issue is related to errors in code generation management in the deleteFunctions function of the serialize-javascript library. Exploitation of this issue may allow a remote attacker...
QEMU Media Transport Protocol Directory Traversal Vulnerability
QEMU (Quick Emulator) is a fast, cross-platform processor emulation suite. A security vulnerability exists in the Media Transfer Protocol (MTP) implementation in versions of QEMU prior to 3.1.0, which stems from the program's failure to properly filter filenames. An attacker could...
radare2 opmov function denial of service vulnerability
radare2 is a set of libraries and tools for working with binary files. A security vulnerability exists in the opmov function in the libr/asm/p/asm_x86_nz.c file in radare2 versions prior to 3.1.0. An attacker can exploit this vulnerability to cause a denial of service (buffer out-of-bounds read)...