EUVD-2026-38590

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector.renameProperties allows a property with @JsonProperty"renamed" on the getter and @JsonIgnore on the setter to be renamed...

EUVD-2026-38387

MessagePack for C is a MessagePack serializer for C. Prior to 2.5.301 and 3.1.7, the parameterless MessagePackInputFormatter constructor uses default serializer options, which resolve to MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData. The formatter is designed for...

EUVD-2025-210259

Subscriber PHP Object Injection in Entrepreneur - Booking for Small Businesses WordPress Theme = 3.1.3 versions...

PT-2026-50041

Name of the Vulnerable Software and Affected Versions Oracle E-Business Suite Oracle Cost Management versions 12.2.3 through 12.2.15 Description An issue exists in the Cost Planning component of the Oracle Cost Management product. A high privileged attacker with network access via HTTP can exploi...

CVE-2026-36228

Buffer Overflow vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the chat message functionality...

CVE-2025-36145

IBM watsonx.data 2.2 through 2.3.1 IBM Lakehouse does not properly restrict inbound and outbound connections which could allow an attacker to transfer or modify files without restrictions...

CVE-2026-9157 Remote Code Execution in Gmission Web FAX

Improper input validation, Unrestricted upload of file with dangerous type vulnerability in Gmission Web Fax allows Remote Code Inclusion. This issue affects Web Fax: from 3.0 before 3.1...

NPM: FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover

NPM: FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

NPM: FlowiseAI: Vector Store No Permission Checks

NPM: FlowiseAI: Vector Store No Permission Checks vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

NPM: FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment

NPM: FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

CVE-2026-41901 Thymeleaf: Improper recognition of unauthorized syntax patterns in sandboxed Thymeleaf expressions

Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous...

CVE-2026-43995

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients node-fetch, axios instead of using the secured wrapper. These tools include 1 OpenAPIToolkit/OpenAPIToolkit.ts, 2...

EUVD-2026-27313

Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key...

CVE-2018-25312

CVE-2018-25312 affects LifeSize ClearSea 3.1.4. The vulnerability is a directory traversal in the smartgui interface that, when combined with uploading and manipulating path parameters, allows an authenticated attacker with network access to write files to arbitrary locations and potentially achi...

EUVD-2026-25297

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the...

CVE-2026-41138

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user’s input is directly applied to the question parameter within...

Arbitrary File Upload

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary File Upload in the createAttachment in Chatflow. An attacker can upload and persistently store malicious JavaScript files on the server by bypassing MIME type validation, which may...

PT-2026-39183

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.0 Description Multiple tool implementations bypass the centralized HTTP security wrapper httpSecurity.ts, which is designed to provide Server-Side Request Forgery SSRF protections through deny-list validation, IP...

PT-2026-33255

In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to an specific endpoint...

CVE-2025-51414

In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page...