13 matches found
Permissive Cross-domain Policy with Untrusted Domains
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains through the generateTextToSpeech handler in the text-to-speech endpoint. An attacker can make a victim’s browser send authenticated requests from any...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the Object.assign process. An attacker can gain unauthorized access to and control over assistants across different workspac...
Insufficiently Protected Credentials
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Insufficiently Protected Credentials with the credentialName filter parameter, over the credentials API endpoint. An attacker can access encryptedData, containing encrypted credential data such as API keys,...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the PUT /api/v1/assistants/assistantId endpoint, when the server fails to validate and restrict modifications to...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the /api/v1/tools endpoint when the server fails to validate and restrict client-supplied fields in the request body. An...
EUVD-2026-27248
fast-uri vulnerable to host confusion via percent-encoded authority delimiters...
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
Impact fast-uri v3.1.1 and earlier decodes percent-encoded authority delimiters %40 as @, %3A as : inside the host component and serializes them back as raw characters. This changes the URI structure, turning a hostname into userinfo plus a different host. For example,...
GHSA-V39H-62P7-JPJC fast-uri vulnerable to host confusion via percent-encoded authority delimiters
Impact fast-uri v3.1.1 and earlier decodes percent-encoded authority delimiters %40 as @, %3A as : inside the host component and serializes them back as raw characters. This changes the URI structure, turning a hostname into userinfo plus a different host. For example,...
CVE-2026-6322 fast-uri vulnerable to host confusion via percent-encoded authority delimiters
fast-uri normalize decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator...
CVE-2026-39386
Neko is a a self-hosted virtual browser that runs in Docker and uses WebRTC In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance member management, room settings, broadcast control, session...
CVE-2025-59162 [email protected] contains malware after npm account takeover
color-convert provides plain color conversion functions in JavaScript. On 8 September 2025, the npm publishing account for color-convert was taken over after a phishing attack. Version 3.1.1 was published, functionally identical to the previous patch version, but with a malware payload added...
PT-2025-31001 · Yanyutao0402 · Chancms
Name of the Vulnerable Software and Affected Versions: yanyutao0402 ChanCMS versions through 3.1.2 Description: A critical vulnerability exists in yanyutao0402 ChanCMS. The vulnerability affects an unknown functionality of the file /collect/getArticle. Manipulation of the taskUrl argument leads t...
PT-2023-12412 · Webpa · Webpa
Name of the Vulnerable Software and Affected Versions: WebPA versions up to 3.1.1 Description: A critical issue affects some unknown processing, leading to sql injection. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world...