
24 matches found

NVD
added 2 days ago · 7 views

CVE-2026-56274

Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in local file access restrictions. An attacker with a Flowise account of any role, or API access with view/update permissions f...

9.9 CVSS · 0.0166 EPSS
Exploits: 0 · References: 2
CVE
added 2 days ago · 14 views

CVE-2026-56274

Flowise

9.9 CVSS · 6.2 AI score · 0.0166 EPSS
Exploits: 0 · References: 2
OSV
added 2026/04/16 9:46 p.m. · 4 views

GHSA-CVRR-QHGW-2MM6 Flowise: Parameter Override Bypass Remote Command Execution

Summary: Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined with a NODEOPTIONS environment variable injection. This allows for the execution of arbitrary syste...

7.7 CVSS · 6.4 AI score · 0.13789 EPSS
Exploits: 1 · References: 3
VulnCheck KEV
added 2026/04/05 12:0 a.m. · 10 views

VulnCheck KEV: CVE-2025-59528

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided...

10 CVSS · 6.1 AI score · 0.90183 EPSS
In wild · Exploits: 21 · References: 12
EUVD
added 2025/10/03 8:7 p.m. · 23 views

EUVD-2022-6640

Malicious code in bioql PyPI...

5.3 CVSS · 6.5 AI score · 0.00963 EPSS
Exploits: 0 · References: 3
Tenable Nessus
added 2025/02/24 12:0 a.m. · 49 views

ClickHouse < 19.14.3

The version of ClickHouse installed on the remote host is prior to 19.14.3. It is, therefore, affected by an arbitrary file write vulnerability. In all versions of ClickHouse before 19.14.3, an attacker having write access to ZooKeeper and who is able to run a custom server available from the...

6.5 CVSS · 6.8 AI score · 0.00949 EPSS
Exploits: 0 · References: 2
OSV
added 2025/01/04 8:15 a.m. · 1 view

CVE-2024-12047

The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘customserver’ parameter in all versions up to, and including, 6.30.03 due to insufficient input sanitization and output escaping. This makes it possible for...

6.1 CVSS · 7.4 AI score · 0.0035 EPSS
Exploits: 0 · References: 4
CNNVD
added 2025/01/04 12:0 a.m. · 3 views

WordPress plugin WP Compress cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripti...

6.1 CVSS · 7.7 AI score · 0.0035 EPSS
Exploits: 0 · References: 4
Positive Technologies
added 2025/01/04 12:0 a.m. · 5 views

PT-2025-1737 · WordPress · Wp Compress

Name of the Vulnerable Software and Affected Versions: WP Compress – Instant Performance & Speed Optimization plugin for WordPress versions up to, and including, 6.30.03 Description: The issue is related to Reflected Cross-Site Scripting via the custom server parameter due to insufficient input...

6.1 CVSS · 6.6 AI score · 0.0035 EPSS
Exploits: 0 · References: 10
NVD
added 2022/08/31 7:15 p.m. · 58 views

CVE-2022-36046

Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict unhandledRejection exiting AND using next start or a custom server...

5.3 CVSS · 0.00963 EPSS
Exploits: 0 · References: 2
Prion
added 2022/08/31 7:15 p.m. · 12 views

Code injection

Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict unhandledRejection exiting AND using next start or a custom server...

2.1 CVSS · 5.6 AI score · 0.00963 EPSS
Exploits: 0 · References: 2 · Affected Software: 1
Cvelist
added 2022/08/31 6:55 p.m. · 54 views

CVE-2022-36046 Unexpected server crash in Next.js version 12.2.3

Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict unhandledRejection exiting AND using next start or a custom server...

5.3 CVSS · 5.5 AI score · 0.00963 EPSS
Exploits: 0 · References: 2
CVE
added 2022/08/31 6:55 p.m. · 88 views

CVE-2022-36046

CVE-2022-36046 (Next.js) affects Next.js 12.2.3 when run on Node.js > v15 with strict unhandledRejection and using next start or a custom server; deployments on Vercel are not affected. The issue causes a denial of service via unhandledRejection handling in the server, leading to a crash under...

5.3 CVSS · 5.2 AI score · 0.00963 EPSS
Exploits: 0 · References: 2 · Affected Software: 1
OSV
added 2022/08/31 6:55 p.m. · 33 views

CVE-2022-36046 Unexpected server crash in Next.js version 12.2.3

Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict unhandledRejection exiting AND using next start or a custom server...

5.3 CVSS · 6.4 AI score · 0.00963 EPSS
Exploits: 0 · References: 4
OSV
added 2022/08/30 8:38 p.m. · 1 view

GHSA-WFF4-FPWG-QQV3 Unexpected server crash in Next.js

Impact When specific requests are made to the Next.js server it can cause an unhandledRejection in the server which can crash the process to exit in specific Node.js versions with strict unhandledRejection handling. - Affected: All of the following must be true to be affected by this CVE - Node.j...

5.3 CVSS · 7.1 AI score · 0.00963 EPSS
Exploits: 0 · References: 3
Positive Technologies
added 2022/08/30 12:0 a.m. · 2 views

PT-2022-23140 · Next.Js +1 · Next.Js +1

Name of the Vulnerable Software and Affected Versions: Next.js version 12.2.3 Description: The issue affects Next.js when used with Node.js version above v15.0.0 and strict unhandledRejection exiting, and when using next start or a custom server. Specific requests to the Next.js server can cause ...

5.3 CVSS · 6.1 AI score · 0.00963 EPSS
Exploits: 0 · References: 9
Github Security Blog
added 2022/01/28 11:9 p.m. · 35 views

Denial of Service Vulnerability in next.js

Impact Vulnerable code could allow a bad actor to trigger a denial of service attack for anyone running a Next.js app at version = 12.0.0, and using i18n functionality. - Affected: All of the following must be true to be affected by this CVE - Next.js versions above v12.0.0 - Using next start or ...

7.5 CVSS · 3.4 AI score · 0.02153 EPSS
Exploits: 0 · References: 5 · Affected Software: 1
Prion
added 2022/01/28 10:15 p.m. · 26 views

Code injection

Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-...

4.3 CVSS · 7.6 AI score · 0.02153 EPSS
Exploits: 0 · References: 3 · Affected Software: 1
Cvelist
added 2022/01/28 10:0 p.m. · 25 views

CVE-2022-21721 DOS Vulnerability in next.js

Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-...

5.9 CVSS · 7.7 AI score · 0.02153 EPSS
Exploits: 0 · References: 3
OSV
added 2022/01/28 10:0 p.m. · 57 views

CVE-2022-21721 DOS Vulnerability in next.js

Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-...

5.9 CVSS · 7.6 AI score · 0.02153 EPSS
Exploits: 0 · References: 5