Lucene search
K

12 matches found

Spring Security Advisories
Spring Security Advisories
added 2026/06/30 12:0 a.m.14 views

This Week in Spring - June 30th, 2026

Hi, Spring fans! Welcome to another installment of This Week in Spring , a weekly recap in which we review the latest and greatest in the wide and wonderful world of Spring. You probably already knew this. I don't know if I needed to mention it. But I like to. I've been doing this every week,...

5.8AI score
Exploits0
Spring Security Advisories
Spring Security Advisories
added 2026/06/23 12:0 a.m.60 views

This Week in Spring - June 23rd, 2026

Hi Spring fans! In this installment, we look at the wide and wonderful world of Spring, as usual, and there's a good amount to get to, fresh off the recent Spring Boot 4.1 generation release train, so let's dive right into it! I wrote a blog post looking at Spring Batch, MongoDB, and Spring Boot...

5.8AI score
Exploits0
ATTACKERKB
ATTACKERKB
added 2026/04/23 7:53 p.m.8 views

CVE-2026-41279

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint POST /api/v1/text-to-speech/generate is whitelisted no auth and accepts a credentialId directly in the request body. When called without a chatflowId, th...

8.2CVSS5.8AI score0.00261EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/04/17 9:35 p.m.5 views

GHSA-5FW2-MWHH-9947 Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials

Summary The text-to-speech generation endpoint POST /api/v1/text-to-speech/generate is whitelisted no auth and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential e.g., OpenAI or...

8.2CVSS5.9AI score0.00261EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/04/17 9:35 p.m.15 views

Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials

Summary The text-to-speech generation endpoint POST /api/v1/text-to-speech/generate is whitelisted no auth and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential e.g., OpenAI or...

8.2CVSS5.9AI score0.00261EPSS
Exploits1References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/06 7:45 p.m.6 views

CVE-2026-28209

FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech TTS engine in the recordings module. This issue has been patched in versions 16.0.20...

7.5CVSS5.7AI score0.00886EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/05 6:22 p.m.3 views

CVE-2026-28209 FreePBX: Command Injection leading to Remote Code Execution in FreePBX ElevenLabs Text-to-Speech integration

FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech TTS engine in the recordings module. This issue has been patched in versions 16.0.20...

7.5CVSS5.7AI score0.00886EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/05 6:22 p.m.33 views

CVE-2026-28209 FreePBX: Command Injection leading to Remote Code Execution in FreePBX ElevenLabs Text-to-Speech integration

FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech TTS engine in the recordings module. This issue has been patched in versions 16.0.20...

7.5CVSS0.00886EPSS
Exploits0References1
CVE
CVE
added 2026/03/05 6:22 p.m.25 views

CVE-2026-28209

CVE-2026-28209 affects FreePBX where FreePBX versions 16.0.17.2–before 16.0.20 and 17.0.2.4–before 17.0.5 are vulnerable to a command injection in the recordings module when the ElevenLabs Text-to-Speech engine is used. Root cause: command injection arising in the recordings workflow. Impact is h...

7.5CVSS5.8AI score0.00886EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/03/05 6:22 p.m.6 views

CVE-2026-28209 FreePBX: Command Injection leading to Remote Code Execution in FreePBX ElevenLabs Text-to-Speech integration

FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech TTS engine in the recordings module. This issue has been patched in versions 16.0.20...

7.5CVSS5.7AI score0.00886EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/03/05 12:0 a.m.11 views

FreePBX 操作系统命令注入漏洞

FreePBX is a set of tools from the FreePBX project that allow configuration of Asterisk an IP telephony system through a GUI graphical web-based interface. Versions of FreePBX prior to 16.0.20 and 17.0.5 had an operating system command injection vulnerability. This vulnerability stemmed from the...

7.5CVSS5.8AI score0.00886EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/05 12:0 a.m.14 views

PT-2026-23489

Name of the Vulnerable Software and Affected Versions FreePBX versions 16.0.17.2 through 16.0.20 FreePBX versions 17.0.2.4 through 17.0.5 Description FreePBX, an open source IP PBX, contains a command injection issue within the recordings module when utilizing the ElevenLabs Text-to-Speech TTS...

7.5CVSS5.8AI score0.00886EPSS
Exploits0References4
Rows per page
Query Builder