Cvelist
added 2026/03/07 5:10 a.m., 27 views

CVE-2026-30823 Flowise: IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR vulnerability leading to account takeover and enterprise feature bypass via SSO configuration. This issue has been patched in version 3.0.13...

CVSS 8.8, EPSS 0.0045
Exploits: 1, References: 2
CNNVD
added 2026/03/07 12:00 a.m., 4 views

Flowise Security Vulnerability

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Versions of Flowise prior to 3.0.13 contained security vulnerabilities caused by insecure direct object references. These vulnerabilities could lead to account takeover and bypassing...

CVSS 8.8, AI score 7.3, EPSS 0.0045
Exploits: 1, References: 2
OSV
added 2026/03/06 10:20 p.m., 3 views

GHSA-CWC3-P92J-G7QM Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration

Summary: The Flowise platform has a critical Insecure Direct Object Reference (IDOR) vulnerability combined with a Business Logic Flaw in the PUT /api/v1/loginmethod endpoint. While the endpoint requires authentication, it fails to validate if the authenticated user has ownership or administrative...

CVSS 8.8, AI score 5.8, EPSS 0.0045
Exploits: 1, References: 4
RedhatCVE
added 2026/03/06 7:54 a.m., 3 views

CVE-2026-28135

Inclusion of Functionality from Untrusted Control Sphere vulnerability in WP Royal Royal Elementor Addons (royal-elementor-addons) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Royal Elementor Addons: from n/a through = 1.7.1052...

CVSS 8.2, AI score 5.9, EPSS 0.00229
Exploits: 0, References: 1
NVD
added 2026/03/06 4:16 a.m., 2 views

CVE-2025-55289

Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability in Chamilo LMS Version 1.11.32 allows an attacker to inject arbitrary JavaScript into the platform's social network and internal messaging features. When viewed by an authenticated user, includin...

CVSS 9, EPSS 0.00299
Exploits: 0, References: 2
Positive Technologies
added 2026/03/06 12:00 a.m., 4 views

PT-2026-23789

Name of the Vulnerable Software and Affected Versions: Flowise versions prior to 3.0.13. Description: Flowise is a drag & drop user interface to build customized large language model flows. A critical Insecure Direct Object Reference (IDOR) vulnerability, combined with a Business Logic Flaw, exists in...

CVSS 8.8, AI score 7.3, EPSS 0.0045
Exploits: 1, References: 4
NVD
added 2026/03/05 6:16 a.m., 8 views

CVE-2026-28104

Missing Authorization vulnerability in Aryan Shirani Bid Abadi Site Suggest (site-suggest) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Site Suggest: from n/a through = 1.3.9...

CVSS 6.5, EPSS 0.00242
Exploits: 0, References: 1
Fedora
added 2026/03/05 1:13 a.m., 7 views

[SECURITY] Fedora 42 Update: yt-dlp-2026.02.21-1.fc42

yt-dlp is a command-line program to download videos from many different online video platforms, such as youtube.com. The project is a fork of youtube-dl with additional features and fixes...

CVSS 8.8, AI score 5.9, EPSS 0.01596
Exploits: 2
RedhatCVE
added 2026/03/04 1:44 p.m., 3 views

CVE-2026-22886

OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account, admin/admin, and does not enforce a mandatory password change on first use. After the first successful login, the server continues to...

CVSS 9.8, AI score 6, EPSS 0.00402
Exploits: 0, References: 1
Fedora
added 2026/03/04 1:26 a.m., 7 views

[SECURITY] Fedora 42 Update: python-apt-3.1.0-1.fc42

python-apt is a wrapper to use features of APT from Python...

CVSS 6.9, AI score 5.9, EPSS 0.00122
Exploits: 1
Fedora
added 2026/03/04 12:56 a.m., 6 views

[SECURITY] Fedora 43 Update: python-apt-3.1.0-1.fc43

python-apt is a wrapper to use features of APT from Python...

CVSS 6.9, AI score 5.9, EPSS 0.00122
Exploits: 1
Tenable Nessus
added 2026/03/04 12:00 a.m., 3 views

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-005525)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005525 advisory. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST. If we received HCI_EV_IO_CAPA_REQUEST while...

CVSS 5.5, AI score 6.3, EPSS 0.00244
Exploits: 0, References: 4
OSSF Malicious Packages
added 2026/02/28 8:25 p.m., 7 views

Malicious code in myproject-bola (PyPI)

Per source details. Source: kam193 f85bf2df7a8a311b7140ca4086746ecf3c26b219843b96c1f9f8c22f505e7edc. Starting the module initiates an infostealer with a Telegram bot and RAT-like functionality and hardcoded credentials. The code automatically adds itself to...

AI score 6
Exploits: 0, References: 1
OSV
added 2026/02/28 8:22 p.m., 4 views

MAL-2026-1090 Malicious code in isb (PyPI)

Per source details. Source: kam193 93750cbddba7897fde1d31836971e11082ad2076012c7caf708980de45827840. Starting the module initiates an infostealer with a Telegram bot and RAT-like functionality and hardcoded credentials. The code automatically adds itself to...

AI score 6
Exploits: 0, References: 1
NVD
added 2026/02/27 10:16 p.m., 5 views

CVE-2026-28408

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionartipodocsatendido.php does not go through the project's central controller and does not have its own authentication and permission checks. A malicious user could make a request through tools like...

CVSS 9.8, EPSS 0.00514
Exploits: 1, References: 1
Packet Storm News
added 2026/02/27 12:00 a.m., 2 views

Exploring Robust Intrusion Detection: A Benchmark Study of Feature Transferability in IoT Botnet Attack Detection

Cross-domain intrusion detection remains a critical challenge due to significant variability in network traffic characteristics and feature distributions across environments. This study evaluates the transferability of three widely used flow-based feature sets (Argus, Zeek and CICFlowMeter) across...

AI score 6
Exploits: 0
CVE
added 2026/02/26 7:56 a.m., 11 views

CVE-2026-1694

PcVue v12.0.0–v16.3.3 web services (WebVue, WebScheduler, TouchVue, SnapVue) are affected by a default HTTP header configuration that reveals server details. The root cause is that IIS/ASP.NET adds headers which are not removed during deployment. This exposes sensitive server configuration informat...

CVSS 4.3, AI score 5.3, EPSS 0.00168
Exploits: 0, References: 1, Affected Software: 1
Vulnrichment
added 2026/02/26 2:06 a.m., 5 views

CVE-2026-27973 Audiobookshelf has Stored XSS in ItemSearchCard.vue via Audiobook Metadata (Search Results on Mobile App)

Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library...

CVSS 4, AI score 5.7, EPSS 0.00164
Exploits: 0, References: 2
Fedora
added 2026/02/25 12:53 a.m., 6 views

[SECURITY] Fedora 43 Update: yt-dlp-2026.02.21-1.fc43

yt-dlp is a command-line program to download videos from many different online video platforms, such as youtube.com. The project is a fork of youtube-dl with additional features and fixes...

CVSS 8.8, AI score 5.9, EPSS 0.01596
Exploits: 2
NVD
added 2026/02/24 6:29 p.m., 6 views

CVE-2026-27468

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content...

CVSS 8.3, EPSS 0.00261
Exploits: 0, References: 2