CVE-2026-50023

yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, a vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files such as .desktop, .url, .webloc to the user's filesystem, bypassing the remediation for CVE-2024-38519. The allowlist explicitl...

CVE-2026-45732

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, the OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate ...

CVE-2026-44791

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could bypass the patch for CVE-2026-42232 in the XML node. When combined with other nodes, this could lead to RCE on the n8n host. This...

CVE-2026-49860 Deno: WebSocket API sandbox bypass via missing post-DNS check

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially...

CVE-2026-54257

CVE-2026-54257 affects Electron 42.3.1 through 42.3.2 where the Node.js Buffer API uses incorrect byte-length calculations, causing heap underflow/overflow. This can lead to crashes and, in some cases, incorrect buffer allocations (truncation or misallocation). The issue is fixed in Electron 42.3...

ROOT-APP-MAVEN-CVE-2025-66168 CVE-2025-66168 in io.root.org.apache.activemq:activemq-mqtt - Patched by Root

Root has patched CVE-2025-66168 in the io.root.org.apache.activemq:activemq-mqtt package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2026-33227 CVE-2026-33227 in io.root.org.apache.activemq:activemq-client - Patched by Root

Root has patched CVE-2026-33227 in the io.root.org.apache.activemq:activemq-client package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2026-34197 CVE-2026-34197 in io.root.org.apache.activemq:activemq-broker - Patched by Root

Root has patched CVE-2026-34197 in the io.root.org.apache.activemq:activemq-broker package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2026-39304 CVE-2026-39304 in io.root.org.apache.activemq:activemq-client - Patched by Root

Root has patched CVE-2026-39304 in the io.root.org.apache.activemq:activemq-client package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2026-41043 CVE-2026-41043 in io.root.org.apache.activemq:activemq-broker - Patched by Root

Root has patched CVE-2026-41043 in the io.root.org.apache.activemq:activemq-broker package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2026-41044 CVE-2026-41044 in io.root.org.apache.activemq:activemq-broker - Patched by Root

Root has patched CVE-2026-41044 in the io.root.org.apache.activemq:activemq-broker package for Root:Maven. Multiple fixed versions available...

CVE-2026-54013

CVE-2026-54013 describes a stored XSS in Open WebUI where the model profile image URL could be a data:image/svg+xml;base64 payload. The root cause is missing input validation on ModelMeta.profile_image_url and missing output protections in the model image endpoint (no MIME allowlist, no nosniff, ...

EUVD-2026-38517

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference IDOR vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in...

CVE-2026-55423

CVE-2026-55423 affects Langflow prior to version 1.7.0, where the /logout flow fails to clear session data. Root cause: the logout endpoint did not delete cookies with matching attributes (httponly/samesite/secure/domain), so tokens persisted in local storage and cookies even after logout. Conseq...

CVE-2026-55450 Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the...

CVE-2026-54309

n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP transport mode, the MCP endpoint accepts session initialization and tool invocation requests without any authentication. Any network-reachable client, or any website visited by the...

EUVD-2026-38497

yt-dlp is a command-line audio/video downloader. From 2023.09.24 until 2026.06.09, if curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. At the file downloa...

CVE-2026-50574 yt-dlp: Arbitrary code execution via manifest downloads with aria2c

yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, if aria2c is used as an external downloader for a fragmented manifest format such as an HLS/DASH stream, yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On...

CVE-2026-44791

CVE-2026-44791 (n8n): Affected product: n8n (open source workflow automation). Background: prior to 1.123.43, 2.20.7, and 2.22.1, an authenticated user with permission to create/modify workflows could bypass the XML node patch for CVE-2026-42232, enabling global prototype pollution in the XML Nod...

CVE-2026-44791 n8n: XML Node Prototype Pollution Patch Bypass

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could bypass the patch for CVE-2026-42232 in the XML node. When combined with other nodes, this could lead to RCE on the n8n host. This...