Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

58905 matches found

Cvelist
Cvelistadded 2026/04/23 7:15 p.m.31 views

CVE-2026-41270 Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery SSRF protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTPDENYLIST for axios and...

7.1CVSS0.00234EPSS
Exploits1References1
ATTACKERKB
ATTACKERKBadded 2026/04/23 7:14 p.m.1 views

CVE-2026-41269

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally...

7.1CVSS5.9AI score0.00472EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichmentadded 2026/04/23 7:14 p.m.4 views

CVE-2026-41269 Flowise: File Upload Validation Bypass in createAttachment

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally...

7.1CVSS5.6AI score0.00472EPSS
Exploits1References1
EUVD
EUVDadded 2026/04/23 7:14 p.m.3 views

EUVD-2026-25286

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally...

7.1CVSS5.9AI score0.00472EPSS
Exploits1References1
CVE
CVEadded 2026/04/23 7:14 p.m.6 views

CVE-2026-41269

Flowise vulnerability CVE-2026-41269 concerns the Flowise drag-and-drop LLM flow UI. Before version 3.1.0, Chatflow configuration file upload settings permitted the application/javascript MIME type, allowing attackers to upload .js files even if the frontend blocks JavaScript uploads. This could ...

8.8CVSS5.9AI score0.00472EPSS
Exploits1References1Affected Software1
ATTACKERKB
ATTACKERKBadded 2026/04/23 6:30 p.m.4 views

CVE-2026-41241

pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields which includes an...

8.7CVSS5.8AI score0.00163EPSS
Exploits0References2Affected Software1
Snyk
Snykadded 2026/04/23 3:7 p.m.3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the AdvancedSearch module. An attacker can execute arbitrary JavaScript code in the context of a user's browser by submitting specially crafted input. Details Cross-site scripting or XSS is a code...

6.1CVSS5.5AI score0.00188EPSS
Exploits1References2
OSV
OSVadded 2026/04/23 2:47 p.m.1 views

OPENSUSE-SU-2026:20621-1 Security update for MozillaFirefox

This update for MozillaFirefox fixes the following issues: Update to Firefox Extended Support Release 140.10.0 ESR. - MFSA 2026-32 bsc1262230: CVE-2026-6746: Use-after-free in the DOM: Core & HTML component CVE-2026-6747: Use-after-free in the WebRTC component CVE-2026-6748: Uninitialized memory ...

9.8CVSS5.3AI score0.04938EPSS
Exploits1References26
EUVD
EUVDadded 2026/04/23 9:32 a.m.4 views

EUVD-2026-25197

The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sanitize or escape the Site Key setting before outputting it in a JavaScript string context via the grecaptchajs function. This allows administrators on multisite installations who do not have the unfilteredhtml capability to injec...

3.5CVSS5.9AI score0.00185EPSS
Exploits0References2
NVD
NVDadded 2026/04/23 7:16 a.m.6 views

CVE-2026-4512

The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sanitize or escape the Site Key setting before outputting it in a JavaScript string context via the grecaptchajs function. This allows administrators on multisite installations who do not have the unfilteredhtml capability to injec...

3.5CVSS0.00185EPSS
Exploits0References1
EUVD
EUVDadded 2026/04/23 6:30 a.m.2 views

EUVD-2026-25170

Successful exploitation of the stored cross-site scripting XSS vulnerability could allow an attacker to execute arbitrary JavaScript on any user account that has access to Koollab LMS’ courselet feature...

5.4CVSS5.9AI score0.00173EPSS
Exploits0References2
Vulnrichment
Vulnrichmentadded 2026/04/23 6:0 a.m.3 views

CVE-2026-4512 WP reCaptcha by WebDesignBy < 2.0 – Admin+ Stored XSS

The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sanitize or escape the Site Key setting before outputting it in a JavaScript string context via the grecaptchajs function. This allows administrators on multisite installations who do not have the unfilteredhtml capability to injec...

5.9AI score0.00185EPSS
Exploits0References1
CVE
CVEadded 2026/04/23 6:0 a.m.12 views

CVE-2026-4512

The CVE-2026-4512 entry concerns the WordPress plugin “reCaptcha by WebDesignBy” (before version 2.0). The root cause is the plugin’s Site Key setting not being sanitized/escaped before being output in a JavaScript string context via grecaptcha_js(), enabling stored XSS on multisite installations...

3.5CVSS5.9AI score0.00185EPSS
Exploits0References1
CVE
CVEadded 2026/04/23 2:54 a.m.21 views

CVE-2026-3007

CVE-2026-3007 is a stored XSS in Koollab LMS, affecting the courselet feature. Exploitation could run arbitrary JS in accounts with access to the courselet, with a CVSS 3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). The vulnerability requires user interaction and has low confidentia...

5.4CVSS5.9AI score0.00173EPSS
Exploits0References1
ATTACKERKB
ATTACKERKBadded 2026/04/23 2:54 a.m.5 views

CVE-2026-3007

Successful exploitation of the stored cross-site scripting XSS vulnerability could allow an attacker to execute arbitrary JavaScript on any user account that has access to Koollab LMS’ courselet feature...

5.4CVSS5.9AI score0.00173EPSS
Exploits0References2
NVD
NVDadded 2026/04/23 2:16 a.m.2 views

CVE-2026-41200

STIG Manager is an API and web client for managing Security Technical Implementation Guides STIG assessments of Information Systems. Versions 1.5.10 through 1.6.7 have a reflected Cross-Site Scripting XSS vulnerability in the OIDC authentication error handling code in src/init.js and...

8.5CVSS0.00332EPSS
Exploits1References1
NVD
NVDadded 2026/04/23 2:16 a.m.1 views

CVE-2026-41182

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK, the LangSmith SDK's output redaction controls hideOutputs in JS, hideoutputs in Python do not apply to streaming token events. When ...

5.3CVSS0.00214EPSS
Exploits0References1
EUVD
EUVDadded 2026/04/23 12:53 a.m.2 views

EUVD-2026-25166

Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with default configuration...

10CVSS6.5AI score0.01106EPSS
Exploits4References1
Cvelist
Cvelistadded 2026/04/23 12:14 a.m.29 views

CVE-2026-41182 LangSmith SDK: Streaming token events bypass output redaction

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK, the LangSmith SDK's output redaction controls hideOutputs in JS, hideoutputs in Python do not apply to streaming token events. When ...

5.3CVSS0.00214EPSS
Exploits0References1
EUVD
EUVDadded 2026/04/23 12:14 a.m.0 views

EUVD-2026-25152

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK, the LangSmith SDK's output redaction controls hideOutputs in JS, hideoutputs in Python do not apply to streaming token events. When ...

5.3CVSS5.8AI score0.00214EPSS
Exploits0References1
Rows per page
Query Builder