EUVD-2026-25291
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This behavior introduces the risk of a man-in-the-middle...
CVE-2026-42333
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-23 19:24:06+00:00 | published-proof-of-concept | https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-fr8f-rwjx-f32v |
| 2026-05-09 21:27:51+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mlh6rs2p632e... |
EUVD-2026-25226
SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers...
EUVD-2026-25235
In hackage-server, user-controlled metadata from .cabal files is rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks...
CVE-2026-41043
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-23 18:25:08+00:00 | seen | https://bsky.app/profile/infosec.skyfleet.blue/post/3mk6n4dcaab2j... |
CVE-2026-40466
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-23 18:20:07+00:00 | seen | https://bsky.app/profile/infosec.skyfleet.blue/post/3mk6mte66qo2s |
| 2026-04-24 22:01:19+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mkbjnso4nx2n |
| 2026-05-04 14:45:01+00:00 | confirmed | ... |
CVE-2026-41893
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-23 17:45:50+00:00 | published-proof-of-concept | https://github.com/SignalK/signalk-server/security/advisories/GHSA-vmfm-ch9h-5c7g |
| 2026-05-09 21:17:00+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mlh66esqzt2e |
| 2026-05-10... | | |
CVE-2026-5039
TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable if the device is left in its default configuration. A network-adjacent attacker can exploit this weakness to gain unauthorized...
CVE-2026-5039
CVE-2026-5039 affects TP-Link TL-WR841N v13. The issue stems from using DES-CBC encryption in the TDDPv2 debug protocol, with a cryptographic key derived from the device’s default web management credentials. This makes the key predictable when the device remains in its default configuration. A ne...
CVE-2026-41461
SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers...
CVE-2026-40472
CVE-2026-40472 affects the Hackage Haskell server (hackage-server). It enables stored XSS by injecting user-controlled metadata from .cabal files that is rendered into HTML href attributes without proper sanitization. The underlying issue is unsanitized rendering of certain metadata fields (e...
CVE-2026-35331
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-23 14:15:24+00:00 | seen | https://bsky.app/profile/o2cloud.bsky.social/post/3mk675r76zg27... |
CVE-2026-35332
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-23 14:15:24+00:00 | seen | https://bsky.app/profile/o2cloud.bsky.social/post/3mk675r76zg27... |
CVE-2026-35329
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-23 14:15:24+00:00 | seen | https://bsky.app/profile/o2cloud.bsky.social/post/3mk675r76zg27... |
CVE-2026-35330
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-23 14:15:24+00:00 | seen | https://bsky.app/profile/o2cloud.bsky.social/post/3mk675r76zg27 |
| 2026-05-14 11:00:13+00:00 | published-proof-of-concept | Telegram/KyHCshI6yZBJj8Foftsx5hfP7GLhbMmJ81CYC3g7d-oupU |
| 2026-06-19 17:19:01+00:00 | seen | ... |
CVE-2026-31532
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-23 13:55:36+00:00 | seen | https://infosec.exchange/users/vuldb/statuses/116454361395635388 |
| 2026-04-23 20:03:06+00:00 | seen | https://infosec.exchange/users/vuldb/statuses/116455806440539618 |
| 2026-05-07 14:35:12+00:00 | seen | ... |
CVE-2026-41461 SocialEngine <= 7.8.0 Blind SSRF via /core/link/preview
SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers...
CVE-2026-41461
CVE-2026-41461 affects SocialEngine ≤ 7.8.0. A blind SSRF exists in the /core/link/preview endpoint where input passed through the uri parameter is not sanitized when constructing outbound HTTP requests. Authenticated remote attackers can supply arbitrary URLs, including internal or loopback addr...