17 matches found
CVE-2026-4503
IBM Langflow Desktop 1.0.0 through 1.8.4 could allow an unauthenticated user to view other users' images due to an insecure direct object reference (IDOR) through a user-controlled key...
Arbitrary Command Injection
Overview: shell-quote is a package used to quote and parse shell commands. Affected versions of this package are vulnerable to Arbitrary Command Injection via the quote function when object-token inputs containing line terminators (\n, \r, U+2028, U+2029) in the .op field are not properly validated...
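Added example, not the shell-quote source: a minimal model of a quote() that emits operator tokens verbatim, beside a hardened version that allow-lists operators and rejects the four JavaScript line terminators. The operator allow-list, the quoteArg() rules and the injected token are assumptions for the example.

```javascript
// Operators a quote() legitimately needs to emit unquoted (assumed list).
const SHELL_OPS = new Set(['|', '||', '&&', ';', '&', '>', '>>', '<', '(', ')']);

// JavaScript line terminators: \n, \r, U+2028, U+2029. A regex `.` matches
// none of them, so a "no newline" check written with `.` would still pass
// U+2028 and U+2029 through.
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;

function hasLineTerminator(s) {
  return LINE_TERMINATOR.test(s);
}

// Single-quote a plain argument unless it is obviously safe.
function quoteArg(s) {
  if (/^[A-Za-z0-9_\/.,:=+@%-]+$/.test(s)) return s;
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// Vulnerable shape: `.op` is trusted and concatenated as-is, so anything the
// caller puts there reaches the shell unquoted.
function quoteUnvalidated(tokens) {
  return tokens.map((t) => {
    if (typeof t === 'string') return quoteArg(t);
    if (t && typeof t.op === 'string') return t.op;
    throw new TypeError('unsupported token');
  }).join(' ');
}

// Hardened shape: only known operators pass, and a line terminator inside
// `.op` is rejected instead of starting a second command line.
function quoteValidated(tokens) {
  return tokens.map((t) => {
    if (typeof t === 'string') return quoteArg(t);
    if (t && typeof t.op === 'string') {
      if (hasLineTerminator(t.op) || !SHELL_OPS.has(t.op)) {
        throw new Error(`rejected operator token ${JSON.stringify(t.op)}`);
      }
      return t.op;
    }
    throw new TypeError('unsupported token');
  }).join(' ');
}

// Constructed attacker-controlled token: an "operator" that is really a
// newline followed by a second command.
const injected = { op: '\necho injected' };

function demo() {
  const unsafe = quoteUnvalidated(['echo', 'hello world', injected]);
  let safeError = null;
  try {
    quoteValidated(['echo', 'hello world', injected]);
  } catch (e) {
    safeError = e.message;
  }
  const legit = quoteValidated(['ls', { op: '|' }, 'wc', '-l']);
  return { unsafe, safeError, legit };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The unvalidated output contains a literal newline after the quoted argument, so a shell given that string runs `echo injected` as a second command; the validated form throws on the same input and still emits `ls | wc -l` for a genuine pipe token.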
CVE-2026-7700
A weakness has been identified in langflow-ai langflow up to 1.8.4. This affects the function eval of the file src/lfx/src/lfx/components/llmoperations/lambdafilter.p of the component LambdaFilterComponent. Executing a manipulation can lead to code injection. The attack may be performed from...
CVE-2026-4502
IBM Langflow Desktop 1.2.0 through 1.8.4 could allow an authenticated attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to write arbitrary files on the system...
EUVD-2026-26419
IBM Langflow Desktop 1.0.0 through 1.8.4 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks...
Security Bulletin: IBM Langflow Desktop Symlink Validation Bypass
Summary: tar-fs is used by IBM Langflow Desktop as part of its archive extraction and file handling functionality through Node.js dependencies. A vulnerability in tar-fs affects how symbolic links are validated during extraction, allowing a crafted tarball to bypass symlink protections when the...
CVE-2026-23484 Blinko: Authenticated Arbitrary File Write - saveDevPlugin
Blinko is an AI-powered card note-taking project. In versions 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover, this interface only requires authProcedure (a normal authenticated user), not superAdminAuthMiddleware. At time o...
WordPress Easy Hotel Booking plugin <= 1.8.8 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by daroo in WordPress Plugin Easy Hotel Booking versions <= 1.8.8...
CVE-2025-62061
Cross-Site Request Forgery (CSRF) vulnerability in impleCode Product Catalog Simple (post-type-x). This issue affects Product Catalog Simple: from n/a through <= 1.8.4...
WordPress Makeaholic Theme <= 1.8.4 - Local File Inclusion Vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) in WordPress Theme Makeaholic versions <= 1.8.4...
Information Exposure
Overview: Affected versions of this package are vulnerable to Information Exposure. An attacker can view restricted information by exploiting the visibility settings of the frame publishing function. Workaround: This vulnerability can be mitigated by removing the site search or hiding frames...
CVE-2024-8066
CVE-2024-8066 affects File Manager Pro – Filester plugin for WordPress (all versions up to and including 1.8.6). The vulnerability stems from missing validation in the fsConnector function, enabling authenticated users with Subscriber-level access (and with permissions granted by an Administrator...
WordPress File Manager Pro – Filester plugin <= 1.8.4 - Authenticated (Subscriber+) Arbitrary File Upload vulnerability
Authenticated (Subscriber+) Arbitrary File Upload vulnerability discovered by TANG Cheuk Hei (siunam) in WordPress Plugin File Manager Pro versions <= 1.8.4...
WordPress Parcel Pro plugin <= 1.8.4 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by vgo0 in WordPress Plugin Parcel Pro versions <= 1.8.4...
PT-2021-17178 · Argo Cd · Argo Cd
Name of the Vulnerable Software and Affected Versions: Argo CD versions prior to 1.8.4 Description: An issue in Argo CD allows accessing the "api/version" endpoint, which leaks internal system information. This endpoint is not protected with authentication. Recommendations: For versions prior to...
PT-2021-17179 · Argo Cd · Argo Cd
Name of the Vulnerable Software and Affected Versions: Argo CD versions prior to 1.8.4 Description: An issue was discovered where browser XSS protection is not activated due to the missing XSS protection header. Recommendations: For versions prior to 1.8.4, update to version 1.8.4 or later to...
PT-2019-16059 · Libsixel +1 · Libsixel +1
Name of the Vulnerable Software and Affected Versions: libsixel versions prior to 1.8.4 Description: A heap-based buffer overflow was discovered in the image buffer resize function in fromsixel.c. Recommendations: For versions prior to 1.8.4, update to version 1.8.4 or later to resolve the issue...