
5 matches found

PyPA
added 2026/03/24 2:16 p.m., 6 views

PYSEC-2026-81

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the downloadprofilepicture function of the /profilepictures/foldername/filename endpoint, the foldername and filename parameters are not strictly filtered, which allows the secretkey to be re...

CVSS 8.7 | AI score 5.8 | EPSS 0.0005
Exploits: 1 | References: 1 | Affected Software: 1
NVD
added 2026/02/18 11:16 p.m., 9 views

CVE-2026-25548

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute...

CVSS 9.1 | EPSS 0.00201
Exploits: 2 | References: 2
NVD
added 2026/02/18 10:16 p.m., 3 views

CVE-2026-24744

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the...

CVSS 7.5 | EPSS 0.00058
Exploits: 1 | References: 2
Positive Technologies
added 2026/02/18 12:0 a.m., 2 views

PT-2026-20545

Name of the Vulnerable Software and Affected Versions: InvoicePlane version 1.7.0. Description: InvoicePlane is a self-hosted open source application used for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) issue exists in the upload Login Logo function. The application...

CVSS 7.5 | AI score 5.5 | EPSS 0.00058
Exploits: 1 | References: 9
Positive Technologies
added 2025/11/25 12:0 a.m., 2 views

PT-2025-48124

Name of the Vulnerable Software and Affected Versions: FACTION versions prior to 1.7.1. Description: FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, a flaw in the extension framework allows untrusted extension code to execute arbitrary system commands o...

CVSS 10 | AI score 8.5 | EPSS 0.00808
Exploits: 1 | References: 15