Lucene search
K

29 matches found

NVD
NVD
added 3 days ago9 views

CVE-2026-59792

In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible...

9.8CVSS0.00424EPSS
Exploits0References1
CVE
CVE
added 3 days ago24 views

CVE-2026-59792

CVE-2026-59792 affects JetBrains IntelliJ IDEA prior to 2026.1.4, with a path-traversal weakness in project workspace ID handling that could enable code execution. The connected sources corroborate a 2026.2-era code execution claim tied to this path traversal issue. The available documents do not...

9.8CVSS6.4AI score0.00424EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 3 days ago10 views

PT-2026-57183

Name of the Vulnerable Software and Affected Versions JetBrains IntelliJ IDEA versions prior to 2026.1.4 JetBrains IntelliJ IDEA versions prior to 2026.2 Description Improper handling of the project workspace ID allows for a relative path traversal, which can be leveraged to achieve remote code...

9.8CVSS6.5AI score0.00424EPSS
Exploits0References5
CVE
CVE
added 2026/06/26 8:41 p.m.31 views

CVE-2026-50137

Budibase prior to 3.39.0 is affected by CVE-2026-50137: unauthenticated POST /api/attachments/:datasourceId/url allows anonymous callers to mint 15-minute AWS S3 pre-signed PUT URLs using the datasource’s IAM credentials, with the bucket not pinned to the datasource. The attack discloses the targ...

9.4CVSS5.8AI score0.00415EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/06/15 8:56 p.m.14 views

GHSA-RQ7W-G337-39QQ Nuxt: Dev server discloses project absolute path and persistent workspace UUID via `/.well-known/appspecific/com.chrome.devtools.json`

Summary When running nuxt dev, Nuxt registers an unauthenticated route at /.well-known/appspecific/com.chrome.devtools.json that returns the absolute filesystem path of the project root and a per-project UUID persisted to nodemodules/.cache/nuxt/chrome-workspace.json. The route is enabled by...

2.3CVSS5.5AI score
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/15 8:56 p.m.24 views

Nuxt: Dev server discloses project absolute path and persistent workspace UUID via `/.well-known/appspecific/com.chrome.devtools.json`

Summary When running nuxt dev, Nuxt registers an unauthenticated route at /.well-known/appspecific/com.chrome.devtools.json that returns the absolute filesystem path of the project root and a per-project UUID persisted to nodemodules/.cache/nuxt/chrome-workspace.json. The route is enabled by...

5.5AI score
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/09 8:59 p.m.10 views

CVE-2026-42861

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId,...

9.6CVSS5.5AI score0.00254EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/06/08 3:30 p.m.7 views

CVE-2026-46441

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId...

7.6CVSS5.5AI score0.00274EPSS
Exploits1References3Affected Software1
EUVD
EUVD
added 2026/05/22 6:43 p.m.11 views

EUVD-2026-31485

TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint POST /v1/workspaces/workspaceId/whatsapp/credentialsId/webhook does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both...

6.5CVSS5.8AI score0.0014EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/22 6:43 p.m.8 views

CVE-2026-39969

TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint POST /v1/workspaces/workspaceId/whatsapp/credentialsId/webhook does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both...

6.5CVSS5.8AI score0.0014EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/05/22 6:26 p.m.17 views

CVE-2026-39968 TypeBot: Cross-Workspace Credential Theft via Bot-Engine Preview Endpoint

TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 "Credential Theft via Client-Side Script Execution and API Authorization Bypass" is incomplete. While the builder's getCredentials tRPC endpoint was patched with workspace membership checks, the...

7.1CVSS0.00271EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/14 4:19 p.m.17 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the Object.assign process. An attacker can gain unauthorized access to and control over resources belonging to other...

7.7CVSS5.8AI score0.00335EPSS
Exploits0References2
OSV
OSV
added 2026/05/14 4:19 p.m.6 views

GHSA-WXRR-JP8M-QQ7F FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover

Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Evaluator entity - cross-workspace data takeover and IDOR. File: packages/server/src/Interface.Evaluation.ts Root cause: The Evaluator controller/service constructs a n...

8.8CVSS5.9AI score0.00335EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/05/14 4:19 p.m.15 views

FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover

Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Evaluation entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/evaluations/index.ts Root cause: The Evaluation controller/service...

8.8CVSS6AI score0.00335EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/14 4:19 p.m.13 views

FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover

Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the DatasetRow entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/dataset/index.ts Root cause: The DatasetRow controller/service constructs...

8.8CVSS6AI score0.00342EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/05/14 2:57 p.m.6 views

GHSA-HP26-Q66V-Q2W7 FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment

Summary A Mass Assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Due to missing server-side validation...

7.6CVSS5.9AI score0.00274EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/05/14 2:57 p.m.16 views

FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment

Summary A Mass Assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Due to missing server-side validation...

9.6CVSS5.9AI score0.00274EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/05/14 2:54 p.m.8 views

GHSA-5WXP-QJGQ-FX6M FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment

Summary A Mass Assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object. Due to missing server-side...

7.6CVSS5.7AI score0.00268EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/05/14 2:54 p.m.44 views

FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment

Summary A Mass Assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object. Due to missing server-side...

8.1CVSS5.7AI score0.00268EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/05/14 2:52 p.m.7 views

GHSA-X5V6-PJ28-CWWM FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment

Summary A Mass Assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource. Due to missing server-side validation and...

7.6CVSS5.9AI score0.00195EPSS
Exploits1References4
Rows per page
Query Builder