365040 matches found

CVE, added 3 days ago, 14 views

CVE-2026-56341

AVideo prior to 26.1 (through version 26.0) exposes unauthenticated access to payment data via multiple list.json.php endpoints in payment plugins, lacking authorization checks. The issue enables retrieval of PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records, including agreem...

CVSS 8.7, AI score 5.8
Exploits 0, References 2

CVE, added 3 days ago, 11 views

CVE-2025-71379

Vulnerability summary: vLLM versions 0.6.3–0.8.x (i.e.,

CVSS 5.3, AI score 5.9
Exploits 0, References 2

CVE, added 3 days ago, 19 views

CVE-2026-5366

CVE-2026-5366 affects Prefect v3.6.23, where the vulnerability resides in the GitRepository storage class. The commit_sha parameter passed to git commands lacks validation and does not use a -- separator, enabling an attacker to inject git flags (e.g., --upload-pack) and potentially execute arbit...

CVSS 9.9, AI score 8.1
Exploits 0, References 1

CVE, added 3 days ago, 14 views

CVE-2026-56332

Capgo

CVSS 5.1, AI score 6
Exploits 0, References 2

CVE, added 3 days ago, 12 views

CVE-2026-56319

CVE-2026-56319 affects Capgo prior to 12.128.2. The issue is an information disclosure in GET /statistics/app/:app_id that lets app-limited API keys distinguish existing sibling app IDs by observing differential error responses (500 PGRST116 for inaccessible apps vs 401 for nonexistent apps), bre...

CVSS 5.3, AI score 5.9
Exploits 0, References 2

CVE, added 3 days ago, 17 views

CVE-2026-56330

Capgo prior to 12.128.2 has an open redirect in the stripe_portal and stripe_checkout endpoints that accept unvalidated callbackUrl, successUrl, and cancelUrl parameters. Authenticated attackers can craft malicious billing URLs to redirect users to attacker-controlled domains for phishing and cre...

CVSS 4.8, AI score 5.9
Exploits 0, References 2

CVE, added 3 days ago, 12 views

CVE-2026-56307

Cap-go before 12.128.12 has a broken cursor pagination vulnerability in the /private/devices endpoint of the Cloudflare/workerd path. Authenticated attackers with app.read_devices can exploit non-advancing cursor filters to trigger infinite pagination loops, causing duplicate pages and making lat...

CVSS 5.3, AI score 5.9
Exploits 0, References 2

CVE, added 3 days ago, 13 views

CVE-2026-56304

CVE-2026-56304 affects picklescan versions before 1.0.1. The flaw is an unsafe pickle deserialization through the logging.FileHandler class, allowing unauthenticated attackers to craft malicious pickle payloads to create arbitrary zero-byte files. This can bypass RCE blocklists and lead to filesy...

CVSS 6.9, AI score 6
Exploits 0, References 2

CVE, added 3 days ago, 12 views

CVE-2026-56295

Capgo is affected pre-12.128.2 by an authorization bypass in webhook management endpoints. The issue allows legacy non-expiring API keys to bypass the require_apikey_expiration policy because checkWebhookPermission does not call apikeyHasOrgRightWithPolicy, enabling those keys to list, create, an...

CVSS 6.3, AI score 5.9
Exploits 0, References 2

CVE, added 3 days ago, 14 views

CVE-2026-56294

The CVE-2026-56294 vulnerability affects capacitor-native-biometric (before 12.128.2). The onAuthenticationSucceeded() path fails to validate CryptoObject parameters, enabling an attacker to bypass biometric authentication by hooking the function via dynamic instrumentation. This can allow access...

CVSS 4.8, AI score 5.9
Exploits 0, References 2

CVE, added 3 days ago, 14 views

CVE-2026-56276

Flowise (Flowise) before 3.1.2 has a mass-assignment vulnerability in PUT /api/v1/user that lets an authenticated user modify the credential field without validation. The attacker can bypass password-change verification and session invalidation by supplying a crafted password hash, enabling persi...

CVSS 6, AI score 5.9
Exploits 0, References 2

CVE, added 3 days ago, 12 views

CVE-2026-56282

Capgo before 12.128.2 has an information-disclosure vulnerability in the unauthenticated /replication endpoint that exposes internal PostgreSQL replication telemetry (e.g., replication slot names, confirmed_flush_lsn, restart_lsn) and database error messages. Access to this endpoint does not requ...

CVSS 6.9, AI score 5.9
Exploits 0, References 2

CVE, added 3 days ago, 12 views

CVE-2026-56267

Flowise prior to version 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint. The endpoint returns full user objects including PII to unauthenticated attackers, enabling enumeration of valid email addresses and harvesting of sensitive data su...

CVSS 6.9, AI score 5.9
Exploits 0, References 2

CVE, added 3 days ago, 10 views

CVE-2026-56235

Cap-go capgo prior to 12.128.2 exposes an authorization bypass in multiple Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) granted to anon without org membership or permission checks. An unauthenticated attacker with only the public Supabase API key (sb_p...

CVSS 6.9, AI score 5.9
Exploits 0, References 2

CVE, added 3 days ago, 12 views

CVE-2026-56228

Capgo before 12.128.2 is vulnerable to improper password policy length validation. An authenticated organization administrator can set an extremely large minimum password length value, causing all users to fail password changes and effectively lock out the organization, resulting in an applicatio...

CVSS 6.9, AI score 5.9
Exploits 0, References 2

CVE, added 3 days ago, 12 views

CVE-2026-56227

Capgo before 12.128.2 is affected by a server-side request forgery (SSRF) in webhook URL validation. The flaw permits configuring webhooks to loopback or internal addresses (e.g., localhost/127.0.0.1). When triggered, the backend makes outbound requests to those addresses, and error responses are...

CVSS 5.4, AI score 5.8
Exploits 0, References 2

CVE, added 3 days ago, 15 views

CVE-2026-56218

Capgo prior to 12.128.2 does not strip EXIF metadata (including GPS coordinates) from uploaded images, enabling disclosure of users’ precise location. Attackers can download images and extract coordinates at capture time. Remediation: upgrade Capgo to version 12.128.2 or later.

CVSS 6.9, AI score 5.8
Exploits 0, References 2

CVE, added 3 days ago, 10 views

CVE-2025-71331

Flowise (pre-3.0.8) exposes a Cross-Site Scripting (XSS) vulnerability due to insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript via an iframe payload in chat or have a custom agent function return an external XSS payload. The inj...

CVSS 6.1, AI score 5.7
Exploits 0, References 2

CVE, added 3 days ago, 13 views

CVE-2026-56325

CVE-2026-56325 affects Capgo versions prior to 12.128.2. The preview subdomain resolver uses ILIKE (case-insensitive) matching for app_id lookups instead of exact matching, allowing underscore characters to act as wildcards. This can cause unintended pattern matches, potentially breaking pr...

CVSS 3.1, AI score 5.9
Exploits 0, References 2

CVE, added 3 days ago, 13 views

CVE-2026-56317

Nuxt is affected by CVE-2026-56317: a cross-site scripting flaw in the NoScript component present in Nuxt < 4.4.7 (and 3.x

CVSS 2.3, AI score 5.7
Exploits 0, References 4

CVE, added 3 days ago, 15 views

CVE-2024-58351

CVE-2024-58351 affects Flowise

CVSS 9.8, AI score 6.5
Exploits 0, References 2

CVE, added 3 days ago, 22 views

CVE-2022-50972

Summary: CVE-2022-50972 affects WooCommerce 7.1.0 and describes a remote code execution vulnerability. The issue arises from unsanitized values passed to the product-type parameter in the class-wc-meta-box-product-images.php endpoint, allowing an attacker to write arbitrary PHP files to the web r...

CVSS 9.8, AI score 6.8
Exploits 0, References 3

CVE, added 3 days ago, 14 views

CVE-2020-37255

CVE-2020-37255 affects WordPress Time Capsule Plugin version 1.21.16. The vulnerability is an authentication bypass that lets unauthenticated attackers craft a POST request containing the IWP_JSON_PREFIX header to obtain a valid administrator session cookie and gain access to the WordPress dashbo...

CVSS 8.7, AI score 5.9
Exploits 0, References 3

CVE, added 3 days ago, 17 views

CVE-2019-25763

WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability. An attacker can submit a POST to admin-ajax.php with the uabb-lf-google-submit action, a valid administrator email, and a valid nonce to obtain session cookies and authenticate as that user. CVSS...

CVSS 9.8, AI score 5.9
Exploits 0, References 3

CVE, added 3 days ago, 14 views

CVE-2026-12673

Summary: Liquidfiles before 4.2.12 has a broken access control vulnerability that allows privilege escalation from an Admin in a secondary domain to a Sysadmin by modifying a group in the managed secondary (non-default) group. Affected product/version: Liquidfiles

CVSS 5.9, AI score 5.8
Exploits 0, References 2

CVE, added 3 days ago, 31 views

CVE-2026-48908

SP Page Builder for Joomla (joomshaper.com) is affected by CVE-2026-48908. Versions prior to 6.6.12 allow unauthenticated users to upload arbitrary files, enabling PHP code upload and execution. This vulnerability can impact confidentiality, integrity, and availability of the affected site. The C...

CVSS 10, AI score 6.1
Exploits 1, References 1

CVE, added 3 days ago, 25 views

CVE-2026-48939

The CVE-2026-48939 entry concerns the iCagenda extension for Joomla. The vulnerability is in the file attachment feature, permitting arbitrary file uploads that can lead to PHP code execution. This is described across multiple sources (NVD and CVE listings) as a remote code execution risk affecti...

CVSS 10, AI score 6
Exploits 0, References 1

CVE, added 3 days ago, 27 views

CVE-2026-48909

The CVE concerns SP LMS (com_splms) for Joomla, specifically versions earlier than 4.1.4. The root cause is deserializing user-controlled cookie data without validation, which allows an unauthenticated remote attacker to execute arbitrary code on the server. No exploitation details or fixes are e...

CVSS 9.5, AI score 6.3
Exploits 1, References 1

CVE, added 3 days ago, 17 views

CVE-2026-12119

The CVE concerns the Simple File List WordPress plugin (≤6.3.7). A missing authorization check on the frontmanage shortcode attribute allows authenticated users with contributor-level access or higher to perform arbitrary file operations (delete, move, folder creation, download). The vulnerabilit...

CVSS 6.5, AI score 6
Exploits 0, References 6

CVE, added 3 days ago, 16 views

CVE-2026-11911

The CVE-2026-11911 issue affects the WordPress plugin Simple File List (up to version 6.3.7). The root cause is insufficient file path validation in eeSFL_DeleteFile, enabling unauthenticated deletion of arbitrary server files. The vulnerability is exploitable via unauthenticated requests, as the...

CVSS 7.5, AI score 6.7
Exploits 0, References 6

CVE, added 3 days ago, 20 views

CVE-2026-11912

The CVE-2026-11912 entry documents a vulnerability in the WordPress Simple File List plugin (≤ 6.3.7) where insufficient authorization allows arbitrary file modification. The issue affects all versions up to 6.3.7 and enables unauthenticated attackers to delete/modify files on the server. The roo...

CVSS 7.5, AI score 6
Exploits 0, References 7

CVE, added 3 days ago, 9 views

CVE-2026-55059

Technical details are not publicly available in the provided documents for CVE-2026-55059. Monitor for updates.

Exploits 0

CVE, added 3 days ago, 10 views

CVE-2026-54920

Technical details for CVE-2026-54920 are not publicly available in the provided documents. The entry appears reserved with no exposed impact, affected products, or remediation information. Monitor for updates as new details emerge.

Exploits 0

CVE, added 3 days ago, 9 views

CVE-2026-53532

Technical details for CVE-2026-53532 are not publicly available in the provided documents. Monitor for updates.

Exploits 0

CVE, added 3 days ago, 9 views

CVE-2026-55371

Technical details for CVE-2026-55371 are not publicly available in the provided documents. Monitor for updates.

Exploits 0

CVE, added 3 days ago, 9 views

CVE-2026-55373

Technical details are not publicly available in the provided documents. No affected products, impact, or remediation are described. Monitor for updates.

Exploits 0

CVE, added 3 days ago, 14 views

CVE-2026-9843

The CVE-2026-9843 entry covers the Database for Contact Form 7, WPforms, Elementor forms WordPress plugin. Affected versions up to and including 1.5.1 are vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function. Exploitation requires an administrat...

CVSS 8.1, AI score 6.7
Exploits 0, References 7

CVE, added 3 days ago, 15 views

CVE-2026-9265

Crypt::OpenSSL::PKCS12 for Perl prior to 1.96 is affected by a heap OOB read in print_attribute: the function copies a UTF8STRING ASN.1 attribute value into a heap buffer sized to the declared length using strncpy, but does not append a NUL terminator. Downstream, strlen() is used and the inflate...

CVSS 9.1, AI score 6.1
Exploits 0, References 3

CVE, added 3 days ago, 23 views

CVE-2026-56215

Capgo before 12.128.12 is vulnerable: authenticated users can modify their public.users.email, which the SSO provisioning endpoint trusts as an account-merge key, enabling an attacker to merge a victim’s SSO identity into their own account. Affected component: provisioning/SSO merge logic manipul...

CVSS 8.7, AI score 6
Exploits 0, References 2

CVE, added 3 days ago, 15 views

CVE-2026-56216

Capgo before 12.128.2 is vulnerable to a scope escalation in POST /functions/v1/apikey where app-limited API keys can mint unrestricted keys by sending empty limits. A compromised app-limited key can create an org-wide, unrestricted key accessing resources such as app listings and protected endp...

CVSS 8.8, AI score 5.9
Exploits 0, References 2

CVE, added 3 days ago, 23 views

CVE-2026-56214

Capgo up to version 12.128.1 is affected by an information disclosure in Supabase PostgREST RPC endpoints is_trial_org and is_paying_org, allowing unauthenticated attackers to enumerate organizations and reveal billing status using the public sb_publishable key. Impact is high for confidentiality...

CVSS 8.7, AI score 5.9
Exploits 0, References 2

CVE, added 3 days ago, 10 views

CVE-2026-56213

Capgo before version 12.128.2 is exploitable via an authorization bypass in the public.upsert_version_meta SECURITY DEFINER function exposed through PostgREST RPC, allowing unauthenticated attackers to insert arbitrary rows into version_meta for any app_id. This leads to poisoned storage metrics, pe...

CVSS 6.9, AI score 6
Exploits 0, References 2

CVE, added 3 days ago, 15 views

CVE-2026-56212

Capgo has an authentication logic flaw where a user who can manage team/organization security settings can enable mandatory 2FA for all members without validating their own 2FA status. This may lead to inconsistent security enforcement, administrative misuse, and potential lockout risk for team me...

CVSS 5.1, AI score 5.9
Exploits 0, References 2

CVE, added 3 days ago, 6 views

CVE-2026-37149

CVE-2026-37149 corresponds to PT-2026-51178 and relates to a SQL Injection vulnerability in GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0. The connected document explicitly identifies a SQL Injection issue affecting this system; however, the available materials do not provid...

Exploits 0

CVE, added 3 days ago, 9 views

CVE-2026-42495

Technical details for CVE-2026-42495 are not publicly available in the provided documents. Monitor for updates.

Exploits 0

CVE, added 3 days ago, 10 views

CVE-2026-52798

PT-2026-51130 documents CVE-2026-52798 as a Low-severity issue in Gogs: Stored XSS via an outdated notebookjs library. The root cause is the use of an outdated notebookjs dependency within Gogs, enabling stored cross-site scripting. The connected document does not provide affected versions, explo...

Exploits 0

CVE, added 4 days ago, 21 views

CVE-2026-11551

CVE-2026-11551 affects the Branda – White Label & Branding, Free Login Page Customizer WordPress plugin (

CVSS 9.8, AI score 6
Exploits 1, References 3

CVE, added 4 days ago, 12 views

CVE-2026-55866

Technical details for CVE-2026-55866 are not publicly available in the provided documents; no affected product/version or impact is disclosed. Monitor for updates.

Exploits 0

CVE, added 4 days ago, 10 views

CVE-2026-55776

Technical details for CVE-2026-55776 are not publicly available in the provided documents. Monitor for updates as more information may be released.

Exploits 0

CVE, added 4 days ago, 12 views

CVE-2026-55775

Technical details for CVE-2026-55775 are not publicly available in the provided documents. Monitor for updates; no product, impact, or remediation information is included.

Exploits 0

Total number of security vulnerabilities: 365040