Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
12600
Total
849
Critical
3629
High
3944
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-41268 | CRITICAL | 9.8 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical … | Apr 23, 2026 |
| CVE-2026-41267 | HIGH | 8.1 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) … | Apr 23, 2026 |
| CVE-2026-41266 | HIGH | 7.5 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including … | Apr 23, 2026 |
| CVE-2026-41265 | CRITICAL | 9.8 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the … | Apr 23, 2026 |
| CVE-2026-41264 | CRITICAL | 9.8 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the … | Apr 23, 2026 |
| CVE-2026-41138 | HIGH | 8.8 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution … | Apr 23, 2026 |
| CVE-2026-41137 | HIGH | 8.8 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom … | Apr 23, 2026 |
| CVE-2026-25874 | UNKNOWN | — | LeRobot through 0.5.1 contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels … | Apr 23, 2026 |
| CVE-2026-6074 | UNKNOWN | — | A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access the ability to access the EGW management interface … | Apr 23, 2026 |
| CVE-2026-41259 | UNKNOWN | — | Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on … | Apr 23, 2026 |
| CVE-2026-41247 | UNKNOWN | — | elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the … | Apr 23, 2026 |
| CVE-2026-41246 | HIGH | 8.1 | Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua … | Apr 23, 2026 |
| CVE-2026-41241 | HIGH | 8.7 | pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails … | Apr 23, 2026 |
| CVE-2026-41213 | MEDIUM | 5.9 | @node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE … | Apr 23, 2026 |
| CVE-2026-41205 | UNKNOWN | — | Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). … | Apr 23, 2026 |
| CVE-2026-41173 | MEDIUM | 5.9 | The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response … | Apr 23, 2026 |
| CVE-2026-41078 | MEDIUM | 5.9 | OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on … | Apr 23, 2026 |
| CVE-2026-40894 | MEDIUM | 5.3 | OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and … | Apr 23, 2026 |
| CVE-2026-40886 | HIGH | 7.7 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the … | Apr 23, 2026 |
| CVE-2026-33694 | UNKNOWN | — | This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates … | Apr 23, 2026 |
| CVE-2026-31173 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the interval parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31169 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the week parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31168 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the recHour parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31167 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the mode parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |
| CVE-2026-31166 | MEDIUM | 6.5 | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the hour parameter to /cgi-bin/cstecgi.cgi. | Apr 23, 2026 |