Total CVEs

139,961

Critical Severity

3,664

High Severity

13,210

Last 7 Days

1,644
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 101 - 120 of 36,366 CVEs
CVE-2025-71335 HIGH - 8.1

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the l...

Vendor: Flowise
Product: Flowise
Published: Jun 25, 2026
Source: NVD
CVE-2025-71334 CRITICAL - 9.8

Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missing validation that the chatflowId and chatId parameters are UUIDs or numbers in file handling operations. By supplying a path-traversal value (e.g., '../../../../../tmp') ...

Vendor: Flowise
Product: Flowise
Published: Jun 25, 2026
Source: NVD

Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially ena...

Vendor: Flowise
Product: Flowise
Published: Jun 25, 2026
Source: NVD
CVE-2025-71328 HIGH - 8.3

Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying the current password or any additional verification, as the application does not enforce a current-pas...

Vendor: Flowise
Product: Flowise
Published: Jun 25, 2026
Source: NVD
CVE-2025-71327 CRITICAL - 9.1

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API acces...

Vendor: Flowise
Product: Flowise
Published: Jun 25, 2026
Source: NVD
CVE-2025-71324 HIGH - 7.5

Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints. The chatId value is not validated and is passed to streamStorageFile(), where a fallback file-lookup path constructed witho...

Vendor: Flowise
Product: Flowise
Published: Jun 25, 2026
Source: NVD
CVE-2021-47987 HIGH - 7.5

Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a...

Vendor: parse-community
Product: parse-server
Published: Jun 25, 2026
Source: NVD
CVE-2021-47986 HIGH - 7.5

Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this by specifying affected version tags in dependency declarations to execute unreviewed and potentially...

Vendor: parse-community
Product: parse-server
Published: Jun 25, 2026
Source: NVD
CVE-2020-37256 MEDIUM - 5.4

Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access.

Vendor: Grav
Product: Grav
Published: Jun 25, 2026
Source: NVD
CVE-2026-55166 CRITICAL - 9.9

Lemur: ACME SSRF + creator-equality IDOR lead to AWS IAM/PKI compromise

Vendor: pip
Product: lemur
Published: Jun 25, 2026
Source: GitHub
CVE-2026-55165 MEDIUM - 4.8

Lemur: JWT verifier honors attacker-supplied alg, enabling ATO

Vendor: pip
Product: lemur
Published: Jun 25, 2026
Source: GitHub
CVE-2026-55164 MEDIUM - 4.9

Lemur user-update path stores plaintext passwords

Vendor: pip
Product: lemur
Published: Jun 25, 2026
Source: GitHub
CVE-2026-55163 MEDIUM - 6.3

Lemur Privilege Escalation: Non-admin role members can rewrite role membership via PUT /api/1/roles/<id>

Vendor: pip
Product: lemur
Published: Jun 25, 2026
Source: GitHub
CVE-2026-55162 MEDIUM - 6.3

Lemur: Crafted CRL/OCSP URLs in uploaded certificates lead to post-authentication SSRF

Vendor: pip
Product: lemur
Published: Jun 25, 2026
Source: GitHub
CVE-2026-48722 MEDIUM - 5.5

nextflow auth login command has incorrect default permissions

Vendor: maven
Product: io.nextflow:nextflow
Published: Jun 25, 2026
Source: GitHub
CVE-2026-48702 HIGH - 7.5

Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic

Vendor: go
Product: github.com/sigstore/rekor
Published: Jun 25, 2026
Source: GitHub
CVE-2026-48529 MEDIUM - 6.0

GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion

Vendor: go
Product: github.com/github/github-mcp-server
Published: Jun 25, 2026
Source: GitHub

X.509 name constraint bypass via the Subject Common Name when treated as a DNS-type name. A certificate whose Subject CN violates an issuing CA's DNS name constraints could be accepted.

Published: Jun 25, 2026
Source: NVD

The PKCS#7 decode path ignores the caller-supplied output buffer size (outputSz), allowing decoded content to be written past the bounds of the provided buffer. This affects wolfSSL 5.9.0 and earlier and was fixed in the 5.9.1 release.

Published: Jun 25, 2026
Source: NVD

A heap buffer overflow could occur in the DTLS 1.3 ACK serialization path before the connecting peer is authenticated. The buffer overflow was due to an integer truncation when computing the length of the ACK record-number list, causing an undersized buffer to be allocated and then overrun. This aff...

Published: Jun 25, 2026
Source: NVD