Total CVEs

145,923

Critical Severity

4,293

High Severity

15,785

Last 7 Days

2,200
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 16,501 - 16,520 of 42,328 CVEs
CVE-2026-46478 HIGH - 8.8

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, DatasetRow create and update mass-assignment allows cross-workspace row takeover. This issue has been patched in version 3.1.2.

Vendor: npm
Product: flowise
Published: May 14, 2026
Source: GitHub
CVE-2026-46477 HIGH - 8.8

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, dataset create and update mass-assignment allows cross-workspace dataset takeover. This issue has been patched in version 3.1.2.

Vendor: npm
Product: flowise
Published: May 14, 2026
Source: GitHub
CVE-2026-46476 HIGH - 8.8

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover. This issue has been patched in version 3.1.2.

Vendor: npm
Product: flowise
Published: May 14, 2026
Source: GitHub
CVE-2026-46475 HIGH - 8.8

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover. This issue has been patched in version 3.1.2.

Vendor: npm
Product: flowise
Published: May 14, 2026
Source: GitHub
CVE-2026-46444 HIGH - 8.8

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, all CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware and the route path /api/v1/openai-assistants-vector-store is not in WHITELIST_URLS. However, it...

Vendor: npm
Product: flowise
Published: May 14, 2026
Source: GitHub
CVE-2026-45076 MEDIUM - 2.7

Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerabilit...

Vendor: pip
Product: matrix-synapse
Published: May 14, 2026
Source: GitHub
CVE-2026-45078 HIGH - 5.5

Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1.

Vendor: pip
Product: matrix-synapse
Published: May 14, 2026
Source: GitHub
CVE-2026-45732 HIGH - 8.1

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, the OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate an ...

Vendor: npm
Product: n8n
Published: May 14, 2026
Source: GitHub
CVE-2026-44792 HIGH - 9.0

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an attacker with write access to the git repository connected to an n8n Source Control configuration could commit a malicious Data Table JSON file containing a crafted column name. When an administrator perfor...

Vendor: npm
Product: n8n
Published: May 14, 2026
Source: GitHub
CVE-2026-44791 CRITICAL - 9.9

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could bypass the patch for CVE-2026-42232 in the XML node. When combined with other nodes, this could lead to RCE on the n8n host. This vulne...

Vendor: npm
Product: n8n
Published: May 14, 2026
Source: GitHub
CVE-2026-44790 CRITICAL - 8.8

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could inject CLI flags on the Git node's Push operation allowing an attacker to read arbitrary files from the n8n server potentially lea...

Vendor: npm
Product: n8n
Published: May 14, 2026
Source: GitHub
CVE-2026-44789 CRITICAL - 9.9

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques thi...

Vendor: npm
Product: n8n
Published: May 14, 2026
Source: GitHub
CVE-2026-44722 MEDIUM - 6.2

pyzipper is a replacement for Python's zipfile that can read and write AES encrypted zip files. Prior to 0.4.0, a Python operator precedence bug in pyzipper/zipfile_aes.py caused the AE-2 format to never be automatically selected during encryption, causing encrypted entries to be written in AE-...

Vendor: pip
Product: pyzipper
Published: May 14, 2026
Source: GitHub
CVE-2026-43978 HIGH - 8.1

wger is a free, open-source workout and fitness manager. In versions prior to 2.6, a gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-priv...

Vendor: pip
Product: wger
Published: May 14, 2026
Source: GitHub
CVE-2026-44501 MEDIUM - 4.3

DataHub is an open-source metadata platform. Prior to 1.5.0.3, The DataHub frontend (datahub-frontend-react) deserializes attacker-controlled Java objects from the REDIRECT_URL HTTP cookie during the OIDC callback flow, with no integrity protection (no HMAC, no encryption). This is a Deserialization...

Vendor: datahub-project
Product: datahub
Published: May 14, 2026
Source: NVD
CVE-2026-43977 HIGH - 7.5

wger is a free, open-source workout and fitness manager. In versions prior to 2.6, any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own. The vulnerability ex...

Vendor: pip
Product: wger
Published: May 14, 2026
Source: GitHub
CVE-2026-42159 MEDIUM - 5.4

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised of...

Vendor: reconurge
Product: flowsint
Published: May 14, 2026
Source: NVD
CVE-2026-42853 MEDIUM - 6.5

ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without...

Vendor: npm
Product: @apostrophecms/cli
Published: May 14, 2026
Source: GitHub
CVE-2026-44482 CRITICAL - 9.6

soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the...

Vendor: richardhbtz
Product: soundcloud-rpc
Published: May 14, 2026
Source: NVD

Open OnDemand is an open-source high-performance computing portal. Prior to 4.0.11, 4.1.5, and 4.2.2, specially crafted filenames can execute javascript in the file browser This vulnerability is fixed in 4.0.11, 4.1.5, and 4.2.2.

Vendor: OSC
Product: ondemand
Published: May 14, 2026
Source: NVD