Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.1 HIGH
CVE-2026-56116 — dhcpcd Memory Leak DoS via IPv6 Router Advertisement Handling

dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a memory leak vulnerability in the IPv6 Router Advertisement route information handling that allows an unauthenticated same-link attacker to c…

dhcpcd | Denial of Service
Jun 23, 2026 Jul 01, 2026
8.8 HIGH
CVE-2026-56115 — Bootimus 0.1.70 Broken Access Control via JWTMiddleware Authorization Bypass

Bootimus through 0.1.70 contains a broken access control vulnerability that allows authenticated low-privileged users to perform administrative actions by exploiting missing role enforcement in the J…

dhcpcd bootimus | Remote | Memory Corruption
Jun 23, 2026 Jun 29, 2026
6.5 MEDIUM
CVE-2026-56114 — dhcpcd Stack Out-of-Bounds Write in dhcp6_makemessage()

dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to wr…

dhcpcd | Memory Corruption
Jun 23, 2026 Jun 28, 2026
6.5 MEDIUM
CVE-2026-56113 — dhcpcd Heap Use-After-Free in dhcp6_deprecateaddrs via DHCPv6 RENEW

dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a heap use-after-free vulnerability that allows unauthenticated same-link attackers to crash the daemon by sending a crafted DHCPv6 RENEW repl…

dhcpcd | Memory Corruption
Jun 23, 2026 Jun 28, 2026
9.3 CRITICAL
CVE-2026-55450 — Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for a…

langflow | Remote | Denial of Service
Jun 23, 2026 Jun 24, 2026
9.6 CRITICAL
CVE-2026-55447 — Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling files that are digested into the RAG, an attacker can direct the node to read any file …

langflow | Remote | Path Traversal
Jun 23, 2026 Jun 24, 2026
7.5 HIGH
CVE-2026-55446 — Langflow: Unauthenticated DoS through multipart form boundary file upload

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.0.19, an attacker can send a /api/v1/files/upload/ request without any authentication token/cookies and abuse…

langflow | Remote | Denial of Service
Jun 23, 2026 Jun 24, 2026
6.1 MEDIUM
CVE-2026-55423 — Langflow: Logout button does not clear session

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user expl…

langflow | Authentication
Jun 23, 2026 Jun 24, 2026
9.9 CRITICAL
CVE-2026-55255 — Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attacke…

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authent…

langflow | Remote | Authorization
Jun 23, 2026 Jun 24, 2026
7.2 HIGH
CVE-2026-54308 — n8n: Missing Token Validation on Microsoft Agent 365 Trigger Node

n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger node did not validate that inbound requests. As a result, an unauthentic…

n8n | Remote | Authentication
Jun 23, 2026 Jun 26, 2026
9.6 CRITICAL
CVE-2026-54307 — n8n: Credential Exfiltration via Permission Bypass

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, a member-level user with editor access to a shared workflow could reference credentials they do not own via …

n8n | Remote | Authorization
Jun 23, 2026 Jun 26, 2026
6.4 MEDIUM
CVE-2026-54306 — n8n: Prototype Pollution enables confused-deputy execution via public webhooks

n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, a prototype pollution vulnerability allowed a crafted public webhook payload to inject attacker-controlled fields into …

n8n | Remote | Injection
Jun 23, 2026 Jun 26, 2026
9.9 CRITICAL
CVE-2026-54305 — n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without pe…

n8n | Remote | Authorization
Jun 23, 2026 Jun 26, 2026
7.7 HIGH
CVE-2026-54304 — n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.1, an authenticated user with permission to create or modify workflows and access to a SecurityScorecard creden…

n8n | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 26, 2026
7.0 HIGH
CVE-2026-54302 — n8n: Stored XSS in Chat Trigger Node

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's ge…

n8n | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 26, 2026
7.0 HIGH
CVE-2026-54301 — n8n: Same-Origin XSS in Respond to Webhook Node

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could configure a Respond to Webhook node to serve binary co…

n8n | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 26, 2026
9.6 CRITICAL
CVE-2026-50574 — yt-dlp: Arbitrary code execution via manifest downloads with aria2c

yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, if aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insuffic…

yt-dlp | Remote | Path Traversal
Jun 23, 2026 Jun 26, 2026
9.6 CRITICAL
CVE-2026-50023 — yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CV…

yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, a vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .web…

yt-dlp | Remote | Path Traversal
Jun 23, 2026 Jun 26, 2026
7.4 HIGH
CVE-2026-50019 — yt-dlp: File Downloader cookie leak with curl

yt-dlp is a command-line audio/video downloader. From 2023.09.24 until 2026.06.09, if curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect…

yt-dlp | Remote | Misconfiguration
Jun 23, 2026 Jun 26, 2026
7.7 HIGH
CVE-2026-49465 — n8n: Git Node Clone and Push Operations Bypass File Sandbox

n8n is an open source workflow automation platform. Prior to 1.123.48, 2.21.8, and 2.22.4, an authenticated user with permission to create or modify workflows could supply a local filesystem path as …

n8n | Remote | Path Traversal
Jun 23, 2026 Jun 26, 2026
Showing 20 of 8012 Results