Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
8.1 HIGH
CVE-2025-71340 — picklescan - Remote Code Execution via idlelib.pyshell.ModifiedInterpreter.runcode

picklescan through 0.0.26 fails to detect malicious pickle files that invoke idlelib.pyshell.ModifiedInterpreter.runcode in __reduce__ methods. Attackers can embed undetected code in pickle files tha…

picklescan | Remote | Supply Chain
Jun 25, 2026 Jun 26, 2026
10.0 CRITICAL
CVE-2025-71338 — Flowise - Arbitrary File Write to Remote Code Execution via document-store API

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can e…

flowise | Remote | Path Traversal
Jun 25, 2026 Jul 01, 2026
9.8 CRITICAL
CVE-2025-71336 — Flowise - Unsandboxed Remote Code Execution via Custom MCP

Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which is designed to execute OS commands such…

flowise | Remote | Authentication
Jun 25, 2026 Jul 01, 2026
8.6 HIGH
CVE-2025-71335 — Flowise - Session Invalidation Failure After Password Change

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active sessi…

flowise | Remote | Authentication
Jun 25, 2026 Jul 01, 2026
9.8 CRITICAL
CVE-2025-71334 — Flowise - Arbitrary File Access via Missing Chat Flow ID Validation

Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missing validation that the chatflowId and chatId parameters are UUIDs or numbers in …

flowise | Remote | Path Traversal
Jun 25, 2026 Jul 01, 2026
9.8 CRITICAL
CVE-2025-71333 — Flowise - Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint

Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the…

flowise | Remote | Path Traversal
Jun 25, 2026 Jul 01, 2026
8.8 HIGH
CVE-2025-71328 — Flowise - Unverified Password Change via Account Settings

Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying t…

flowise | Remote | Authentication
Jun 25, 2026 Jun 29, 2026
9.3 CRITICAL
CVE-2025-71327 — Flowise - Authentication Bypass via Unprotected Registration Endpoint

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploi…

flowise | Remote | Authentication
Jun 25, 2026 Jun 29, 2026
8.7 HIGH
CVE-2025-71324 — Flowise - Arbitrary File Read via chatId Parameter

Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints. The chatId value is no…

flowise | Remote | Path Traversal
Jun 25, 2026 Jun 30, 2026
7.7 HIGH
CVE-2021-47987 — Parse Server - Arbitrary Code Execution via Malicious Version Tags

Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with…

parse-server | Remote | Supply Chain
Jun 25, 2026 Jun 26, 2026
7.7 HIGH
CVE-2021-47986 — Parse Server - Unreviewed Code Execution via Malicious Version Tags

Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this…

parse-server | Remote | Supply Chain
Jun 25, 2026 Jun 26, 2026
5.4 MEDIUM
CVE-2020-37256 — Grav - Cross-Site Scripting in Admin Plugin Page Editor

Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious s…

grav grav-plugin-admin | Remote | Cross-Site Scripting
Jun 25, 2026 Jun 27, 2026
7.5 HIGH
CVE-2026-6731 — X.509 name constraint bypass via Subject CN treated as a DNS name

X.509 name constraint bypass via the Subject Common Name when treated as a DNS-type name. A certificate whose Subject CN violates an issuing CA's DNS name constraints could be accepted.

wolfssl | Remote | Misconfiguration
Jun 25, 2026 Jun 27, 2026
5.3 MEDIUM
CVE-2026-6681 — PKCS#7 decode ignores caller output buffer size, writing past buffer bounds

The PKCS#7 decode path ignores the caller-supplied output buffer size (outputSz), allowing decoded content to be written past the bounds of the provided buffer. This affects wolfSSL 5.9.0 and earlier…

wolfssl | Remote | Memory Corruption
Jun 25, 2026 Jun 27, 2026
8.8 HIGH
CVE-2026-6679 — DTLS 1.3 ACK serialization heap buffer overflow via integer truncation

A heap buffer overflow could occur in the DTLS 1.3 ACK serialization path before the connecting peer is authenticated. The buffer overflow was due to an integer truncation when computing the length o…

wolfssl | Remote | Memory Corruption
Jun 25, 2026 Jun 27, 2026
5.3 MEDIUM
CVE-2026-6678 — Integer underflow in wc_PKCS7_DecryptOri handling crafted Other Recipient Info

Integer underflow in wc_PKCS7_DecryptOri when handling crafted Other Recipient Info, leading to incorrect length handling during decryption.

wolfssl | Remote | Memory Corruption
Jun 25, 2026 Jul 01, 2026
5.3 MEDIUM
CVE-2026-6450 — CRL critical extension bypass in ParseCRL_Extensions

A CRL critical extension bypass exists in ParseCRL_Extensions where critical extensions are not properly enforced, allowing a crafted CRL with an unhandled critical extension to be accepted. This onl…

wolfssl | Remote | Misconfiguration
Jun 25, 2026 Jun 27, 2026
4.3 MEDIUM
CVE-2026-6412 — Continued acceptance of SHA-1/MD5 digests in certificate processing

Certificate policy and RFC 8446 compliance concerns regarding the continued acceptance of SHA-1/MD5 in certificate processing.

wolfssl | Remote | Cryptography
Jun 25, 2026 Jun 27, 2026
9.1 CRITICAL
CVE-2026-56445 — pydicom pynetdicom Library Path Traversal

The qrscp application's C-STORE handler uses a specific instance from attacker-supplied DICOM datasets directly in os.path.join() without sanitization, allowing file writes to arbitrary paths.

Remote | Path Traversal
Jun 25, 2026 Jun 26, 2026
7.5 HIGH
CVE-2026-38640 — Relibc: Reachable Unwrap Leading to Denial of Service

A reachable unwrap in the __assert_fail function (/assert/mod.rs) of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted string.

Remote | Denial of Service
Jun 25, 2026 Jun 26, 2026
Showing 20 of 8012 Results