Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
9.1 CRITICAL
CVE-2026-48746 — vLLM: OpenAI auth bypass

vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentica…

vllm vllm | Remote | Authentication
Jun 22, 2026 Jun 30, 2026
6.5 MEDIUM
CVE-2026-47155 — vLLM: Artifact Pin Decay in vLLM allows pinned deployments to load unpinned code, weights…

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment…

vllm vllm | Remote | Supply Chain
Jun 22, 2026 Jun 24, 2026
7.5 HIGH
CVE-2026-41523 — vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Ar…

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, an assert-based security check in vLLM's activation function loading allows any unauthenticated attacker to …

vllm vllm | Remote | Authentication
Jun 22, 2026 Jun 30, 2026
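The entry above says only that the check was assert-based. The general reason an assert cannot serve as a security control is that Python strips every assert statement at optimize level 1 (what `python -O` does), so the guard exists in development and is gone in an optimized deployment. The following is an added example, not vLLM's code: the loader, the allow-list and the names are hypothetical, and `compile()` with an explicit optimize level is used so both behaviours can be observed in one process.

```python
"""Why an assert is not a security check (generic illustration, not vLLM's
code). Python drops every assert statement when it compiles at optimize
level 1, which is what `python -O` does, so a guard written as an assert
vanishes in optimized deployments. The loader below is a hypothetical
stand-in for "load an activation function by name"; compile() with an
explicit optimize level lets the block show both behaviours in-process.
"""

# Constructed allow-list of names the loader is meant to accept.
ALLOWED = {"gelu", "relu", "silu"}

VULNERABLE_SRC = '''
def load_activation(name):
    # Guard written as an assert: stripped entirely at optimize level 1.
    assert name in ALLOWED, "activation not allowed"
    return "loaded:" + name
'''

HARDENED_SRC = '''
def load_activation(name):
    # Guard written as a real check: present at every optimize level.
    if name not in ALLOWED:
        raise ValueError("activation not allowed: %r" % (name,))
    return "loaded:" + name
'''


def build_loader(src, optimize):
    """Compile `src` at the given optimize level and return its load_activation.

    optimize=0 mirrors a plain `python` run, optimize=1 mirrors `python -O`.
    """
    namespace = {"ALLOWED": ALLOWED}
    code = compile(src, "<loader>", "exec", optimize=optimize)
    exec(code, namespace)
    return namespace["load_activation"]


def guard_holds(src, optimize, name="not_an_activation"):
    """True if the guard in `src` rejects a name outside the allow-list."""
    loader = build_loader(src, optimize)
    try:
        loader(name)
    except (AssertionError, ValueError):
        return True
    return False


if __name__ == "__main__":
    for label, src in (("assert guard", VULNERABLE_SRC), ("if/raise guard", HARDENED_SRC)):
        print(label, "plain:", guard_holds(src, 0), " -O:", guard_holds(src, 1))
```

The same applies to any assert that gates a deserialization path, a file path, or a permission: treat it as documentation of an invariant, and put the rejection in an explicit `if`/`raise`.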
6.1 MEDIUM
CVE-2026-56698 — Nuxt - Cross-Site Scripting via navigateTo open Option

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs…

nuxt og_image | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 25, 2026
6.1 MEDIUM
CVE-2026-56697 — Nuxt - Open Redirect via Protocol-Relative Paths in reloadNuxtApp

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-ori…

nuxt og_image | Remote | Server-Side Request Forgery
Jun 22, 2026 Jun 25, 2026
6.3 MEDIUM
CVE-2026-56357 — n8n - Webhook Forgery via Missing HMAC-SHA256 Signature Verification in GitHub Webhook Tr…

n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook UR…

n8n | Remote | Authentication
Jun 22, 2026 Jun 24, 2026
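What the missing check looks like when it is present, as an added example that is not n8n's code (the secret, payload and handler names are constructed for the illustration). GitHub attaches `X-Hub-Signature-256: sha256=<hex>`, an HMAC-SHA256 over the raw request body under the shared webhook secret; a receiver that never verifies it accepts any body from anyone who knows the URL.

```python
"""Verifying a GitHub webhook delivery. Added example, not n8n's code:
SECRET, BODY and handle_webhook are constructed for this illustration.
"""
import hashlib
import hmac

HEX_DIGITS = set("0123456789abcdefABCDEF")


def sign_payload(secret, body):
    """The value GitHub puts in X-Hub-Signature-256 for `body` under `secret`."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_github_signature(secret, body, header_value):
    """True only if header_value is a valid HMAC-SHA256 of the raw body.

    - body must be the raw bytes as received, before any JSON parsing
    - a missing, malformed or differently-schemed header is a rejection
    - the comparison is constant-time (hmac.compare_digest)
    """
    if not isinstance(header_value, str) or not header_value:
        return False
    scheme, sep, hexdigest = header_value.partition("=")
    if sep != "=" or scheme != "sha256" or len(hexdigest) != 64:
        return False
    if any(ch not in HEX_DIGITS for ch in hexdigest):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, hexdigest.lower())


def handle_webhook(secret, body, headers):
    """Minimal trigger handler: unsigned or mis-signed deliveries are dropped
    before the body is parsed or any workflow is started."""
    if not verify_github_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return (401, "signature mismatch")
    return (200, "accepted")


# Constructed sample delivery: a secret, a push payload, and the signature
# GitHub would attach for that exact byte sequence.
SECRET = b"correct horse battery staple"
BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"acme/app"}}'
GOOD_HEADER = sign_payload(SECRET, BODY)

if __name__ == "__main__":
    print(handle_webhook(SECRET, BODY, {"X-Hub-Signature-256": GOOD_HEADER}))
    print(handle_webhook(SECRET, BODY, {}))                       # forged: no signature
    print(handle_webhook(SECRET, BODY + b" ", {"X-Hub-Signature-256": GOOD_HEADER}))
```

Two details matter in practice: sign and verify over the raw bytes (re-serialized JSON will not match), and configure the secret on both sides so that an absent header is a hard failure rather than a "no secret configured" pass.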
9.9 CRITICAL
CVE-2026-56348 — n8n - Credential Exfiltration via Allowed HTTP Request Domains Bypass in Dynamic Node Par…

n8n before 2.20.0 contains a credential exfiltration vulnerability in the POST /rest/dynamic-node-parameters/options endpoint that allows authenticated users to bypass Allowed HTTP Request Domains re…

n8n | Remote | Server-Side Request Forgery
Jun 22, 2026 Jun 24, 2026
6.1 MEDIUM
CVE-2026-56326 — Nuxt - Server-Side Open Redirect via Path-Normalization Bypass in navigateTo

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-normalized payloads like /..//evil.com and …

nuxt og_image | Remote | Misconfiguration
Jun 22, 2026 Jun 25, 2026
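The three Nuxt entries above (CVE-2026-56698, CVE-2026-56697 and CVE-2026-56326) are one redirect-target check applied to the wrong string: a scheme that is script-capable, a protocol-relative host, and a path that only becomes protocol-relative after dot-segment normalization. The following is an added example in Python rather than Nuxt's JavaScript, and is not Nuxt's code; it shows the bypassable order (check, then normalize) beside the safe order (normalize, then check) for the payload classes the descriptions name. `normalize_path` is a simplified WHATWG-style dot-segment remover written for this illustration.

```python
"""Same-origin redirect-target validation. Added example, not Nuxt's code:
normalize_path, vulnerable_redirect and safe_redirect are written for this
illustration; the payloads come from the feed descriptions.
"""
from urllib.parse import urlsplit


def normalize_path(path):
    """WHATWG-style dot-segment removal that keeps empty segments, so
    '/..//evil.com' serializes to '//evil.com' just as a browser would."""
    out = []
    for seg in path.split("/")[1:]:      # skip the empty segment before the first "/"
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def vulnerable_redirect(target):
    """Bypassable order: check the raw string, then normalize it.
    '/..//evil.com' passes the check and comes out as '//evil.com'."""
    if target.startswith("//") or urlsplit(target).scheme:
        return None
    return normalize_path(target)


def safe_redirect(target):
    """Return a same-origin path to redirect to, or None if `target` is unsafe.

    Each rejection maps onto one advisory class: a scheme (javascript:, data:,
    and also https: to elsewhere), a protocol-relative host, or a path that
    normalizes to a protocol-relative host.
    """
    if not isinstance(target, str) or not target:
        return None
    # Drop control characters and whitespace that browsers ignore when parsing
    # a scheme (e.g. "java\tscript:"), so the scheme check sees what they see.
    cleaned = "".join(ch for ch in target if ord(ch) > 0x20)
    parts = urlsplit(cleaned)
    if parts.scheme:
        return None
    # Browsers treat backslashes as slashes: "/\\evil.com" is protocol-relative.
    path = parts.path.replace("\\", "/")
    if parts.netloc or not path.startswith("/"):
        return None
    normalized = normalize_path(path)   # normalize BEFORE the final check
    if normalized.startswith("//"):
        return None
    if parts.query:
        normalized += "?" + parts.query
    if parts.fragment:
        normalized += "#" + parts.fragment
    return normalized


if __name__ == "__main__":
    for payload in ("javascript:alert(1)", "//evil.com", "/..//evil.com", "/\\evil.com", "/dashboard?tab=1"):
        print("%-22r vulnerable=%-14r safe=%r" % (payload, vulnerable_redirect(payload), safe_redirect(payload)))
```

The general rule behind all three advisories: validate the value the browser will actually receive, which means running the same normalization the framework applies (or a stricter one) before the check, not after it.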
8.8 HIGH
CVE-2026-56324 — Capgo - Rate Limit Bypass via User-Controlled device_id Parameter

Capgo before 12.128.2 contains a rate limit bypass vulnerability in the channel_self endpoint that allows attackers to circumvent rate limiting by rotating the user-controlled device_id parameter. At…

Remote | Denial of Service
Jun 22, 2026 Jun 24, 2026
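Why rotating `device_id` defeats the limiter, as an added example that is not Capgo's code (the limiter, the request shape and the burst are constructed for this illustration): a limiter keyed on a value the caller chooses gives every request a fresh, empty bucket, while one keyed on attributes the caller cannot freely rotate holds.

```python
"""Rate limiting keyed on a client-chosen value vs. a source the client
cannot freely rotate. Added illustration, not Capgo's code: the limiter,
the request shape and the burst below are constructed for this example.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)   # key -> timestamps of recent hits

    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def key_by_device_id(req):
    """Vulnerable choice: the caller picks device_id, so every request can
    present a fresh key and land in an empty bucket."""
    return req["device_id"]


def key_by_source(req):
    """Hardened choice: key on attributes the caller cannot rotate at will
    (here the source address and the app being updated)."""
    return (req["ip"], req["app_id"])


def replay(requests, key_fn, limit=5, window=60.0):
    """Run `requests` through a fresh limiter keyed by key_fn; return the
    number that were allowed."""
    limiter = SlidingWindowLimiter(limit, window)
    return sum(1 for r in requests if limiter.allow(key_fn(r), r["t"]))


# Constructed burst: 100 requests in one second from one IP for one app,
# each carrying a different device_id.
BURST = [
    {"t": i * 0.01, "ip": "198.51.100.7", "app_id": "com.example.app",
     "device_id": "dev-%04d" % i}
    for i in range(100)
]

if __name__ == "__main__":
    print("keyed on device_id:", replay(BURST, key_by_device_id), "of 100 allowed")
    print("keyed on source:   ", replay(BURST, key_by_source), "of 100 allowed")
```

A per-device key can still be useful for fairness, but only underneath a ceiling keyed on something the client does not control (source address, authenticated principal, or a global cap per app); a client-controlled field must never be the only key.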
8.7 HIGH
CVE-2026-56323 — Capgo - Unauthenticated Channel Enumeration and App Oracle via GET /channel_self

Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channel_self endpoint that allows unauthenticated attackers to enumerate non-public channel names and deter…

Remote | Information Disclosure
Jun 22, 2026 Jun 23, 2026
6.9 MEDIUM
CVE-2026-56321 — Capgo - Missing Authentication Middleware on GET /private/role_bindings Endpoint

Capgo (backend Supabase edge functions) before 12.128.2 does not apply the global authentication middleware to the GET /private/role_bindings/:org_id endpoint, unlike the POST and DELETE role_binding…

Remote | Authentication
Jun 22, 2026 Jun 23, 2026
7.1 HIGH
CVE-2026-56314 — Capgo - Deleted Bundle Selection via Missing Deletion Filter in /updates Endpoint

Capgo before 12.128.12 fails to filter deleted app versions when joining channels during /updates resolution, allowing deleted bundles to remain selectable. Attackers can continue deploying deleted b…

Remote | Authorization
Jun 22, 2026 Jun 23, 2026
6.9 MEDIUM
CVE-2026-56311 — Capgo - Unauthenticated Cross-Tenant Disclosure via get_current_plan_max_org RPC

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.get_current_plan_max_org RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan …

Remote | Authorization
Jun 22, 2026 Jun 23, 2026
6.4 MEDIUM
CVE-2026-56306 — Capgo - Subkey Enforcement Bypass via x-limited-key-id Header Parsing

Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate header…

Remote | Misconfiguration
Jun 22, 2026 Jun 23, 2026
7.1 HIGH
CVE-2026-56280 — Cap-go - Privilege Inversion in Build Log Stream via SSE Disconnect

Cap-go before 12.128.2 contains a privilege inversion vulnerability in GET /build/logs/:jobId that allows read-only API key holders to cancel running native builds. The endpoint registers an abort li…

Remote | Authorization
Jun 22, 2026 Jun 24, 2026
7.7 HIGH
CVE-2026-56268 — Flowise - Cross-Workspace Information Disclosure via chatflows/apikey Endpoint

Flowise before 3.1.2 contains an information disclosure vulnerability in the /api/v1/chatflows/apikey/:apikey endpoint. When the keyonly query parameter is omitted (the default), the endpoint returns…

flowise | Remote | Information Disclosure
Jun 22, 2026 Jun 25, 2026
9.2 CRITICAL
CVE-2026-56266 — Crawl4AI - Server-Side Request Forgery via Direct Crawl Endpoints

Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenti…

crawl4ai | Remote | Server-Side Request Forgery
Jun 22, 2026 Jun 30, 2026
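Outbound URL validation of the kind the Crawl4AI endpoints described above lack, as an added example that is not the project's code. `check_crawl_target` is a hypothetical name, and `FAKE_DNS` is a constructed resolver table standing in for DNS so the block runs offline; a real deployment passes its own resolver and then connects to the address it checked.

```python
"""Validating a user-supplied fetch target before a server-side crawl.
Added example, not Crawl4AI's code: check_crawl_target is hypothetical and
FAKE_DNS is a constructed stand-in for DNS resolution.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table (host -> addresses) so the example runs offline.
FAKE_DNS = {
    "example.org": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "metadata.google.internal": ["169.254.169.254"],
    "rebind.attacker": ["93.184.216.34", "127.0.0.1"],   # one public, one loopback
    "localhost": ["127.0.0.1", "::1"],
}


def is_public_address(ip_text):
    """False for loopback, private, link-local (cloud metadata), multicast,
    reserved and unspecified addresses, including IPv4-mapped IPv6 forms."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                  # ::ffff:127.0.0.1 is still loopback
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_crawl_target(url, resolve=lambda host: FAKE_DNS.get(host, [])):
    """Return (ok, reason) for a crawl target.

    Rejects non-http(s) schemes, credentials in the URL, literal addresses
    that are not public, and names for which ANY resolved address is not
    public (covers split-horizon DNS and rebinding tricks).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return (False, "scheme not allowed")
    if parts.username or parts.password:
        return (False, "credentials in url")
    host = parts.hostname                     # lower-cased, brackets stripped
    if not host:
        return (False, "no host")
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IP, incl. [::1]
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return (False, "unresolvable host")
    for addr in addresses:
        if not is_public_address(addr):
            return (False, "non-public address %s" % addr)
    return (True, "ok")


if __name__ == "__main__":
    for candidate in ("https://example.org/page",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:127.0.0.1]/",
                      "http://internal.corp/admin",
                      "http://rebind.attacker/",
                      "file:///etc/passwd"):
        print("%-45s %s" % (candidate, check_crawl_target(candidate)))
```

Checking the string is only half the control: the fetch must connect to the address that was checked rather than resolving again, every redirect must be re-validated with the same function, and the crawler's own egress should sit on a network that cannot reach metadata or internal ranges at all.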
5.3 MEDIUM
CVE-2026-56255 — Capgo - Denial of Service via Unlimited Demo App Creation

Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows authenticated users with org write permissions to create unlimited demo applications withou…

Remote | Denial of Service
Jun 22, 2026 Jun 23, 2026
7.1 HIGH
CVE-2026-56221 — Cap-go - SQL Injection in Cloudflare Analytics Engine Queries via cloudflare.ts

Cap-go before 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without s…

Remote | Injection
Jun 22, 2026 Jun 23, 2026
7.6 HIGH
CVE-2026-55409 — Filament: Disabled RichEditor field state can be used for XSS

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the d…

filament | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 23, 2026
Showing 20 of 7941 Results