Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
7.7 HIGH
CVE-2026-56268 — Flowise - Cross-Workspace Information Disclosure via chatflows/apikey Endpoint

Flowise before 3.1.2 contains an information disclosure vulnerability in the /api/v1/chatflows/apikey/:apikey endpoint. When the keyonly query parameter is omitted (the default), the endpoint returns…

flowise | Remote | Information Disclosure
Jun 22, 2026 Jun 25, 2026
9.2 CRITICAL
CVE-2026-56266 — Crawl4AI - Server-Side Request Forgery via Direct Crawl Endpoints

Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenti…

crawl4ai | Remote | Server-Side Request Forgery
Jun 22, 2026 Jun 30, 2026
5.3 MEDIUM
CVE-2026-56255 — Capgo - Denial of Service via Unlimited Demo App Creation

Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows authenticated users with org write permissions to create unlimited demo applications withou…

Remote | Denial of Service
Jun 22, 2026 Jun 23, 2026
7.1 HIGH
CVE-2026-56221 — Cap-go - SQL Injection in Cloudflare Analytics Engine Queries via cloudflare.ts

Cap-go before 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without s…

Remote | Injection
Jun 22, 2026 Jun 23, 2026
7.6 HIGH
CVE-2026-55409 — Filament: Disabled RichEditor field state can be used for XSS

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the d…

filament | Remote | Cross-Site Scripting
Jun 22, 2026 Jun 23, 2026
6.5 MEDIUM
CVE-2026-54911 — UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps() (or ujson.dump() or ujson.encode()) have a reject_bytes=False option. When…

ultrajson | Remote | Misconfiguration
Jun 22, 2026 Jun 26, 2026
8.7 HIGH
CVE-2026-54281 — Nest: Middleware Bypass on Fastify via Trailing Slash

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered …

nest | Remote | Authentication
Jun 22, 2026 Jun 24, 2026
7.5 HIGH
CVE-2026-48517 — MessagePack-CSharp: Typeless deserialization type restrictions do not recurse into arrays…

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's typeless deserialization includes MessagePackSerializerOptions.ThrowIfDeserializingTypeIsDisall…

messagepack | Remote | Misconfiguration
Jun 22, 2026 Jun 25, 2026
7.5 HIGH
CVE-2026-48516 — MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settin…

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the d…

messagepack | Remote | Denial of Service
Jun 22, 2026 Jun 25, 2026
7.5 HIGH
CVE-2026-48515 — MessagePack-CSharp: Multi-dimensional array formatters allocate from unchecked dimensions

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's multi-dimensional array formatters read dimension lengths directly from the payload and allocat…

messagepack | Remote | Memory Corruption
Jun 22, 2026 Jun 25, 2026
7.5 HIGH
CVE-2026-48514 — MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, UnsafeBlitFormatterBase<T>.Deserialize reads an attacker-controlled byteLength from an extension payload and allocat…

messagepack | Remote | Memory Corruption
Jun 22, 2026 Jun 25, 2026
7.5 HIGH
CVE-2026-48513 — MessagePack-CSharp: DynamicUnionResolver generated deserializers miss depth enforcement

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref …

messagepack | Remote | Information Disclosure
Jun 22, 2026 Jun 25, 2026
7.5 HIGH
CVE-2026-48512 — MessagePack-CSharp: JSON conversion APIs can recurse without consistent depth enforcement

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's JSON conversion helpers contain multiple recursion paths that do not consistently enforce a dep…

messagepack | Remote | Denial of Service
Jun 22, 2026 Jun 25, 2026
7.5 HIGH
CVE-2026-48511 — MessagePack-CSharp: ExpandoObject formatter can perform quadratic insertion work on untru…

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add…

messagepack | Remote | Denial of Service
Jun 22, 2026 Jun 25, 2026
7.5 HIGH
CVE-2026-48510 — MessagePack-CSharp: LZ4 decompression allocates from unbounded declared output lengths

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, when MessagePack-CSharp decompresses Lz4Block or Lz4BlockArray payloads, it reads declared uncompressed lengths from…

messagepack | Remote | Denial of Service
Jun 22, 2026 Jun 25, 2026
9.1 CRITICAL
CVE-2026-48509 — MessagePack-CSharp: ASP.NET Core MessagePackInputFormatter defaults to TrustedData for HT…

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, the parameterless MessagePackInputFormatter() constructor uses default serializer options, which resolve to MessageP…

messagepack | Remote | Misconfiguration
Jun 22, 2026 Jun 25, 2026
7.5 HIGH
CVE-2026-48506 — MessagePack-CSharp: MessagePackReader.Skip can recurse without enforcing maximum object g…

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth o…

messagepack | Remote | Denial of Service
Jun 22, 2026 Jun 23, 2026
7.4 HIGH
CVE-2026-48505 — Filament: Multi-factor authentication (app) recovery codes can still be used multiple tim…

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentic…

filament | Remote | Authentication
Jun 22, 2026 Jun 23, 2026
8.2 HIGH
CVE-2026-48502 — MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the proc…

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension len…

messagepack | Remote | Denial of Service
Jun 22, 2026 Jun 23, 2026
6.5 MEDIUM
CVE-2026-48500 — Filament: Unauthenticated temporary file upload on auth pages

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies…

filament | Remote | Misconfiguration
Jun 22, 2026 Jun 23, 2026
Showing 20 of 7989 Results