Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
7.5 HIGH
CVE-2026-41275 — Flowise: Password Reset Link Sent Over Unsecured HTTP

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the u…

Remote | Cryptography
Apr 23, 2026
7.7 HIGH
CVE-2026-41273 — Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacke…

Remote | Authentication
Apr 23, 2026
7.1 HIGH
CVE-2026-41272 — Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Sid…

Remote | Server-Side Request Forgery
Apr 23, 2026
7.1 HIGH
CVE-2026-41271 — Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain co…

Remote | Server-Side Request Forgery
Apr 23, 2026
7.1 HIGH
CVE-2026-41270 — Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function …

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Func…

Remote | Server-Side Request Forgery
Apr 23, 2026
7.1 HIGH
CVE-2026-41269 — Flowise: File Upload Validation Bypass in createAttachment

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javas…

Remote | Misconfiguration
Apr 23, 2026
7.7 HIGH
CVE-2026-41268 — Flowise: Flowise Parameter Override Bypass Remote Command Execution

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerabili…

Remote | Injection
Apr 23, 2026
8.1 HIGH
CVE-2026-41267 — Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organizati…

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoin…

Remote | Injection
Apr 23, 2026
7.7 HIGH
CVE-2026-41266 — Flowise: Sensitive Data Leak in public-chatbotConfig

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorizat…

Remote | Information Disclosure
Apr 23, 2026
9.2 CRITICAL
CVE-2026-41265 — Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results…

Remote | Injection
Apr 23, 2026
9.2 CRITICAL
CVE-2026-41264 — Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from…

Remote | Injection
Apr 23, 2026
8.3 HIGH
CVE-2026-41138 — Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack of input …

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input ver…

Remote | Injection
Apr 23, 2026
9.4 CRITICAL
CVE-2026-41137 — Flowise: Code Injection in CSVAgent leads to Authenticated RCE

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an a…

Remote | Injection
Apr 23, 2026
9.3 CRITICAL
CVE-2026-25874 — LeRobot Unsafe Deserialization Remote Code Execution via gRPC

LeRobot contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in th…

Remote | Injection
Apr 23, 2026
9.3 CRITICAL
CVE-2026-6074 — Path traversal: '.../...//' in Intrado 911 Emergency Gateway (EGW)

A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access the ability to access the EGW management interface without authentication. Successful …

Remote | Path Traversal
Apr 23, 2026
8.2 HIGH
CVE-2026-41259 — Mastodon: Insufficient verification of email addresses

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and perfo…

Remote | Misconfiguration
Apr 23, 2026
8.9 HIGH
CVE-2026-41247 — elFinder: Command injection in resize background color parameter when using ImageMagick C…

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background …

Remote | Injection
Apr 23, 2026
8.1 HIGH
CVE-2026-41246 — Contour: Lua code injection via Cookie Path Rewrite Policy

Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker…

Remote | Injection
Apr 23, 2026
8.7 HIGH
CVE-2026-41241 — pretalx: Stored cross-site scripting in organiser search typeahead

pretalx is a conference planning tool. Prior to 2026.1.0, the organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown…

Remote | Cross-Site Scripting
Apr 23, 2026
5.9 MEDIUM
CVE-2026-41213 — @node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows …

@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKC…

Remote | Authentication
Apr 23, 2026
Showing 20 of 6337 Results