Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
0.0 NA
CVE-2026-41264 — Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from…

| Injection
Apr 23, 2026
0.0 NA
CVE-2026-41265 — Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results…

| Injection
Apr 23, 2026
0.0 NA
CVE-2026-41279 — Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API cred…

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (…

| Authentication
Apr 23, 2026
0.0 NA
CVE-2026-41278 — Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API ke…

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitiz…

| Information Disclosure
Apr 23, 2026
0.0 NA
CVE-2026-41276 — Flowise: AccountService resetPassword Authentication Bypass Vulnerability

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations …

| Authentication
Apr 23, 2026
0.0 NA
CVE-2026-41277 — Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object…

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated us…

| Authorization
Apr 23, 2026
9.3 CRITICAL
CVE-2026-25874 — LeRobot Unsafe Deserialization Remote Code Execution via gRPC

LeRobot contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in th…

Remote | Injection
Apr 23, 2026
0.0 NA
CVE-2026-41275 — Flowise: Password Reset Link Sent Over Unsecured HTTP

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the u…

| Cryptography
Apr 23, 2026
0.0 NA
CVE-2026-41273 — Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacke…

| Authentication
Apr 23, 2026
0.0 NA
CVE-2026-41271 — Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain co…

| Server-Side Request Forgery
Apr 23, 2026
9.3 CRITICAL
CVE-2026-6074 — Path traversal: '.../...//' in Intrado 911 Emergency Gateway (EGW)

A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access the ability to access the EGW management interface without authentication. Successful …

Remote | Path Traversal
Apr 23, 2026
8.2 HIGH
CVE-2026-41259 — Mastodon: Insufficient verification of email addresses

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and perfo…

Remote | Misconfiguration
Apr 23, 2026
8.9 HIGH
CVE-2026-41247 — elFinder: Command injection in resize background color parameter when using ImageMagick C…

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background …

Remote | Injection
Apr 23, 2026
8.1 HIGH
CVE-2026-41246 — Contour: Lua code injection via Cookie Path Rewrite Policy

Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker…

Remote | Injection
Apr 23, 2026
8.7 HIGH
CVE-2026-41241 — pretalx: Stored cross-site scripting in organiser search typeahead

pretalx is a conference planning tool. Prior to 2026.1.0, the organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown…

Remote | Cross-Site Scripting
Apr 23, 2026
5.9 MEDIUM
CVE-2026-41213 — @node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows …

@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKC…

Remote | Authentication
Apr 23, 2026
7.7 HIGH
CVE-2026-41205 — Mako: Path traversal via double-slash URI prefix in TemplateLookup

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is…

Remote | Path Traversal
Apr 23, 2026
5.9 MEDIUM
CVE-2026-41173 — Unbounded HTTP response body read in OpenTelemetry.Sampler.AWS

The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies fr…

Remote | Denial of Service
Apr 23, 2026
5.9 MEDIUM
CVE-2026-41078 — OpenTelemetry dotnet: Potential memory exhaustion via unbounded pooled-list sizing in Jae…

OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on …

Remote | Memory Corruption
Apr 23, 2026
5.3 MEDIUM
CVE-2026-40894 — OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation …

OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, the implementation details of the baggage, …

Remote | Denial of Service
Apr 23, 2026
Showing 20 of 6342 Results