Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.8 CRITICAL
CVE-2026-6942 — radare2-mcp <=1.6.0 OS Command Injection via Shell Metacharacter Bypass

radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metachara…

Remote | Injection
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
6.9 MEDIUM
CVE-2026-6941 — radare2 < 6.1.4 Project Notes Path Traversal via Symlink

radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malic…

| Path Traversal
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
7.1 HIGH
CVE-2026-6940 — radare2 < 6.1.4 Project Deletion Path Traversal Directory Deletion

radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the …

| Path Traversal
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
8.7 HIGH
CVE-2026-6376 — Missing authentication for critical function in SpiceJet Online Booking System

A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This re…

Remote | Authentication
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
8.7 HIGH
CVE-2026-6375 — Authorization bypass through User-Controlled key in SpiceJet Online Booking System

A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an att…

Remote | Authorization
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
8.2 HIGH
CVE-2026-28525 — SWUpdate Integer Underflow in Multipart Upload Parser

SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTT…

Remote | Denial of Service
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
8.2 HIGH
CVE-2026-41279 — Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API cred…

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (…

Remote | Authentication
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
8.7 HIGH
CVE-2026-41278 — Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API ke…

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitiz…

Remote | Information Disclosure
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
7.6 HIGH
CVE-2026-41277 — Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object…

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated us…

Remote | Authorization
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
7.7 HIGH
CVE-2026-41276 — Flowise: AccountService resetPassword Authentication Bypass Vulnerability

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations …

Remote | Authentication
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
7.5 HIGH
CVE-2026-41275 — Flowise: Password Reset Link Sent Over Unsecured HTTP

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the u…

Remote | Cryptography
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
7.7 HIGH
CVE-2026-41273 — Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacke…

Remote | Authentication
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
7.1 HIGH
CVE-2026-41272 — Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Sid…

Remote | Server-Side Request Forgery
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
7.1 HIGH
CVE-2026-41271 — Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain co…

Remote | Server-Side Request Forgery
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
7.1 HIGH
CVE-2026-41270 — Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function …

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Func…

Remote | Server-Side Request Forgery
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
7.1 HIGH
CVE-2026-41269 — Flowise: File Upload Validation Bypass in createAttachment

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javas…

Remote | Misconfiguration
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
7.7 HIGH
CVE-2026-41268 — Flowise: Flowise Parameter Override Bypass Remote Command Execution

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerabili…

Remote | Injection
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
8.1 HIGH
CVE-2026-41267 — Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organizati…

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoin…

Remote | Injection
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
7.7 HIGH
CVE-2026-41266 — Flowise: Sensitive Data Leak in public-chatbotConfig

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorizat…

Remote | Information Disclosure
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
9.2 CRITICAL
CVE-2026-41265 — Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results…

Remote | Injection
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
Showing 20 of 6327 Results