Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
20714
Total
1493
Critical
6288
High
6559
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-10098 | UNKNOWN | — | OCSP CertID serial-number length-confusion in wolfSSL_OCSP_resp_find_status allows a same-issuer SingleResponse whose serial is a prefix of the target serial to be reported as the revocation … | Jun 25, 2026 |
| CVE-2025-71340 | HIGH | 8.1 | picklescan through 0.0.26 fails to detect malicious pickle files that invoke idlelib.pyshell.ModifiedInterpreter.runcode in __reduce__ methods. Attackers can embed undetected code in pickle files that executes … | Jun 25, 2026 |
| CVE-2025-71338 | CRITICAL | 10.0 | Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized … | Jun 25, 2026 |
| CVE-2025-71336 | CRITICAL | 9.8 | Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which is designed to execute … | Jun 25, 2026 |
| CVE-2025-71335 | HIGH | 8.1 | Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who … | Jun 25, 2026 |
| CVE-2025-71334 | CRITICAL | 9.8 | Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missing validation that the chatflowId and chatId parameters are … | Jun 25, 2026 |
| CVE-2025-71333 | UNKNOWN | — | Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal … | Jun 25, 2026 |
| CVE-2025-71328 | HIGH | 8.3 | Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings (Security) section without supplying … | Jun 25, 2026 |
| CVE-2025-71327 | CRITICAL | 9.1 | Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint … | Jun 25, 2026 |
| CVE-2025-71324 | HIGH | 7.5 | Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints. The chatId value is not validated … | Jun 25, 2026 |
| CVE-2021-47987 | HIGH | 7.5 | Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an … | Jun 25, 2026 |
| CVE-2021-47986 | HIGH | 7.5 | Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal … | Jun 25, 2026 |
| CVE-2020-37256 | MEDIUM | 5.4 | Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject … | Jun 25, 2026 |
| CVE-2026-6731 | UNKNOWN | — | X.509 name constraint bypass via the Subject Common Name when treated as a DNS-type name. A certificate whose Subject CN violates an issuing CA's DNS … | Jun 25, 2026 |
| CVE-2026-6681 | UNKNOWN | — | The PKCS#7 decode path ignores the caller-supplied output buffer size (outputSz), allowing decoded content to be written past the bounds of the provided buffer. This … | Jun 25, 2026 |
| CVE-2026-6679 | UNKNOWN | — | A heap buffer overflow could occur in the DTLS 1.3 ACK serialization path before the connecting peer is authenticated. The buffer overflow was due to … | Jun 25, 2026 |
| CVE-2026-6678 | UNKNOWN | — | Integer underflow in wc_PKCS7_DecryptOri when handling crafted Other Recipient Info, leading to incorrect length handling during decryption. | Jun 25, 2026 |
| CVE-2026-6450 | UNKNOWN | — | A CRL critical extension bypass exists in ParseCRL_Extensions where critical extensions are not properly enforced, allowing a crafted CRL with an unhandled critical extension to … | Jun 25, 2026 |
| CVE-2026-6412 | UNKNOWN | — | Certificate policy and RFC 8446 compliance concerns regarding the continued acceptance of SHA-1/MD5 in certificate processing. | Jun 25, 2026 |
| CVE-2026-56445 | CRITICAL | 9.1 | The qrscp application's C-STORE handler uses a specific instance from attacker-supplied DICOM datasets directly in os.path.join() without sanitization, allowing file writes to arbitrary paths. | Jun 25, 2026 |
| CVE-2026-38640 | HIGH | 7.5 | A reachable unwrap in the __assert_fail function (/assert/mod.rs) of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted string. | Jun 25, 2026 |
| CVE-2026-38637 | HIGH | 7.5 | An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted input. | Jun 25, 2026 |
| CVE-2026-37452 | HIGH | 7.5 | Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSIAPService.exe component | Jun 25, 2026 |
| CVE-2026-12473 | HIGH | 8.2 | Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically … | Jun 25, 2026 |
| CVE-2026-7531 | CRITICAL | 9.8 | Use-after-free in PQC hybrid key-share handling. This is an incomplete-fix follow-up to CVE-2026-5460 (released in 5.9.1): a malicious TLS 1.3 server sending a truncated PQC … | Jun 25, 2026 |