CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Feed summary: 10692 entries in total; 727 critical, 3080 high and 3407 medium by CVSS severity. Rows shown as UNKNOWN with no score carry no CVSS rating in the feed yet.
| CVE ID | Severity | CVSS score | Description | Published |
|---|---|---|---|---|
| CVE-2026-42236 | UNKNOWN | — | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the MCP OAuth client registration endpoint accepted unauthenticated requests and … | May 04, 2026 |
| CVE-2026-42235 | UNKNOWN | — | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client … | May 04, 2026 |
| CVE-2026-42234 | UNKNOWN | — | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows … | May 04, 2026 |
| CVE-2026-42233 | UNKNOWN | — | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed … | May 04, 2026 |
| CVE-2026-42232 | UNKNOWN | — | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows … | May 04, 2026 |
| CVE-2026-42231 | UNKNOWN | — | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML … | May 04, 2026 |
| CVE-2026-42230 | UNKNOWN | — | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /mcp-oauth/register endpoint accepted OAuth client registrations without authentication, allowing … | May 04, 2026 |
| CVE-2026-42229 | UNKNOWN | — | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the SeaTable node's row:search and row:get operations … | May 04, 2026 |
| CVE-2026-42228 | UNKNOWN | — | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /chat WebSocket endpoint used by the Chat Trigger node's … | May 04, 2026 |
| CVE-2026-42227 | UNKNOWN | — | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to … | May 04, 2026 |
| CVE-2026-42226 | UNKNOWN | — | n8n is an open source workflow automation platform. Prior to versions 1.123.33 and 2.17.5, the dynamic-node-parameters endpoints did not verify whether the authenticated caller was … | May 04, 2026 |
| CVE-2026-42154 | HIGH | 7.5 | Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the … | May 04, 2026 |
| CVE-2026-42151 | HIGH | 7.5 | Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write … | May 04, 2026 |
| CVE-2026-41686 | UNKNOWN | — | Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.91.1, the BetaLocalFilesystemMemoryTool … | May 04, 2026 |
| CVE-2026-38751 | HIGH | 7.2 | OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionality (modules/aggiornamenti/upload_modules.php) | May 04, 2026 |
| CVE-2026-25863 | HIGH | 7.5 | Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method … | May 04, 2026 |
| CVE-2026-43616 | HIGH | 7.1 | Detect-It-Easy prior to 3.21 contains a path traversal vulnerability that allows attackers to write arbitrary files to the filesystem by crafting malicious archive entries with … | May 04, 2026 |
| CVE-2026-42796 | CRITICAL | 9.8 | Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to … | May 04, 2026 |
| CVE-2026-42146 | MEDIUM | 5.5 | CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly … | May 04, 2026 |
| CVE-2026-42144 | MEDIUM | 6.1 | CImg Library is a C++ library for image processing. Prior to commit 4ca26bc, there is an integer overflow vulnerability in the W*H*D size computation inside … | May 04, 2026 |
| CVE-2026-42140 | MEDIUM | 4.4 | PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request … | May 04, 2026 |
| CVE-2026-42138 | UNKNOWN | — | Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file … | May 04, 2026 |
| CVE-2026-42092 | MEDIUM | 6.5 | titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. … | May 04, 2026 |
| CVE-2026-42091 | MEDIUM | 6.5 | goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to … | May 04, 2026 |
| CVE-2026-42088 | CRITICAL | 9.6 | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script … | May 04, 2026 |
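A check a practitioner consuming a feed like this usually wants is that the Severity column actually agrees with the score, since the two come from different fields and the qualitative band is what most triage rules key on. The script below is an added example, not code from the feed page or from NVD: it re-derives the CVSS v3.x qualitative severity from each score using the published bands (0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical), reports any row whose stated severity disagrees, and tallies the buckets the page's counters use. The row regex assumes the pipe-separated table layout shown above, and the sample table is a constructed subset of this page's rows with descriptions trimmed.

```python
"""Added example (not part of the CVE feed page or of NVD): sanity-check a
CVE feed table by re-deriving CVSS v3.x severity from each score."""
import re
from collections import Counter

# CVSS v3.x qualitative severity rating scale:
#   0.0 None | 0.1-3.9 Low | 4.0-6.9 Medium | 7.0-8.9 High | 9.0-10.0 Critical
def cvss_v3_severity(score):
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"

# Assumed row layout: | CVE ID | Severity | Score | Description | Published |
# The score cell is either a decimal or a dash placeholder for "not scored".
ROW_RE = re.compile(r"^\|\s*(CVE-\d{4}-\d{4,})\s*\|\s*([A-Z]+)\s*\|\s*([\d.]+|—|-)\s*\|")

def parse_feed_rows(table_text):
    """Parse table rows into dicts; header, separator and blank lines are skipped."""
    rows = []
    for line in table_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        cve_id, severity, score = m.groups()
        rows.append({
            "id": cve_id,
            "severity": severity,
            "score": None if score in ("—", "-") else float(score),
        })
    return rows

def check_rows(rows):
    """Return (cve_id, stated, derived) for rows whose stated severity
    disagrees with the band their score falls in. Unscored rows are skipped:
    UNKNOWN with no score means the entry has not been rated yet, not an error."""
    mismatches = []
    for r in rows:
        if r["score"] is None:
            continue
        derived = cvss_v3_severity(r["score"])
        if derived != r["severity"]:
            mismatches.append((r["id"], r["severity"], derived))
    return mismatches

def tally(rows):
    """Count rows per derived severity band, plus UNSCORED and TOTAL."""
    counts = Counter(
        ("UNSCORED" if r["score"] is None else cvss_v3_severity(r["score"]))
        for r in rows
    )
    counts["TOTAL"] = len(rows)
    return dict(counts)

# Constructed sample: a subset of the rows on this page, descriptions trimmed.
SAMPLE_TABLE = """\
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-42236 | UNKNOWN | — | n8n MCP OAuth client registration ... | May 04, 2026 |
| CVE-2026-42154 | HIGH | 7.5 | Prometheus remote read endpoint ... | May 04, 2026 |
| CVE-2026-38751 | HIGH | 7.2 | OpenSTAManager arbitrary file upload ... | May 04, 2026 |
| CVE-2026-42796 | CRITICAL | 9.8 | Arelle unauthenticated RCE ... | May 04, 2026 |
| CVE-2026-42146 | MEDIUM | 5.5 | CImg BMP nb_colors ... | May 04, 2026 |
| CVE-2026-42140 | MEDIUM | 4.4 | PlantUML Macro SSRF ... | May 04, 2026 |
| CVE-2026-42088 | CRITICAL | 9.6 | OpenC3 COSMOS script ... | May 04, 2026 |
"""

if __name__ == "__main__":
    rows = parse_feed_rows(SAMPLE_TABLE)
    print(tally(rows))
    for cve_id, stated, derived in check_rows(rows):
        print(f"{cve_id}: table says {stated}, score implies {derived}")
```

Unscored rows are deliberately left out of the mismatch list rather than flagged, so a feed full of freshly published entries does not drown real inconsistencies; the tally still reports them under UNSCORED so the gap between the headline total and the severity counters is visible.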