Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21003
Total
1519
Critical
6392
High
6662
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-57281 | HIGH | 7.5 | Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy … | Jun 24, 2026 |
| CVE-2026-57280 | HIGH | 8.8 | Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy … | Jun 24, 2026 |
| CVE-2026-42450 | UNKNOWN | — | OpenColorIO is a color management framework for visual effects and animation. Prior to version 2.5.2, `FileFormatSpi3D.cpp:163` uses `sscanf` with `%s` into 64-byte stack buffers when … | Jun 24, 2026 |
| CVE-2026-35025 | HIGH | 8.1 | ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with … | Jun 24, 2026 |
| CVE-2026-29034 | UNKNOWN | — | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | Jun 24, 2026 |
| CVE-2026-12537 | UNKNOWN | — | Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior … | Jun 24, 2026 |
| CVE-2026-56761 | MEDIUM | 4.3 | hono before 4.12.14 contains an html injection vulnerability in jsx server-side rendering that allows attackers to inject unintended html by using malformed attribute names. Attackers … | Jun 24, 2026 |
| CVE-2026-56370 | LOW | 3.3 | ImageMagick before 7.1.2-19 contains an out-of-bounds access vulnerability in ConnectedComponentsImage() when processing connected-components artifacts with invalid indices. Attackers can trigger access violations by specifying malformed … | Jun 24, 2026 |
| CVE-2026-56368 | LOW | 3.7 | ImageMagick before 7.1.2-15 contains a memory leak vulnerability in multiple coders that write raw pixel data where allocated objects are not properly freed. Attackers can … | Jun 24, 2026 |
| CVE-2026-56358 | MEDIUM | 5.4 | n8n before 1.123.25 (1.x) and before 2.11.2 (2.x), with the fix also included in 2.12.0, contains a stored cross-site scripting vulnerability in the Form Trigger … | Jun 24, 2026 |
| CVE-2026-56351 | HIGH | 8.2 | n8n before version 2.4.0 contains a sql injection vulnerability in MySQL, PostgreSQL, and Microsoft SQL nodes that allows authenticated users to inject arbitrary SQL through … | Jun 24, 2026 |
| CVE-2026-56338 | MEDIUM | 5.3 | Capgo before 12.128.2 contains a denial of service vulnerability in the /auth/v1/otp endpoint that prevents email verification for two-factor authentication due to captcha validation failures. … | Jun 24, 2026 |
| CVE-2026-56337 | MEDIUM | 5.3 | Capgo before 12.128.2 contains an information disclosure vulnerability in the public.exist_app_v2 RPC function that allows unauthenticated attackers to enumerate app_ids by calling POST /rest/v1/rpc/exist_app_v2 with … | Jun 24, 2026 |
| CVE-2026-56310 | MEDIUM | 4.3 | Cap-go before 12.128.2 contains an authorization bypass vulnerability in the GET /organization/members endpoint that allows org-limited API keys to bypass limited_to_orgs restrictions. Attackers with org-limited … | Jun 24, 2026 |
| CVE-2026-56302 | MEDIUM | 6.5 | Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. … | Jun 24, 2026 |
| CVE-2026-56272 | MEDIUM | 4.1 | Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can … | Jun 24, 2026 |
| CVE-2026-56270 | HIGH | 7.5 | Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that allows unauthenticated users to retrieve an organization's complete … | Jun 24, 2026 |
| CVE-2026-56269 | MEDIUM | 4.6 | Flowise before 3.1.0 (npm package flowise, versions 3.0.13 and earlier) uses a weak hardcoded default value 'Secre$t' for the TOKEN_HASH_SECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when … | Jun 24, 2026 |
| CVE-2026-56262 | MEDIUM | 6.5 | Crawl4AI before 0.8.7 contains an authentication bypass vulnerability in the monitor router endpoints that allows unauthenticated attackers to access destructive operations. Remote attackers can invoke … | Jun 24, 2026 |
| CVE-2026-56257 | HIGH | 7.1 | Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-brain ownership. Attackers can directly update apps.owner_org while leaving … | Jun 24, 2026 |
| CVE-2026-56256 | HIGH | 7.1 | Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization (ORG) management API endpoints (e.g., editing organization details, inviting users) do … | Jun 24, 2026 |
| CVE-2026-56245 | HIGH | 8.2 | Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. … | Jun 24, 2026 |
| CVE-2026-56244 | HIGH | 7.1 | Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. … | Jun 24, 2026 |
| CVE-2026-56237 | CRITICAL | 9.1 | Capgo before 12.128.2 contains a broken authentication vulnerability in its API key generation mechanism. API keys are exposed in frontend requests, and the backend fails … | Jun 24, 2026 |
| CVE-2026-56232 | HIGH | 8.8 | Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions … | Jun 24, 2026 |