Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

21246
Total
1526
Critical
6466
High
6753
Medium
CVE ID Severity Score Description Published
CVE-2026-56319 MEDIUM 4.3 Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through … Jun 20, 2026
CVE-2026-56317 UNKNOWN Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without … Jun 20, 2026
CVE-2026-56307 MEDIUM 4.3 Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops … Jun 20, 2026
CVE-2026-56304 MEDIUM 6.5 picklescan before 1.0.1 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to create arbitrary zero-byte files via logging.FileHandler class instantiation. Attackers can exploit this … Jun 20, 2026
CVE-2026-56295 MEDIUM 6.3 Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the require_apikey_expiration organization policy. The checkWebhookPermission … Jun 20, 2026
CVE-2026-56294 MEDIUM 4.8 capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic … Jun 20, 2026
CVE-2026-56282 MEDIUM 5.3 Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /replication endpoint that exposes internal PostgreSQL replication telemetry including slot names and WAL LSN … Jun 20, 2026
CVE-2026-56276 UNKNOWN Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. … Jun 20, 2026
CVE-2026-56267 UNKNOWN Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker … Jun 20, 2026
CVE-2026-56235 MEDIUM 5.3 Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) that are granted to the anon role without … Jun 20, 2026
CVE-2026-56228 MEDIUM 4.9 Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can … Jun 20, 2026
CVE-2026-56227 MEDIUM 5.4 Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing … Jun 20, 2026
CVE-2026-56218 MEDIUM 5.3 Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowing information disclosure. Attackers can download uploaded images and extract … Jun 20, 2026
CVE-2025-71331 MEDIUM 6.1 Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject … Jun 20, 2026
CVE-2024-58351 CRITICAL 9.8 Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and … Jun 20, 2026
CVE-2026-12673 UNKNOWN Liquidfiles versions before 4.2.12 are affected by a broken access control vulnerability resulting in privilege escalation from an Admin in a secondary domain to a … Jun 20, 2026
CVE-2022-50972 CRITICAL 9.8 WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers … Jun 20, 2026
CVE-2020-37255 HIGH 7.5 WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with … Jun 20, 2026
CVE-2019-25763 CRITICAL 9.8 WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login … Jun 20, 2026
CVE-2026-48939 UNKNOWN A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload … Jun 20, 2026
CVE-2026-48909 UNKNOWN SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server. Jun 20, 2026
CVE-2026-48908 UNKNOWN A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for unauthenticated users, ultimately resulting in PHP code upload and … Jun 20, 2026
CVE-2026-12119 MEDIUM 6.5 The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in … Jun 20, 2026
CVE-2026-11912 HIGH 7.5 The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, … Jun 20, 2026
CVE-2026-11911 HIGH 7.5 The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all … Jun 20, 2026