Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21839
Total
1559
Critical
6635
High
6967
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-56276 | UNKNOWN | — | Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. … | Jun 20, 2026 |
| CVE-2026-56267 | UNKNOWN | — | Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker … | Jun 20, 2026 |
| CVE-2026-56235 | MEDIUM | 5.3 | Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) that are granted to the anon role without … | Jun 20, 2026 |
| CVE-2026-56228 | MEDIUM | 4.9 | Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can … | Jun 20, 2026 |
| CVE-2026-56227 | MEDIUM | 5.4 | Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing … | Jun 20, 2026 |
| CVE-2026-56218 | MEDIUM | 5.3 | Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowing information disclosure. Attackers can download uploaded images and extract … | Jun 20, 2026 |
| CVE-2025-71331 | MEDIUM | 6.1 | Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject … | Jun 20, 2026 |
| CVE-2024-58351 | CRITICAL | 9.8 | Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and … | Jun 20, 2026 |
| CVE-2026-12673 | UNKNOWN | — | Liquidfiles versions before 4.2.12 are affected by a broken access control vulnerability resulting in privilege escalation from an Admin in a secondary domain to a … | Jun 20, 2026 |
| CVE-2022-50972 | CRITICAL | 9.8 | WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers … | Jun 20, 2026 |
| CVE-2020-37255 | HIGH | 7.5 | WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with … | Jun 20, 2026 |
| CVE-2019-25763 | CRITICAL | 9.8 | WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login … | Jun 20, 2026 |
| CVE-2026-48939 | UNKNOWN | — | A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload … | Jun 20, 2026 |
| CVE-2026-48909 | UNKNOWN | — | SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server. | Jun 20, 2026 |
| CVE-2026-48908 | UNKNOWN | — | A vulnerability in the SP Page Builder for Joomla allows the upload of arbitrary files for unauthenticated users, ultimately resulting in PHP code upload and … | Jun 20, 2026 |
| CVE-2026-12119 | MEDIUM | 6.5 | The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in … | Jun 20, 2026 |
| CVE-2026-11912 | HIGH | 7.5 | The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, … | Jun 20, 2026 |
| CVE-2026-11911 | HIGH | 7.5 | The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all … | Jun 20, 2026 |
| CVE-2026-9843 | HIGH | 8.1 | The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in … | Jun 20, 2026 |
| CVE-2026-9265 | UNKNOWN | — | Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path. print_attribute() copies a UTF8STRING ASN.1 attribute value into a heap … | Jun 20, 2026 |
| CVE-2026-56216 | HIGH | 8.8 | Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows app-limited API keys to mint unrestricted keys by setting empty … | Jun 20, 2026 |
| CVE-2026-56215 | HIGH | 8.3 | Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers … | Jun 20, 2026 |
| CVE-2026-56214 | HIGH | 7.5 | Capgo before 12.128.2 contains an information disclosure vulnerability in Supabase PostgREST RPC endpoints is_trial_org and is_paying_org that allows unauthenticated attackers to enumerate organizations and disclose … | Jun 20, 2026 |
| CVE-2026-56213 | MEDIUM | 5.3 | Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsert_version_meta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated attackers to insert arbitrary rows … | Jun 20, 2026 |
| CVE-2026-56212 | LOW | 3.8 | Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for … | Jun 20, 2026 |