Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21880
Total
1559
Critical
6647
High
6994
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-56345 | HIGH | 8.1 | AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. … | Jun 20, 2026 |
| CVE-2026-56342 | MEDIUM | 6.8 | AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which … | Jun 20, 2026 |
| CVE-2026-56341 | HIGH | 7.5 | AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated … | Jun 20, 2026 |
| CVE-2026-56340 | HIGH | 8.8 | vLLM versions >= 0.10.2 and < 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, … | Jun 20, 2026 |
| CVE-2025-71379 | MEDIUM | 4.3 | vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool … | Jun 20, 2026 |
| CVE-2026-5366 | CRITICAL | 9.9 | Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the `GitRepository` storage class. The `commit_sha` parameter, which … | Jun 20, 2026 |
| CVE-2026-56332 | MEDIUM | 4.7 | Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmation_url parameter … | Jun 20, 2026 |
| CVE-2026-56330 | LOW | 3.5 | Capgo before 12.128.2 contains an open redirect vulnerability in stripe_portal and stripe_checkout endpoints that accept unvalidated callbackUrl, successUrl, and cancelUrl parameters. Authenticated attackers can craft … | Jun 20, 2026 |
| CVE-2026-56325 | LOW | 3.1 | Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for app_id lookup in the preview subdomain resolver, allowing underscore characters in app_id to … | Jun 20, 2026 |
| CVE-2026-56319 | MEDIUM | 4.3 | Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through … | Jun 20, 2026 |
| CVE-2026-56317 | UNKNOWN | — | Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without … | Jun 20, 2026 |
| CVE-2026-56307 | MEDIUM | 4.3 | Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops … | Jun 20, 2026 |
| CVE-2026-56304 | MEDIUM | 6.5 | picklescan before 1.0.1 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to create arbitrary zero-byte files via logging.FileHandler class instantiation. Attackers can exploit this … | Jun 20, 2026 |
| CVE-2026-56295 | MEDIUM | 6.3 | Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the require_apikey_expiration organization policy. The checkWebhookPermission … | Jun 20, 2026 |
| CVE-2026-56294 | MEDIUM | 4.8 | capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic … | Jun 20, 2026 |
| CVE-2026-56282 | MEDIUM | 5.3 | Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /replication endpoint that exposes internal PostgreSQL replication telemetry including slot names and WAL LSN … | Jun 20, 2026 |
| CVE-2026-56276 | UNKNOWN | — | Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. … | Jun 20, 2026 |
| CVE-2026-56267 | UNKNOWN | — | Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker … | Jun 20, 2026 |
| CVE-2026-56235 | MEDIUM | 5.3 | Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) that are granted to the anon role without … | Jun 20, 2026 |
| CVE-2026-56228 | MEDIUM | 4.9 | Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can … | Jun 20, 2026 |
| CVE-2026-56227 | MEDIUM | 5.4 | Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing … | Jun 20, 2026 |
| CVE-2026-56218 | MEDIUM | 5.3 | Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowing information disclosure. Attackers can download uploaded images and extract … | Jun 20, 2026 |
| CVE-2025-71331 | MEDIUM | 6.1 | Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject … | Jun 20, 2026 |
| CVE-2024-58351 | CRITICAL | 9.8 | Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and … | Jun 20, 2026 |
| CVE-2026-12673 | UNKNOWN | — | Liquidfiles versions before 4.2.12 are affected by a broken access control vulnerability resulting in privilege escalation from an Admin in a secondary domain to a … | Jun 20, 2026 |