Skip to main content
CVE-2026-27966 CRITICAL POC PATCH Act Now

Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary code execution through crafted CSV files. EPSS 0.41% with PoC and patch available.

Python RCE Command Injection AI / ML Langflow +1
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-27941 CRITICAL POC PATCH Act Now

Supply chain attack vector in OpenLIT GitHub Actions workflows. The pull_request_target trigger with checkout enables malicious PRs to execute code in the context of the base repository. PoC and patch available.

Github AI / ML Openlit Software Development Kit
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-27510 CRITICAL POC Act Now

Remote control vulnerability in Unitree Go2 robot dog firmware 1.1.7-1.1.11. The companion Android app allows remote attackers to take control of the robot. PoC available.

Android Python RCE SQLi Go2 Firmware
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-28215 CRITICAL POC Act Now

Unauthenticated infrastructure overwrite in Hoppscotch API development ecosystem before 2026.2.0. Attackers can overwrite the entire infrastructure configuration. PoC available.

Github Hoppscotch
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-27809 CRITICAL POC PATCH Act Now

Integer overflow in psd-tools Python library before 1.12.2 when processing malformed RLE-compressed PSD files leads to heap overflow. PoC and patch available.

Adobe Python Denial Of Service Psd Tools
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-50857 CRITICAL Act Now

Directory traversal in ZenTaoPMS v18.11 through v21.6.beta allows arbitrary code execution through /module/ai/control.php. EPSS 0.76%.

PHP Path Traversal AI / ML
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2026-27965 CRITICAL PATCH Act Now

Command injection in Vitess MySQL clustering system before 23.0.3/22.0.4. Users with read/write access to the backup store can achieve code execution. Patch available.

MySQL Vitess Suse
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-27975 CRITICAL PATCH Act Now

Unauthenticated remote code execution in Ajenti server admin panel before 2.2.13. Unauthenticated users can gain full server access. Patch available.

Linux Ajenti
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-28213 CRITICAL Act Now

Information disclosure in EverShop e-commerce platform before 2.1.1 through the Forgot Password functionality. API responses reveal sensitive information when invalid data is submitted.

Information Disclosure Evershop
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22207 CRITICAL Act Now

Broken access control in OpenViking through 0.1.18 allows unauthenticated attackers to gain full system access.

Authentication Bypass
NVD GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-27812 CRITICAL Act Now

Improper output encoding in Sub2API AI API gateway allows injection attacks. The platform distributes AI API quotas without properly encoding output.

XSS AI / ML Sub2api
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-27804 CRITICAL PATCH Act Now

Weak cryptographic algorithm in Parse Server before 8.6.3/9.1.1-alpha.4 allows attackers to bypass security mechanisms. Patch available.

Node.js Parse Server
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy