Skip to main content
CVE-2026-6376 HIGH CISA Act Now

A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user who can obtain or guess those basic inputs. The issue arises from improper access control on a sensitive data retrieval function.

Information Disclosure Authentication Bypass Online Booking System
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-6375 HIGH CISA Act Now

A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.

Authentication Bypass Online Booking System
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-70994 HIGH CISA Act Now

Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmission, allowing for complete unauthorized vehicle operation via a replay attack.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-40623 HIGH CISA Act Now

Unauthorized configuration tampering in SenseLive X3050 web management interface allows authenticated attackers to set critical system parameters (IP addressing, watchdog timers, reconnect intervals, service ports) to unsafe values, causing persistent device unavailability or operational instability. CISA ICS-CERT advisory confirms impact on industrial control systems. Network-accessible with low complexity (AV:N/AC:L) but requires low-privilege authentication (PR:L). High integrity and availability impact (VI:H/VA:H) with zero confidentiality impact. No public exploit identified at time of analysis.

Authentication Bypass X3050
NVD GitHub
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-41247 HIGH PATCH GHSA This Week

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg (background color) parameter is accepted from user input and passed through image resize/rotate processing. In configurations that use the ImageMagick CLI backend, this value is incorporated into shell command strings without sufficient escaping. An attacker able to invoke the resize command with a crafted bg value may achieve arbitrary command execution as the web server process user. This vulnerability is fixed in 2.1.67.

Command Injection Elfinder
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.4%
CVE-2026-41138 HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user’s input is directly applied to the question parameter within the prompt template and it is reflected to the Python code without any sanitization. This vulnerability is fixed in 3.1.0.

Python Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-41900 HIGH PATCH GHSA This Week

A critical Remote Code Execution (RCE) vulnerability was identified in the OpenLearnX code execution environment, allowing sandbox escape and arbitrary command execution. The issue has been fixed.

Command Injection RCE
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-41208 HIGH PATCH GHSA This Week

Command injection in Paperclip @paperclipai/server (versions <2026.416.0) allows authenticated agents to execute arbitrary OS commands on the server host. Attackers with Agent API credentials can escalate from agent runtime to full server host control by injecting malicious shell commands through the adapterConfig.workspaceStrategy.provisionCommand field during workspace provisioning. CVSS 8.8 (high) with network-accessible attack vector and low complexity. Vendor patch available in version 2026.416.0. No public exploit or CISA KEV listing identified at time of analysis, but the vulnerability breaks critical trust boundaries in multi-agent AI orchestration systems.

Node.js Command Injection Privilege Escalation RCE
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-33318 HIGH PATCH GHSA This Week

{ const session = validateSession(req, res); // only checks token validity if (!session) return; const { error } = changePassword(req.body.password); // no isAdmin() check ``` **`packages/sync-server/src/accounts/password.js:113-125`** - `changePassword()` updates the hash with no current-password confirmation: ```js export function changePassword(newPassword) { accountDb.mutate("UPDATE auth SET extra_data = ? WHERE method = 'password'", [hashed]); } ``` **`packages/sync-server/src/accounts/password.js:56-62`** - `loginWithPassword()` always authenticates as the user with `user_name = ''`, which is created by the multiuser migration with `role = 'ADMIN'`: ```js const sessionRow = accountDb.first( 'SELECT * FROM sessions WHERE auth_method = ?', ['password'] ); ``` **`packages/sync-server/src/account-db.js:56-63`** - a client can force the `password` login method regardless of server configuration by sending `loginMethod` in the request body: ```js if (req.body.loginMethod && config.get('allowedLoginMethods').includes(req.body.loginMethod)) { return req.body.loginMethod; } ``` When a server is migrated from password → OpenID via `enableOpenID()`, the password row is set to `active = 0` but **never deleted**, leaving it available for exploitation. --- **Prerequisites:** Server originally bootstrapped with password auth, then switched to OpenID. Default `allowedLoginMethods` configuration (includes `password`). Attacker has any valid OpenID session token (any role). ```bash curl -s -X POST https://<host>/account/change-password \ -H "Content-Type: application/json" \ -H "X-Actual-Token: <any_valid_session_token>" \ -d '{"password": "attacker123"}' curl -s -X POST https://<host>/account/login \ -H "Content-Type: application/json" \ -d '{"loginMethod": "password", "password": "attacker123"}' ``` The returned token belongs to the `user_name = ''` admin account (created by `1719409568000-multiuser.js`). Verify admin access: ```bash curl -s https://<host>/account/validate \ -H "X-Actual-Token: <admin_token>" ``` --- **Privilege escalation** - any authenticated user can gain full `ADMIN` access on affected deployments. An ADMIN can manage all users, access all budget files regardless of ownership, modify file access controls, and change server configuration. Affected deployments: multi-user servers running OpenID Connect that were previously configured with password authentication. Servers bootstrapped exclusively with OpenID from initial setup are not affected (no password row exists in the `auth` table). --- **1. Restrict `POST /account/change-password` to password-authenticated sessions only** (`packages/sync-server/src/app-account.js`) The endpoint should reject requests from sessions that were authenticated via OpenID. The active auth method can be checked against the session's `auth_method` field or by querying the `auth` table for the currently active method. If the server is running in OpenID mode, this endpoint should return `403 Forbidden`. **2. Require current-password confirmation before accepting a new password** (`packages/sync-server/src/accounts/password.js`) `changePassword()` should accept the current password as a parameter and verify it against the stored hash before applying the update. This prevents any session (even a legitimate password session) from silently overwriting the credential without proving possession of the existing one. **3. Enforce `active` status and remove client control over login method selection** (`packages/sync-server/src/account-db.js` - `getLoginMethod()`) Two issues exist in `getLoginMethod()`: (a) a client can supply `loginMethod` in the request body to select any method listed in `allowedLoginMethods`, regardless of whether it is currently active on the server; (b) the function does not check the `active` column, so an administratively disabled method (e.g. `password` after migrating to OpenID) remains accessible. The fix is to determine the permitted method server-side from `WHERE active = 1` in the `auth` table and ignore any client-supplied `loginMethod` override entirely. Servers intentionally running both methods simultaneously can be supported by allowing multiple `active = 1` rows rather than relying on client input. **4. Immediate mitigation for existing deployments (OpenID-only servers)** Administrators who have fully migrated to OpenID and do not need password auth can remove the orphaned row: ```sql DELETE FROM auth WHERE method = 'password'; ``` Missing authorization on POST /change-password - allows overwriting a password hash, but only matters if there is an orphaned row to target. Orphaned password row persisting after migration - provides the target row, but is harmless without the ability to authenticate using it. Client-controlled loginMethod: "password" - allows forcing password-based auth, but is useless without a known hash established by step 1. All three must be chained in sequence to achieve the impact. No single weakness independently results in privilege escalation, which under CVE CNA rule 4.1.2 means they should not each be treated as standalone vulnerabilities. The single root cause is the missing authorization check on /change-password; the other two are preconditions that make it exploitable. A single CVE reflecting that root cause is the appropriate representation - splitting them would falsely imply each carries independent risk.

Authentication Bypass Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-35225 HIGH PATCH This Week

An unauthenticated remote attacker is able to exhaust all available TCP connections in the CODESYS EtherNet/IP adapter stack, preventing legitimate clients from establishing new connections.

Information Disclosure Codesys Ethernetip
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41349 HIGH PATCH This Week

OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-40062 HIGH This Week

Remote unauthenticated attackers can access sensitive operating system files in Ziostation2 medical imaging software v2.9.8.7 and earlier via path traversal, achieving high confidentiality impact. The vulnerability requires no authentication, low attack complexity, and no user interaction (CVSS:4.0 AV:N/AC:L/PR:N/UI:N), making it easily exploitable from the network. While not currently listed in CISA KEV and lacking public exploit code at time of analysis, the trivial exploitation conditions and exposure of medical system data present significant risk to healthcare organizations using affected versions.

Path Traversal Ziostation2
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41040 HIGH This Week

Remote denial of service via regular expression attack in GROWI allows unauthenticated network attackers to exhaust server resources by submitting maliciously crafted input strings that trigger catastrophic backtracking in regex processing (CWE-1333). GROWI, Inc.'s collaboration platform is vulnerable to ReDoS with a CVSS 4.0 base score of 8.7 (High), reflecting high availability impact through network-accessible, low-complexity exploitation requiring no privileges or user interaction. No CISA KEV listing or public exploit code identified at time of analysis, though vendor advisory confirms the vulnerability and provides remediation guidance.

Denial Of Service Growi
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-41278 HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released v3.0.13 Docker image. Both public-chatflows AND public-chatbotConfig return completely raw flowData including credential IDs, plaintext API keys, and password-type fields. This vulnerability is fixed in 3.1.0.

Docker Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-41241 HIGH PATCH GHSA This Week

pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields (which includes any registered user whose display name is looked up by an administrator) could include HTML or JavaScript that would execute in an organiser's browser when the organiser's search query matched the malicious record. This vulnerability is fixed in 2026.1.0.

XSS Pretalx
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-6903 HIGH PATCH This Week

Path traversal in Zurich Instruments LabOne Web Server allows unauthenticated remote attackers to read arbitrary files accessible to the LabOne process. The vulnerability combines insufficient input validation (CWE-22) with missing CORS restrictions, enabling direct exploitation or browser-based attacks via malicious websites. EPSS data not available, but the network-accessible unauthenticated attack vector (AV:N/PR:N/UI:N) combined with vendor-confirmed patch indicates active vendor response to a readily exploitable information disclosure flaw. Exploitation limited to installations running the Web Server component; API-only deployments are unaffected.

Path Traversal Labone
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-26150 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.

Microsoft SSRF
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-41200 HIGH PATCH This Week

Reflected Cross-Site Scripting in STIG Manager 1.5.10 through 1.6.7 enables arbitrary JavaScript execution during OIDC authentication error handling. Attackers crafting malicious redirect URLs can exploit unsanitized error parameters written directly to DOM via innerHTML. When victims with active sessions follow these links, injected code executes in application context with access to SharedWorker-managed authentication tokens, enabling authenticated API requests to read and modify STIG assessment collection data. CVSS 8.5 reflects high confidentiality and integrity impact despite requiring user interaction. No public exploit identified at time of analysis; vendor-released patch available in version 1.6.8.

XSS Stig Manager
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-41230 HIGH PATCH GHSA This Week

DNS zone file injection in Froxlor versions prior to 2.3.6 allows authenticated customers to inject arbitrary BIND directives and DNS records through unvalidated record types and unsanitized newline characters. Attackers with low-privilege customer accounts can manipulate DNS resolution for managed domains by embedding malicious directives like $INCLUDE, $ORIGIN, or $GENERATE into zone files, potentially redirecting traffic, creating unauthorized records, or disrupting DNS services. CVSS 8.5 with scope change indicates impact beyond the vulnerable component. Vendor patch released in version 2.3.6 (GitHub commit 47a8af5d). No CISA KEV listing or public exploit identified at time of analysis, but attack complexity is low (AC:L) for authenticated users.

Authentication Bypass Froxlor
NVD GitHub VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-41336 HIGH PATCH This Week

OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted default-on bundled hooks from untrusted workspaces to execute arbitrary code.

RCE Openclaw
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-41211 HIGH PATCH GHSA This Week

Path traversal in Vite+ downloadPackageManager() allows local attackers to write or delete arbitrary files outside the intended cache directory. The vulnerability affects Vite+ versions before 0.1.17 and stems from inadequate input validation on the version parameter, enabling directory traversal via '../' sequences or absolute paths. Attackers with local access can manipulate filesystem operations to compromise system integrity and availability (CVSS 8.4, VI:H/VA:H). No public exploit identified at time of analysis, but exploitation requires minimal technical complexity (AC:L) and no authentication (PR:N). Vendor-released patch available in version 0.1.17.

Path Traversal Vite Plus
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-32679 HIGH This Week

DLL hijacking in LiveOn Meet Client and Canon Network Camera Plugin installers allows local attackers to execute arbitrary code with installer privileges when users run vulnerable installer executables from directories containing malicious DLLs. The flaw affects four installer executables (Downloader5Installer.exe, Downloader5InstallerForAdmin.exe, CanonNWCamPlugin.exe, CanonNWCamPluginForAdmin.exe) version 1.0.0.0. No public exploit identified at time of analysis, though the attack technique is well-documented. CVSS 8.4 (High) reflects significant impact contingent on user interaction and attacker's ability to place malicious files in the installer directory before execution - real-world risk depends heavily on organizational download practices and endpoint controls preventing untrusted DLL placement.

Information Disclosure Microsoft
NVD VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-6921 HIGH PATCH This Week

Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)

Race Condition Information Disclosure Microsoft Google Chrome
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-41271 HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration. This vulnerability is fixed in 3.1.0.

SSRF Flowise Flowise Components
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-41259 HIGH PATCH This Week

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.

Information Disclosure Mastodon
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-41279 HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential (e.g., OpenAI or ElevenLabs API key) and generate speech. This vulnerability is fixed in 3.1.0.

Authentication Bypass Flowise
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-28525 HIGH PATCH This Week

SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read that writes data beyond the allocated receive buffer to a local IPC socket.

Integer Overflow Denial Of Service Swupdate
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-41246 HIGH PATCH GHSA This Week

Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in spec.routes[].cookieRewritePolicies[].pathRewrite.value or spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value that results in arbitrary code execution in the Envoy proxy. The cookie rewriting feature is internally implemented using Envoy's HTTP Lua filter. User-controlled values are interpolated into Lua source code using Go text/template without sufficient sanitization. The injected code only executes when processing traffic on the attacker's own route, which they already control. However, since Envoy runs as shared infrastructure, the injected code can also read Envoy's xDS client credentials from the filesystem or cause denial of service for other tenants sharing the Envoy instance. This vulnerability is fixed in v1.33.4, v1.32.5, and v1.31.6.

Kubernetes Denial Of Service Code Injection RCE Contour
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-41267 HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata, timestamps, organization association, and role mappings, breaking trust boundaries in a multi-tenant environment. This vulnerability is fixed in 3.1.0.

Authentication Bypass Flowise
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-32172 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network.

Microsoft Authentication Bypass
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-31532 HIGH PATCH This Week

Use-after-free in Linux kernel CAN raw socket implementation allows local authenticated attackers to corrupt memory and potentially achieve code execution. The vulnerability stems from premature deallocation of percpu uniq storage in raw_release() while raw_rcv() may still access it via deferred RCU callbacks. Patches available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS exploitation probability remains low (0.02%, 5th percentile) with no active exploitation confirmed at time of analysis.

Information Disclosure Linux Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34001 HIGH PATCH This Week

A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially enabling memory corruption. This could result in a denial of service or further compromise of the system.

Buffer Overflow Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34003 HIGH PATCH This Week

A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to crash, leading to a Denial of Service (DoS). In certain configurations, higher impact outcomes may be possible.

Buffer Overflow Information Disclosure Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-33999 HIGH PATCH This Week

A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local or remote X11 server access to trigger a buffer read overrun. This can lead to memory-safety violations and potentially a denial of service (DoS) or other severe impacts.

Integer Overflow Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-41352 HIGH PATCH This Week

OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute arbitrary node commands on the host system without proper node pairing validation.

Authentication Bypass RCE Openclaw
NVD GitHub
CVSS 4.0
7.7
EPSS
0.4%
CVE-2026-41276 HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the resetPassword method of the AccountService class. There is no check performed to ensure that a password reset token has actually been generated for a user account. By default the value of the reset token stored in a users account is null, or an empty string if they've reset their password before. An attacker with knowledge of the user's email address can submit a request to the "/api/v1/account/reset-password" endpoint containing a null or empty string reset token value and reset that user's password to a value of their choosing. This vulnerability is fixed in 3.1.0.

Authentication Bypass Flowise
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-41273 HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth credential identifiers, which can then be used to refresh and obtain valid OAuth 2.0 access tokens without authentication. This vulnerability is fixed in 3.1.0.

Authentication Bypass Flowise
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-41266 HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more. This vulnerability is fixed in 3.1.0.

Information Disclosure Flowise
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-41205 HIGH PATCH GHSA This Week

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11.

Python Path Traversal
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-40886 HIGH PATCH GHSA This Week

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() function causes a controller-wide panic when a workflow pod carries a malformed workflows.argoproj.io/pod-gc-strategy annotation. Because the panic occurs inside an informer goroutine (outside the controller's recover() scope), it crashes the entire controller process. The poisoned pod persists across restarts, causing a crash loop that halts all workflow processing until the pod is manually deleted. This vulnerability is fixed in 4.0.5 and 3.7.14.

Kubernetes Denial Of Service Argo Workflows
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-41277 HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal state fields of DocumentStore entities. Because the service uses repository.save() with a client-supplied primary key, the POST create endpoint behaves as an implicit UPSERT operation. This enables overwriting existing DocumentStore objects. In multi-workspace or multi-tenant deployments, this can lead to cross-workspace object takeover and broken object-level authorization (IDOR), allowing an attacker to reassign or modify DocumentStore objects belonging to other workspaces. This vulnerability is fixed in 3.1.0.

Authentication Bypass Flowise
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-41353 HIGH PATCH This Week

OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attackers can exploit this by manipulating browser proxy profiles at runtime to access restricted profiles and bypass intended access controls.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-34587 HIGH PATCH GHSA This Week

{{ query }}` or `{< query >}` that are then evaluated to a static value. Because the queries are defined in the blueprint, they can be trusted and cannot be controlled by attackers. However, dynamic options can often not be trusted. This is why the "options from query" and "options from API" modes are intended to resolve the option values and text strings based on queries not defined within the data source but within the blueprint. Unfortunately, the results of these trusted queries on untrusted source data are run through the query parser a second time in affected Kirby releases. Because of the double-resolution of dynamic option values and text strings, attackers could place malicious query templates such as `{{ users.first.password }}` or `{{ page.delete }}` in the option sources such as page titles or external API data controlled by the attacker. These queries would then be executed when the field is loaded in the Panel. When the attacker directly accesses the respective Panel view, they could get access to information normally hidden from them. As the malicious query templates are loaded for all users, it could also lead to malicious write access when another user with a higher permission level accesses the manipulated Panel view. The problem has been patched in [Kirby 4.9.0](https://github.com/getkirby/kirby/releases/tag/4.9.0) and [Kirby 5.4.0](https://github.com/getkirby/kirby/releases/tag/5.4.0). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability. In all of the mentioned releases, Kirby has updated the `Options` logic to no longer double-resolve queries in option values coming from `OptionsQuery` or `OptionsApi` sources. Kirby now only resolves queries that are directly configured in the blueprints. Kirby thanks to @offset for responsibly reporting the identified issue.

Ssti RCE
NVD GitHub
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-41231 HIGH PATCH GHSA This Week

Symlink-based privilege escalation in Froxlor versions prior to 2.3.6 allows authenticated customers to gain ownership of arbitrary system directories. When the ExportCron executes as root, it performs 'chown -R' on user-controlled export paths that bypass symlink validation (introduced to fix CVE-2023-6069), enabling attackers to place symbolic links and hijack ownership of critical system files. This is a regression of the CVE-2023-6069 fix where DataDump.add() failed to apply the same symlink protections used elsewhere. EPSS data unavailable; no evidence of active exploitation (not in CISA KEV), but the specific vulnerability class (symlink following in privileged operations) has well-known exploitation patterns. Patch available in version 2.3.6.

Authentication Bypass Froxlor
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41275 HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This behavior introduces the risk of a man-in-the-middle (MITM) attack, where an attacker on the same network as the user (e.g., public Wi-Fi) can intercept the reset link and gain unauthorized access to the victim’s account. This vulnerability is fixed in 3.1.0.

Authentication Bypass Flowise
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-41180 HIGH PATCH GHSA This Week

Path traversal in PsiTransfer versions before 2.4.3 enables remote code execution through malicious file uploads. An attacker exploits URL encoding inconsistencies in the upload validation flow to write attacker-controlled JavaScript configuration files outside the intended upload directory. When the application restarts, these injected config files execute with application privileges, granting the attacker persistent code execution. Vendor patch released in v2.4.3 addresses the encoding mismatch between validation and file-write operations. CVSS 7.5 reflects high attack complexity and required user interaction, limiting immediate mass exploitation risk despite the severe RCE impact.

Path Traversal Psitransfer
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41564 HIGH PATCH This Week

PRNG state reuse across forked processes in CryptX for Perl allows remote attackers to recover private signing keys through cryptographic nonce-reuse attacks. When Crypt::PK objects are created before fork() in preforking web servers like Starman, every child process inherits identical PRNG state, causing duplicate randomness in cryptographic operations. Two ECDSA or DSA signatures generated by different worker processes are sufficient to mathematically recover the private key. EPSS exploitation probability is low (0.02%), but CISA SSVC framework confirms proof-of-concept availability and automatable exploitation. Vendor patch released in CryptX 0.088.

Information Disclosure Cryptx
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-6732 HIGH PATCH This Week

A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.

Memory Corruption Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +4
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33694 HIGH POC This Week

This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates arbitrary code execution, whereby an attacker may exploit the vulnerability to execute malicious code with elevated SYSTEM privileges.

RCE Tenable Nessus Tenable Nessus Agent
NVD VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-41342 HIGH PATCH GHSA This Week

OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Attackers can spoof discovery endpoints to redirect onboarding toward malicious gateways and capture gateway credentials or traffic.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy