Skip to main content
CVE-2026-55255 HIGH POC KEV PATCH THREAT NEWS GHSA Act Now

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing the victim's flow UUID as the `model` value to the `/api/v1/responses` endpoint, exposing data the victim's flow processes and consuming their resources. The flaw is an Insecure Direct Object Reference (CWE-639) in the `get_flow_by_id_or_endpoint_name` helper, which skipped ownership checks on the UUID lookup path. Publicly available exploit code exists (a working curl PoC), and the input lists it as confirmed actively exploited (CISA KEV), though the SSVC exploitation status of 'poc' and a low 0.24% EPSS complicate that claim (see risk_assessment).

Python Authentication Bypass Information Disclosure Oracle
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.2%
Threat
4.7
CVE-2019-25756 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Vaccount
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2019-25755 HIGH POC This Week

Joomla Component vReview 1.9.11 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cmId parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Vreview
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2019-25754 HIGH POC This Week

Joomla Component vRestaurant 1.9.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keysearch. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Vrestaurant
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2019-25753 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Vmap
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2019-25752 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP SQLi Businessdirectory
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2019-25751 HIGH POC This Week

Joomla Component J-ClassifiedsManager 3.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Classifiedsmanager
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2019-25750 HIGH POC This Week

Joomla Component J-MultipleHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Multiplehotelreservation
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2017-20267 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Calendar Planner
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20266 HIGH POC This Week

Joomla SP Movie Database 1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the searchword. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Sp Movie Database
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20263 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Focalpoint Pro Free
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20262 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Ajax Quiz
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20261 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Bargain Product Vm3
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20260 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Price Alert
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20259 HIGH POC This Week

Joomla OSDownloads 1.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Osdownloads
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20258 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rpc
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20257 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Quiz Deluxe
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20256 HIGH POC This Week

Joomla Survey Force Deluxe 3.2.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the invite. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Survey Force Deluxe
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20255 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Jb Visa
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20254 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP User Bench
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20253 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi My Projects
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20252 HIGH POC This Week

Joomla NextGen Editor 2.1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the plname parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Nextgen Editor
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2019-25748 HIGH POC This Week

Joomla JHotelReservation 6.0.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the rooms parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20270 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20269 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20268 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20282 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20281 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20277 HIGH POC This Week

Joomla JoomRecipe 1.0.4 component contains a blind SQL injection vulnerability in the search_author parameter on the search results page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2017-20280 HIGH POC This Week

Joomla Component Myportfolio 3.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the pid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20279 HIGH POC This Week

Joomla Payage 2.05 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the aid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20278 HIGH POC This Week

Joomla Component JoomRecipe 1.0.3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the category parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20276 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20274 HIGH POC This Week

Joomla LMS King Professional 3.2.4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cp_id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20273 HIGH POC This Week

Joomla Event Registration Pro Calendar 4.1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20272 HIGH POC This Week

Joomla Ultimate Property Listing 1.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20271 HIGH POC This Week

Joomla StreetGuessr Game 1.1.8 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the catid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2017-20275 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2019-25758 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Vbizz
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.7%
CVE-2019-25762 HIGH POC This Week

Joomla!. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Joomproject
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2023-54357 HIGH POC This Week

Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Joomla Com Booking Component
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2025-71326 HIGH POC This Week

Local privilege escalation in Avast Antivirus 25.11 allows non-privileged Windows users to execute arbitrary code as SYSTEM by abusing an unquoted service path in the SecureLine service. Publicly available exploit code exists (Exploit-DB 52510), and the issue was reported by VulnCheck; no public exploit identified at time of analysis indicates wider active exploitation, but the low-complexity local vector makes this attractive for post-compromise escalation.

Code Injection Avast Antivirus
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2016-20090 HIGH POC This Week

Comodo Dragon Browser versions up to 52.15.25.663 contain a privilege escalation vulnerability in the DragonUpdater service due to an unquoted service path running with SYSTEM privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Privilege Escalation Dragon Browser
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2016-20089 HIGH POC This Week

Iperius Remote 1.7.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYSTEM privileges by exploiting the service installation path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Iperius Remote
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2020-37252 HIGH POC This Week

Realtek Audio Service 1.0.0.55 contains an unquoted service path vulnerability in RtkAudioService64.exe that allows local attackers to escalate privileges by injecting malicious code. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Realtek Audio Service
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2023-54353 HIGH POC This Week

Chromacam 4.0.3.0 contains an unquoted service path vulnerability in the PsyFrameGrabberService that allows local attackers to execute arbitrary code by placing malicious executables in unquoted path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Chromacam
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2020-37254 HIGH POC This Week

Wondershare PDFelement 5.2.9 contains a privilege escalation vulnerability due to an unquoted service path in the WsAppService Windows service. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation Pdfelement
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2019-25747 HIGH POC This Week

Network Inventory Advisor 5.0.26.0 installs the niaservice service with an unquoted binary path that allows local attackers to escalate privileges by placing malicious executables in intermediate. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Network Inventory Advisor
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2016-20094 HIGH POC This Week

AnyDesk 2.5.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with SYSTEM privileges by exploiting the service installation. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Anydesk
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2016-20093 HIGH POC This Week

Wise Care 365 4.27 and Wise Disk Cleaner 9.29 contain unquoted service path vulnerabilities in the WiseBootAssistant and SpyHunter 4 Service respectively, allowing local users to execute arbitrary. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Wisecleaner
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
0.1%
Page 1 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy