Vulnerabilities
Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.
| ID | Title | |
|---|---|---|
| CVE-2026-54601 |
|
Vulnerability in CVE-2026-54601 (CVE-2026-54601)
vulnerability in CVE-2026-54601 (CVE-2026-54601). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/core/dataset/collection/create/reTrainingCollection`.
|
| CVE-2026-43925 |
|
Vulnerability in CVE-2026-43925 (CVE-2026-43925)
vulnerability in CVE-2026-43925 (CVE-2026-43925). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-50281 |
|
Vulnerability in craftcms/cms (CVE-2026-50281)
vulnerability in craftcms/cms (CVE-2026-50281). Risk of unauthorized operations or information disclosure. Exploitable via ``newAttributes``. Mitigation: upgrade to `5.9.21` or later.
|
| CVE-2026-50160 |
|
Vulnerability in hoppscotch (CVE-2026-50160)
vulnerability in hoppscotch (CVE-2026-50160). Confidential information can be exposed externally. Exploitable via `POST /v1/onboarding/config`.
|
| CVE-2026-55223 |
|
Unsafe Deserialization in apache (CVE-2026-55223)
vulnerability in apache (CVE-2026-55223). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-48943 |
|
Vulnerability in c (CVE-2026-48943)
vulnerability in c (CVE-2026-48943). Risk of unauthorized operations or information disclosure. Exploitable via ``plg_user_k2``.
|
| CVE-2026-45687 |
|
Vulnerability in CVE-2026-45687 (CVE-2026-45687)
vulnerability in CVE-2026-45687 (CVE-2026-45687). Confidential information can be exposed externally. Mitigation: upgrade to `8.5.0` or later.
|
| CVE-2026-54515 |
|
Vulnerability in com.fasterxml.jackson.core:jackson-databind (CVE-2026-54515)
vulnerability in com.fasterxml.jackson.core:jackson-databind (CVE-2026-54515). Risk of unauthorized operations or information disclosure. Exploitable via ``contextual``. Mitigation: upgrade to `2.18.9` or later.
|
| CVE-2026-54516 |
|
Vulnerability in com.fasterxml.jackson.core:jackson-databind (CVE-2026-54516)
vulnerability in com.fasterxml.jackson.core:jackson-databind (CVE-2026-54516). Risk of unauthorized operations or information disclosure. Exploitable via ``MapperFeature.INFER_PROPERTY_MUTATORS``. Mitigation: upgrade to `3.1.4` or later.
|
| CVE-2026-55736 |
|
Vulnerability in privilege-escalation (CVE-2026-55736)
vulnerability in privilege-escalation (CVE-2026-55736). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-54351 |
|
Vulnerability in @budibase/server (CVE-2026-54351)
vulnerability in @budibase/server (CVE-2026-54351). Confidential information can be exposed externally. Exploitable via `POST /api/webhooks/trigger/`. Mitigation: upgrade to `3.39.9` or later.
|
| CVE-2026-56276 |
|
Vulnerability in CVE-2026-56276 (CVE-2026-56276)
vulnerability in CVE-2026-56276 (CVE-2026-56276). Risk of unauthorized operations or information disclosure. Exploitable via `PUT /api/v1/user`.
|
| CVE-2026-56142 |
|
Vulnerability in privilege-escalation (CVE-2026-56142)
vulnerability in privilege-escalation (CVE-2026-56142). Successful exploitation can lead to full system takeover.
|
| CVE-2026-42540 |
|
Vulnerability in CVE-2026-42540 (CVE-2026-42540)
vulnerability in CVE-2026-42540 (CVE-2026-42540). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-44495 |
|
Code Injection in axios (CVE-2026-44495)
code injection in axios (CVE-2026-44495). Confidential information can be exposed externally. Exploitable via ``Object.prototype.transformResponse``. Mitigation: upgrade to `1.15.0` or later.
|
| CVE-2026-44494 |
|
Vulnerability in axios (CVE-2026-44494)
vulnerability in axios (CVE-2026-44494). Confidential information can be exposed externally. Exploitable via `Authorization header`. Mitigation: upgrade to `1.15.0` or later.
|
| CVE-2026-48150 |
|
Vulnerability in @budibase/server (CVE-2026-48150)
vulnerability in @budibase/server (CVE-2026-48150). Confidential information can be exposed externally. Exploitable via `GET /api/global/self/api_key`. Mitigation: upgrade to `3.39.0` or later.
|
| CVE-2026-8327 |
|
Privilege Escalation in concrete5/concrete5 (CVE-2026-8327)
vulnerability in concrete5/concrete5 (CVE-2026-8327). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `9.5.1` or later.
|
| CVE-2026-47102 |
|
Authorization Flaw in litellm (CVE-2026-47102)
vulnerability in litellm (CVE-2026-47102). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `1.83.10` or later.
|
| CVE-2026-46625 |
|
Vulnerability in js-cookie (CVE-2026-46625)
vulnerability in js-cookie (CVE-2026-46625). Data can be tampered with by attackers. Exploitable via ``for...in``. Mitigation: upgrade to `3.0.7` or later.
|
| CVE-2026-46517 |
|
Code Injection in lmdeploy (CVE-2026-46517)
code injection in lmdeploy (CVE-2026-46517). Successful exploitation can lead to full system takeover. Exploitable via ``get_model_arch``.
|
| CVE-2026-6366 |
|
Vulnerability in drupal (CVE-2026-6366)
vulnerability in drupal (CVE-2026-6366). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `10.5.9, 10.6.7, 11.2.11, 11.3.7` or later.
|
| CVE-2026-46721 |
|
Vulnerability in evoweb/sf-register (CVE-2026-46721)
vulnerability in evoweb/sf-register (CVE-2026-46721). Risk of unauthorized operations or information disclosure. Exploitable via ``create``. Mitigation: upgrade to `13.2.4` or later.
|
| CVE-2026-45396 |
|
Vulnerability in open-webui (CVE-2026-45396)
vulnerability in open-webui (CVE-2026-45396). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/v1/evaluations/feedback`. Mitigation: upgrade to `0.9.0` or later.
|
| CVE-2026-45058 |
|
Vulnerability in electerm (CVE-2026-45058)
vulnerability in electerm (CVE-2026-45058). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-46480 |
|
Vulnerability in flowise (CVE-2026-46480)
vulnerability in flowise (CVE-2026-46480). Successful exploitation can lead to full system takeover. Exploitable via `PUT /api/v1/evaluators/`. Mitigation: upgrade to `3.1.2` or later.
|
| CVE-2026-46479 |
|
Vulnerability in flowise (CVE-2026-46479)
vulnerability in flowise (CVE-2026-46479). Successful exploitation can lead to full system takeover. Exploitable via `PUT /api/v1/evaluations/`. Mitigation: upgrade to `3.1.2` or later.
|
| CVE-2026-46478 |
|
Vulnerability in flowise (CVE-2026-46478)
vulnerability in flowise (CVE-2026-46478). Successful exploitation can lead to full system takeover. Exploitable via `PUT /api/v1/datasetrows/`. Mitigation: upgrade to `3.1.2` or later.
|
| CVE-2026-46477 |
|
Vulnerability in flowise (CVE-2026-46477)
vulnerability in flowise (CVE-2026-46477). Successful exploitation can lead to full system takeover. Exploitable via `PUT /api/v1/datasets/`. Mitigation: upgrade to `3.1.2` or later.
|
| CVE-2026-46476 |
|
Vulnerability in flowise (CVE-2026-46476)
vulnerability in flowise (CVE-2026-46476). Successful exploitation can lead to full system takeover. Exploitable via `PUT /api/v1/customtemplates/`. Mitigation: upgrade to `3.1.2` or later.
|
| CVE-2026-46475 |
|
Vulnerability in flowise (CVE-2026-46475)
vulnerability in flowise (CVE-2026-46475). Successful exploitation can lead to full system takeover. Exploitable via `PUT /api/v1/assistants/`. Mitigation: upgrade to `3.1.2` or later.
|
| CVE-2026-46441 |
|
Vulnerability in flowise (CVE-2026-46441)
vulnerability in flowise (CVE-2026-46441). Confidential information can be exposed externally. Exploitable via `PUT /api/v1/assistants/{assistantId}`. Mitigation: upgrade to `3.1.2` or later.
|
| CVE-2026-42863 |
|
Vulnerability in flowise (CVE-2026-42863)
vulnerability in flowise (CVE-2026-42863). Confidential information can be exposed externally. Exploitable via `PUT /api/v1/chatflows/{chatflowId}`. Mitigation: upgrade to `3.1.2` or later.
|
| CVE-2026-42862 |
|
Vulnerability in flowise (CVE-2026-42862)
vulnerability in flowise (CVE-2026-42862). Risk of unauthorized operations or information disclosure. Exploitable via `PUT /api/v1/tools/{toolId}`. Mitigation: upgrade to `3.1.2` or later.
|
| CVE-2026-42861 |
|
Vulnerability in flowise (CVE-2026-42861)
vulnerability in flowise (CVE-2026-42861). Confidential information can be exposed externally. Exploitable via `PUT /api/v1/variables/{variableId}`. Mitigation: upgrade to `3.1.2` or later.
|
| CVE-2026-45229 |
|
Vulnerability in CVE-2026-45229 (CVE-2026-45229)
vulnerability in CVE-2026-45229 (CVE-2026-45229). Successful exploitation can lead to full system takeover. Exploitable via `POST /update`.
|
| CVE-2026-44635 |
|
Vulnerability in kysely (CVE-2026-44635)
vulnerability in kysely (CVE-2026-44635). Confidential information can be exposed externally. Exploitable via ``DefaultQueryCompiler.visitJSONPathLeg``. Mitigation: upgrade to `0.28.17` or later.
|
| CVE-2026-31252 |
|
Code Injection in deserialization (CVE-2026-31252)
code injection in deserialization (CVE-2026-31252). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-31251 |
|
Vulnerability in deserialization (CVE-2026-31251)
vulnerability in deserialization (CVE-2026-31251). Risk of unauthorized operations or information disclosure.
|
| CVE-2025-69690 |
|
Unsafe Deserialization in deserialization (CVE-2025-69690)
vulnerability in deserialization (CVE-2025-69690). Successful exploitation can lead to full system takeover.
|
| CVE-2025-69691 |
|
Vulnerability in pfsense (CVE-2025-69691)
vulnerability in pfsense (CVE-2025-69691). Successful exploitation can lead to full system takeover.
|
| CVE-2026-42264 |
|
Vulnerability in axios (CVE-2026-42264)
vulnerability in axios (CVE-2026-42264). Confidential information can be exposed externally. Exploitable via ``hasOwnProperty``. Mitigation: upgrade to `1.15.2` or later.
|
| CVE-2026-41139 |
|
Vulnerability in mathjs (CVE-2026-41139)
vulnerability in mathjs (CVE-2026-41139). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `15.2.0` or later.
|
| CVE-2026-33453 |
|
Vulnerability in apache (CVE-2026-33453)
vulnerability in apache (CVE-2026-33453). Successful exploitation can lead to full system takeover.
|
| CVE-2026-42041 |
|
Authentication Bypass in axios (CVE-2026-42041)
authentication bypass in axios (CVE-2026-42041). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `1.15.1` or later.
|
| CVE-2026-42044 |
|
Vulnerability in privilege-escalation (CVE-2026-42044)
vulnerability in privilege-escalation (CVE-2026-42044). Data can be tampered with by attackers. Mitigation: upgrade to `1.15.2` or later.
|
| CVE-2026-42033 |
|
Vulnerability in axios (CVE-2026-42033)
vulnerability in axios (CVE-2026-42033). Confidential information can be exposed externally. Mitigation: upgrade to `1.15.1` or later.
|
| CVE-2026-40897 |
|
Vulnerability in mathjs (CVE-2026-40897)
vulnerability in mathjs (CVE-2026-40897). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `15.2.0` or later.
|
| CVE-2026-40175 |
|
Vulnerability in axios (CVE-2026-40175)
vulnerability in axios (CVE-2026-40175). Risk of unauthorized operations or information disclosure. Exploitable via `GET /pings`. Mitigation: upgrade to `0.31.0` or later.
|
| CVE-2026-33228 |
|
Vulnerability in webreflection (CVE-2026-33228)
vulnerability in webreflection (CVE-2026-33228). Successful exploitation can lead to full system takeover.
|