|
511
|
9.6 |
CRITICAL
Network
|
n8n
|
n8n
|
n8n before version 2.4.0 contains a sql injection vulnerability in MySQL, PostgreSQL, and Microsoft SQL nodes that allows authenticated users to inject arbitrary SQL through unescaped identifier valu…
New
|
CWE-89
SQL Injection
|
CVE-2026-56351
|
2026-06-26 11:01 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
512
|
4.1 |
MEDIUM
Local
|
flowiseai
|
flowise
|
Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately …
New
|
CWE-916
Use of Password Hash With Insufficient Computational Effort
|
CVE-2026-56272
|
2026-06-26 11:01 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
513
|
7.5 |
HIGH
Network
|
flowiseai
|
flowise
|
Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that allows unauthenticated users to retrieve an organization's …
New
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-56270
|
2026-06-26 11:01 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
514
|
4.6 |
MEDIUM
Local
|
flowiseai
|
flowise
|
Flowise before 3.1.0 (npm package flowise, versions 3.0.13 and earlier) uses a weak hardcoded default value 'Secre$t' for the TOKEN_HASH_SECRET environment variable in packages/server/src/enterprise/…
New
|
CWE-798
Use of Hard-coded Credentials
|
CVE-2026-56269
|
2026-06-26 11:01 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
515
|
6.5 |
MEDIUM
Network
|
kidocode
|
crawl4ai
|
Crawl4AI before 0.8.7 contains an authentication bypass vulnerability in the monitor router endpoints that allows unauthenticated attackers to access destructive operations. Remote attackers can invo…
New
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-56262
|
2026-06-26 11:00 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
516
|
8.8 |
HIGH
Network
|
flowiseai
|
flowise
|
Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON impor…
New
|
CWE-89
SQL Injection
|
CVE-2025-71332
|
2026-06-26 10:59 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
517
|
8.8 |
HIGH
Network
|
-
|
-
|
Subscriber PHP Object Injection in EventPrime <= 4.3.4.1 versions.
New
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-56053
|
2026-06-26 09:16 |
2026-06-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
518
|
7.1 |
HIGH
Network
|
-
|
-
|
Unauthenticated Cross Site Scripting (XSS) in Master Slider <= 3.11.2 versions.
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-56014
|
2026-06-26 09:16 |
2026-06-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
519
|
8.1 |
HIGH
Network
|
-
|
-
|
Unauthenticated Local File Inclusion in MDTF <= 1.3.8 versions.
New
|
CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
|
CVE-2026-54845
|
2026-06-26 09:16 |
2026-06-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
520
|
9.3 |
CRITICAL
Network
|
-
|
-
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YMC Filter allows SQL Injection.
This issue affects YMC Filter: from n/a through 3.11.5.
New
|
CWE-89
SQL Injection
|
CVE-2026-54836
|
2026-06-26 09:16 |
2026-06-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
