| # | CVSS | Severity | Vector | Description | Status | CWE | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|---|
| 181 | - | - | - | Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the… | New | CWE-73: External Control of File Name or Path | CVE-2025-71333 | 2026-06-27 01:19 | 2026-06-26 |
| 182 | 9.8 | CRITICAL | Network | Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missing validation that the chatflowId and chatId parameters are UUIDs or numbers in … | New | CWE-73: External Control of File Name or Path | CVE-2025-71334 | 2026-06-27 01:19 | 2026-06-26 |
| 183 | 8.1 | HIGH | Network | Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active sessi… | New | CWE-613: Insufficient Session Expiration | CVE-2025-71335 | 2026-06-27 01:19 | 2026-06-26 |
| 184 | 9.8 | CRITICAL | Network | Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which is designed to execute OS commands such… | New | CWE-78: OS Command Injection | CVE-2025-71336 | 2026-06-27 01:19 | 2026-06-26 |
| 185 | 10.0 | CRITICAL | Network | Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can e… | New | CWE-73: External Control of File Name or Path | CVE-2025-71338 | 2026-06-27 01:19 | 2026-06-26 |
| 186 | 8.1 | HIGH | Network | A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forg… | New | CWE-347: Improper Verification of Cryptographic Signature | CVE-2026-11800 | 2026-06-27 01:19 | 2026-06-26 |
| 187 | 8.5 | HIGH | Network | A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An at… | New | CWE-611: Improper Restriction of XML External Entity Reference (XXE) | CVE-2026-12975 | 2026-06-27 01:19 | 2026-06-26 |
| 188 | 7.4 | HIGH | Network | A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker … | New | CWE-918: Server-Side Request Forgery (SSRF) | CVE-2026-12992 | 2026-06-27 01:19 | 2026-06-26 |
| 189 | 6.5 | MEDIUM | Network | A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An at… | New | CWE-776: XML Entity Expansion | CVE-2026-12993 | 2026-06-27 01:19 | 2026-06-26 |
| 190 | 6.9 | MEDIUM | Network | A flaw was found in the Pen Drive report generator. Cluster-sourced data is rendered into HTML reports without proper escaping or sanitization. An attacker with cluster administrator privileges can i… | New | CWE-79: Cross-site Scripting (XSS) | CVE-2026-13083 | 2026-06-27 01:19 | 2026-06-26 |