CVE search
367,074 resultsCVE-2026-54021MEDIUMOpen WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameterEPSS 0.2%CVE-2026-54022MEDIUMOpen WebUI: Any authenticated user can read other users' private notes via Socket.IOEPSS 0.3%CVE-2026-48520MEDIUMLangflow: Unauthenticated Shareable Playground arbitrary local or S3 file readEPSS 0.3%CVE-2026-33760HIGHLangflow: IDOR/BOLA in Monitor API — Missing Ownership Enforcement on 7 EndpointsEPSS 0.3%CVE-2026-42867MEDIUMLangflow: Path Traversal in Knowledge Bases API via Creation EndpointEPSS 0.3%CVE-2026-55255HIGHLangflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's FlowEPSS 0.6%CVE-2026-55423MEDIUMLangflow: Logout button does not clear sessionEPSS 0.2%CVE-2026-55446HIGHLangflow: Unauthenticated DoS through multipart form boundary file uploadEPSS 0.3%CVE-2026-48519CRITICALLangflow: Unauthenticated RCE in Shareable PlaygroundsEPSS 0.7%CVE-2026-55447CRITICALLangflow: BaseFileComponent-based nodes arbitrary file read with RCE exploitEPSS 0.4%CVE-2026-56968LOWGNU SASL before 2.2.4 lacks sanitization of a short challenge in _gsasl_ntlm_client_step in the NTLM client, which could result in memory diEPSS 0.2%CVE-2026-55450CRITICALLangflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leakEPSS 0.3%CVE-2026-34913MEDIUMA missing access control check when linking trackers to campaigns through the campaign-trackers.php script of Revive Adserver 6.0.6 and earlEPSS 0.2%CVE-2026-34917MEDIUMLow‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restrictEPSS 0.3%CVE-2026-44956NONELow‑privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system‑generated emails, whose cEPSS 0.3%CVE-2026-34916HIGHA missing validation of user input when saving delivery limitations in Revive Adserver 6.0.6 and earlier could allow a low‑privileged user tEPSS 0.5%CVE-2026-34914HIGHA missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier. A low‑privileged user could exploiEPSS 0.3%CVE-2026-44958MEDIUMAn access control bypass allows an advertiser‑level user to activate or deactivate a banner in Revive Adserver 6.0.6 and earlier, even when EPSS 0.3%CVE-2026-44961NONEThe XML‑RPC API addUser method has a validation bypass introduced in the fix for CVE‑2025‑55129. As a result, API users could create usernamEPSS 0.3%CVE-2026-44960NONEA stored XSS can be exploited by leveraging the usernames as an attack vector. When an admin user viewed the audit log details for affected EPSS 0.3%