
CVE Vulnerabilities - 16 April 2026


962 vulnerabilities published on 16 April 2026

Flowise GraphCypherQAChain Allows Neo4j Database Tampering
GHSA-28g4-38q8-3cwc
Flowise's GraphCypherQAChain node allows attackers to inject malicious commands into the Neo4j database connected to the chatflow, potentially leading to data exfiltration, modification, or...
9.4
Flowise: Password Reset Link Sent Over Unsecured Connection
GHSA-x5w6-38gp-mrqh
Flowise's password reset links are sent over an insecure internet connection, making it possible for someone on the same network to intercept the link and access your account. This is a security risk,...
9.4
Flowise: Malicious code can run on authenticated accounts
GHSA-9wc7-mj3f-74xv
An attacker with an authenticated account can execute arbitrary system commands on the server, allowing them to access sensitive information. This can happen if a malicious user provides custom code t...
9.4
Flowise: Authenticated Code Execution through CSV Import
GHSA-9wc7-mj3f-74xv
An attacker can execute arbitrary code on the Flowise server by importing a malicious CSV file, even when authenticated. To fix this, update the CSVAgent code to sanitize user input and prevent code e...
9.4
Dgraph Database Exposes Admin Token to Unauthenticated Users
CVE-2026-40173 GHSA-95mq-xwj4-r47p
Dgraph database versions 25.3.1 and earlier expose an admin token to anyone who can access the database's debug endpoint. This allows anyone to access sensitive administrative functions and make chang...
9.4
Simple Music Cloud Community System SQL Injection Risk
CVE-2026-37338
The Simple Music Cloud Community System's user view feature is at risk of being compromised by malicious input, potentially allowing attackers to access sensitive data. This means that hackers could p...
9.4
LuaJIT in Luanti 5 allows an attacker to escape the sandbox
CVE-2026-40959
A security issue in LuaJIT, used in Luanti 5, allows an attacker to gain unauthorized access. This affects systems that use LuaJIT with Luanti 5 before version 5.15.2. To fix this, update Luanti to...
9.3
OAuth2 Proxy Authentication Bypass with Health Check
GHSA-5hvv-m4w4-gf6v CVE-2026-34457 BIT-oauth2-proxy-2026-34457
A specific configuration of OAuth2 Proxy allows unauthorized access to protected resources. This happens when using a health check with a custom User-Agent and an auth_request-style integration. To fi...
9.1
Apache APISIX: Malicious Headers Injected via Forward-Auth Plugin
CVE-2026-31908 BIT-apisix-2026-31908
Apache APISIX users are at risk of having malicious headers injected into their system if they're using the forward-auth plugin and haven't upgraded to version 3.16.0 or later. This could allow an att...
9.1
Budibase: Unauthenticated Access to Protected Endpoints via Public URL Trick
GHSA-8783-3wgf-jggf
Budibase's authentication system has a flaw that allows attackers to access protected endpoints without logging in. This happens when an attacker adds a public endpoint path as a query parameter to a ...
9.1
Fastify Middie middleware fails to apply to child plugins
CVE-2026-6270 GHSA-72c6-fx6q-fr5w
When using certain Fastify plugins, authentication checks may not work for routes in child plugins. This means unauthorized users might be able to access those routes. To fix this, upgrade to the late...
9.1
Clerk JavaScript SDK: Bypass Middleware Protection
GHSA-vqx2-fgx2-5wq9
Certain requests can skip security checks in Clerk's middleware, allowing unauthorized access to protected routes. This only affects middleware-level protection, not user authentication. To fix, updat...
9.1
Clerk JavaScript SDKs: Bypass Middleware Protection for Admin Routes
GHSA-vqx2-fgx2-5wq9
Certain types of requests can bypass security checks on admin routes in Clerk JavaScript SDKs, allowing unauthorized access to protected areas. This does not affect user sessions or allow impersonatio...
9.1
ChilliCream GraphQL Platform: Deep GraphQL Document Causes Worker Crash
GHSA-qr3m-xw4c-jqw3 CVE-2026-40324
A specific type of complex GraphQL document can crash the service running ChilliCream GraphQL Platform, causing it to restart. This can happen with a small payload of just 40 KB. To fix, update to the...
9.1
Payroll Management System: SQL Injection in Employee View Page
CVE-2026-37347
A security issue exists in the Payroll Management and Information System v1.0 that could allow an attacker to access sensitive employee data. This is a serious concern as it could lead to unauthorized...
9.1
Fastify Express Allows Bypass of Authentication with Special URLs
GHSA-6hw5-45gm-fj88 CVE-2026-33808
A security issue in Fastify Express allows attackers to bypass authentication checks when using specific URL formats. This can lead to unauthorized access to sensitive areas of a website or applicatio...
9.1
Fastify Express Middleware Path Doubling Allows Authentication Bypass
GHSA-hrwm-hgmj-7p9c CVE-2026-33807
Using a child plugin with Fastify Express can bypass authentication controls for certain routes. This is due to a bug that doubles the path of middleware, allowing unauthorized access to certain areas...
9.1
Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)
GHSA-gc9w-cc93-rjv8
Summary: `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or ...
9.1
Authentik: Bypassing Password Login with Malformed IP Address
CVE-2024-47070 BIT-authentik-2024-47070
Versions of Authentik prior to 2024.8.3 and 2024.6.5 allow hackers to log in to any account with a known login or email address by sending a specific, malformed header. This is a significant security ...
9.0
SiYuan: Malicious JavaScript in Diagrams Can Execute Code
CVE-2026-40322
SiYuan versions 3.6.3 and below allow malicious code to be executed when a user interacts with a specially crafted diagram. This can happen if a user opens a note with a malicious diagram and clicks o...
9.0
Fastify: Malicious Header Injection via Connection Header Abuse
GHSA-gwhp-pf74-vj37 CVE-2026-33805
Fastify's handling of the Connection header can be exploited by attackers to remove proxy-added security headers, potentially compromising access control and security features. Affected applications u...
9.0
Apache Airflow: Trusted Users Can Run Arbitrary Code
CVE-2026-33858 GHSA-mc4f-r875-v87w BIT-airflow-2026-33858
Trusted users in Apache Airflow can run malicious code on the server, potentially causing harm. This is a low-risk issue, but it's still important to update to the latest version of Apache Airflow to ...
8.8
authentik SAML Identity Provider Allows Malicious Assertion Injection
CVE-2026-25922 BIT-authentik-2026-25922
Prior versions of authentik's SAML identity provider allowed attackers to inject fake identity information. This happened when certain security settings were not properly configured. Update to the lat...
8.8
Paperclip Server: Malicious Agent Can Run Commands on Server
GHSA-265w-rf2w-cjh4
An attacker with a Paperclip agent credential can run arbitrary commands on the Paperclip server host. This is a serious security risk because it allows an attacker to gain control of the server and p...
8.8