
CVE Vulnerabilities - 16 April 2026


965 vulnerabilities published on 16 April 2026

Each entry lists a title, identifiers, a summary and a severity score.

Airflow Example Code Allows UI Users to Execute Arbitrary Code on Workers
CVE-2025-54550 GHSA-q2hg-643c-gw8h
Example code in Airflow's documentation uses a method to read data that a trusted user with UI access can exploit to run arbitrary code on the worker. This example is not intended for produ...
8.1
ManageEngine PAM360 and Password Manager Pro SQL Injection Flaw
CVE-2026-5785
Vulnerabilities in ManageEngine PAM360 and Password Manager Pro allow attackers to inject malicious SQL code and potentially access sensitive data. If exploited, this could lead to unauthorized access...
8.1
Luanti 5 before 5.15.2 Allows Malicious Modules to Access Sensitive Data
CVE-2026-40960
A security issue in Luanti 5 before 5.15.2 lets a specially crafted module access sensitive data, giving an untrusted mod a path to unauthorized access to your system. You shou...
8.1
Vite+ allows attackers to delete or rewrite files outside its cache directory
GHSA-33r3-4whc-44c2
A vulnerability in the Vite+ `downloadPackageManager()` function allows an attacker to manipulate the file system outside the intended cache location, potentially leading to data loss or malicious fil...
8.1
DOMPurify's tag filtering allows forbidden tags to pass
GHSA-39q2-94rc-95cp
DOMPurify's tag filtering can be bypassed, allowing forbidden tags into the sanitized HTML. This can happen when the 'ADD_TAGS' and 'FORBID_TAGS' configuration options are used together. To fix this, update...
8.1
Authentik: Inadequate Session Deletion in Database Storage
CVE-2025-29928 BIT-authentik-2025-29928
If you're using Authentik's non-default database session storage, deleting sessions doesn't log users out: they can keep using Authentik after their sessions have been deleted. To fix this, upd...
8.0
PySpector Plugin Code Execution Bypass via Incomplete Validation
GHSA-vp22-38m5-r39r
An attacker can inject malicious code into PySpector plugins, allowing them to execute arbitrary code within the PySpector process. This happens because the plugin security validator has a list of for...
7.9
Flowise: Unauthenticated Access to Confidential OAuth Tokens
GHSA-6f7g-v4pp-r667
Flowise has a security issue that allows anyone to access sensitive OAuth tokens without logging in. This can happen if a public chatflow is configured with an OAuth credential. To fix this, users sho...
7.8
Mako: Untrusted File Access via Malformed URI in Template Files
GHSA-v92g-xgxw-vvmm
A security issue in the Mako templating library can expose sensitive files on your system if untrusted input reaches it. This could let an attacker read any file that your system's user h...
7.8
Eaton Intelligent Power Protector can run malicious code if package is tampered with
CVE-2026-22619
If an attacker can access and modify the Eaton Intelligent Power Protector software package, they may be able to run unauthorized code on your computer. This is a significant risk, and we recommend up...
7.8
Flowise: Unauthenticated Password Reset Allows Hacker Access
GHSA-f6hc-c5jr-878p
Flowise users are at risk of having their passwords reset by an unauthorized person, which could let that person access the system as them. This issue affects Flowise version 3.0.12. To fix the pr...
7.7
Flowise: Unauthenticated Access to Sensitive Chatflow Data
GHSA-6f7g-v4pp-r667
Flowise, a chatbot platform, allows unauthenticated access to chatflow configurations, which can reveal internal workflow data and OAuth credential identifiers. This can be used to obtain valid OAuth ...
7.7
Flowise Allows Unauthenticated Root Access via Malicious Request
GHSA-cvrr-qhgw-2mm6
Flowise, a chatbot platform, has a security flaw that lets an unauthenticated attacker execute commands on its system with high-level privileges. This means an attacker c...
7.7
Flowise: Unauthenticated Remote Code Execution via Parameter Override
GHSA-cvrr-qhgw-2mm6
Flowise allows attackers to execute arbitrary system commands without authentication by exploiting a flaw in its validation checks. This can happen if an attacker sends a specially crafted HTTP reques...
7.7
Flowise: Sensitive Data Leaked in Public Chatbot Configuration
GHSA-4jpm-cgx2-8h37
Flowise's public chatbot configuration API allows unauthorized access to sensitive data, including API keys and login credentials, by using a chatflow UUID. This can lead to data theft and unauthorize...
7.7
Kyverno apiCall Exposes ServiceAccount Token to External Endpoints
GHSA-8wfp-579w-6r25
A setting in Kyverno's apiCall service mode automatically sends your Kubernetes ServiceAccount token to external endpoints, making it possible for attackers to steal your credentials. This is a securit...
7.7
Kyverno apiCall Exposes ServiceAccount Token to External Endpoints
GHSA-8wfp-579w-6r25
Kyverno's apiCall service mode automatically shares a sensitive token with external or attacker-controlled websites, potentially allowing unauthorized access. This behavior is not documented and can b...
7.7
Kyverno: Multiple Namespaces Can Read Each Other's ConfigMaps
GHSA-cvq5-hhx3-f99p
Kyverno, a Kubernetes policy engine, has a security issue that allows administrators of one namespace to read ConfigMaps from other namespaces. This is a serious security risk in multi-tenant clusters...
7.7
Kyverno: Unauthorized Access to ConfigMaps in Other Namespaces
GHSA-cvq5-hhx3-f99p
A vulnerability in Kyverno allows a user with admin privileges in one namespace to access ConfigMaps in other namespaces. This is a security risk in multi-tenant Kubernetes clusters. To fix this, upda...
7.7
Weblate ZIP downloads may extract malicious files
CVE-2026-34242 GHSA-hv99-mxm5-q397
Weblate's ZIP download feature in older versions didn't validate the files it handled, which could allow attackers to extract malicious code or content. This issue has been fixed in version 5.17, so update t...
7.7
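The Vite+, Mako and Weblate entries above all describe the same failure class: a file name derived from untrusted input (a URI, a package name, an archive member) is used to read or write on the local file system without checking that the final path stays inside the directory it was meant for. The Python below is an added example written for this page, not code from any of those projects, showing a containment check for a single untrusted path and a ZIP extractor that validates every member before writing anything. The helper names (resolve_within, safe_extract, unsafe_members, escapes, demo) and the two in-memory archives are assumptions constructed for the illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path


class PathEscape(ValueError):
    """Raised when an untrusted path would land outside its base directory."""


def resolve_within(base, untrusted):
    """Join `untrusted` onto `base` and require the result to stay inside `base`.

    resolve() canonicalises '..' components and follows symlinks, so this rejects
    '../' tricks, absolute paths (which Path's '/' operator would otherwise honour
    by discarding `base`), and a symlink inside `base` that points outside it.
    """
    base = Path(base).resolve()
    candidate = (base / untrusted).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathEscape(f"{untrusted!r} escapes {base}")
    return candidate


def escapes(base, untrusted):
    """Boolean form of resolve_within() for quick checks."""
    try:
        resolve_within(base, untrusted)
    except PathEscape:
        return True
    return False


def unsafe_members(zip_bytes, dest):
    """Names in the archive that would escape `dest` if extracted as-is."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if escapes(dest, info.filename)]


def safe_extract(zip_bytes, dest):
    """Extract only after every member has passed resolve_within().

    All names are checked before the first write, so a malicious member late in
    the archive cannot leave a half-extracted tree behind. Returns the relative
    paths of the files written.
    """
    dest = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = [(info, resolve_within(dest, info.filename)) for info in zf.infolist()]
        for info, target in targets:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(dest).as_posix())
    return written


def build_zip(entries):
    """Build a ZIP in memory from (name, bytes) pairs; names are kept verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives (assumptions, not real upload data).
BENIGN_ZIP = build_zip([("locale/de/messages.po", b'msgid "Hello"\nmsgstr "Hallo"\n')])
TRAVERSAL_ZIP = build_zip([
    ("locale/de/messages.po", b'msgid "Hello"\nmsgstr "Hallo"\n'),
    ("../../.ssh/authorized_keys", b"ssh-ed25519 AAAAC3... attacker\n"),
])


def demo():
    """Run both archives through safe_extract() in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        extracted = safe_extract(BENIGN_ZIP, tmp)
        try:
            safe_extract(TRAVERSAL_ZIP, tmp)
            blocked = False
        except PathEscape:
            blocked = True
        files_after = sorted(p.name for p in Path(tmp).rglob("*") if p.is_file())
        unsafe = unsafe_members(TRAVERSAL_ZIP, tmp)
    return {"extracted": extracted, "traversal_blocked": blocked,
            "files_after": files_after, "unsafe": unsafe}


if __name__ == "__main__":
    print(demo())
```

The check compares fully resolved paths rather than string prefixes, which is what distinguishes it from the common mistake of testing `str(path).startswith(base)` (defeated by `/srv/cache-evil` when the base is `/srv/cache`, and by symlinks). Python's own `ZipFile.extractall` strips `..` components, but libraries that open members by name or write to `base / name` themselves need the explicit containment test.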
Flowise Software Can Be Tricked to Make Unauthorized Internet Requests
GHSA-qqvm-66q4-vf5c
Some Flowise components can be made to bypass the product's outbound-request checks and fetch arbitrary URLs. This means unauthorized access to sensitive data could occur. Update to the la...
7.6
wger: Unauthorized access to global gym settings
GHSA-xppv-4jrx-qf8m CVE-2026-40474
A security issue allows low-privileged users to change global gym settings, potentially causing unintended consequences. This is because the system declares a permission requirement but doesn't enforc...
7.6
ASP.NET Core can be crashed by a specially crafted internet packet
CVE-2026-25667 BIT-dotnet-sdk-2026-25667
An attacker can send a malicious packet to a server running ASP.NET Core, causing it to consume excessive CPU resources. This can happen in versions of ASP.NET Core running on .NET 8.0 before 8.0.22 a...
7.5
Malformed cookie bypasses authentik authentication with some proxies
CVE-2026-25748 BIT-authentik-2026-25748
An attacker could create a malformed cookie that bypasses authentik authentication when using certain reverse proxies. This could give an attacker access to your application. Update to authentik 2025....
7.5
Apache ActiveMQ Can Run Out of Memory with Certain TLS Handshakes
CVE-2026-39304 GHSA-5568-6qcg-g7fx BIT-activemq-2026-39304
Apache ActiveMQ versions 5.19.4 and earlier, and 6.0.0 to 6.2.3, are vulnerable to a denial of service attack that can cause the software to run out of memory when handling certain types of secure con...
7.5