| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-41264 | Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability | FlowiseAI | Flowise | - | - | 2026-04-23 20:00:19 | Deep Dive |
| CVE-2026-41265 | Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability | FlowiseAI | Flowise | - | - | 2026-04-23 19:58:52 | Deep Dive |
| CVE-2026-41279 | Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials | FlowiseAI | Flowise | - | - | 2026-04-23 19:53:15 | Deep Dive |
| CVE-2026-41278 | Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs | FlowiseAI | Flowise | - | - | 2026-04-23 19:52:21 | Deep Dive |
| CVE-2026-41276 | Flowise: AccountService resetPassword Authentication Bypass Vulnerability | FlowiseAI | Flowise | - | - | 2026-04-23 19:49:26 | Deep Dive |
| CVE-2026-41277 | Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR) | FlowiseAI | Flowise | - | - | 2026-04-23 19:48:58 | Deep Dive |
| CVE-2026-25874 | LeRobot Unsafe Deserialization Remote Code Execution via gRPC | Hugging Face | LeRobot | - | - | 2026-04-23 19:45:01 | Deep Dive |
| CVE-2026-41275 | Flowise: Password Reset Link Sent Over Unsecured HTTP | FlowiseAI | Flowise | - | - | 2026-04-23 19:33:44 | Deep Dive |
| CVE-2026-41273 | Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow | FlowiseAI | Flowise | - | - | 2026-04-23 19:29:17 | Deep Dive |
| CVE-2026-41271 | Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains | FlowiseAI | Flowise | - | - | 2026-04-23 19:17:40 | Deep Dive |
| CVE-2026-41272 | Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure) | FlowiseAI | Flowise | High | 7.1 | 2026-04-23 19:16:08 | Deep Dive |
| CVE-2026-41270 | Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox | FlowiseAI | Flowise | High | 7.1 | 2026-04-23 19:15:15 | Deep Dive |
| CVE-2026-41269 | Flowise: File Upload Validation Bypass in createAttachment | FlowiseAI | Flowise | High | 7.1 | 2026-04-23 19:14:27 | Deep Dive |
| CVE-2026-41268 | Flowise: Flowise Parameter Override Bypass Remote Command Execution | FlowiseAI | Flowise | - | - | 2026-04-23 19:13:36 | Deep Dive |
| CVE-2026-41267 | Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association | FlowiseAI | Flowise | High | 8.1 | 2026-04-23 19:12:27 | Deep Dive |
| CVE-2026-41266 | Flowise: Sensitive Data Leak in public-chatbotConfig | FlowiseAI | Flowise | - | - | 2026-04-23 19:11:33 | Deep Dive |
| CVE-2026-41137 | Flowise: Code Injection in CSVAgent leads to Authenticated RCE | FlowiseAI | Flowise | - | - | 2026-04-23 19:10:38 | Deep Dive |
| CVE-2026-41138 | Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. | FlowiseAI | Flowise | - | - | 2026-04-23 19:05:22 | Deep Dive |
| CVE-2026-41259 | Mastodon: Insufficient verification of email addresses | mastodon | mastodon | - | - | 2026-04-23 18:55:21 | Deep Dive |
| CVE-2026-41205 | Mako: Path traversal via double-slash URI prefix in TemplateLookup | sqlalchemy | mako | - | - | 2026-04-23 18:52:24 | Deep Dive |