CVE-2026-55450 is a critical vulnerability in Langflow, a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.1, the vulnerability allows unauthenticated users to upload an unlimited amount of data to the server, potentially leading to disk space exhaustion. Additionally, the absolute path of the uploaded file is reported to the attacker in the response, whic [truncated]
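The two defects the summary names, no size limit and the absolute path echoed back, are both handler-level mistakes. The following is an added example (not Langflow's code) of an upload handler that enforces the cap while streaming, so a client cannot defeat it by lying about or omitting Content-Length, and that returns only an opaque server-chosen id. The `receive_upload` and `demo` function names, the directory layout and the sample byte strings are constructed for the example.

```python
"""Upload handler with a hard size cap and no server-path disclosure (added example)."""
import io
import os
import secrets
import tempfile


class UploadTooLarge(ValueError):
    pass


def receive_upload(stream, upload_dir: str, max_bytes: int, chunk_size: int = 64 * 1024) -> dict:
    """Stream an upload to disk, aborting as soon as max_bytes is exceeded.

    The cap is enforced on bytes actually read, not on a client-supplied header,
    so the most an unauthenticated client can ever write is max_bytes + 1 bytes,
    and that single extra byte is discarded. The caller learns only a random id;
    the absolute path on disk stays private to the server.
    """
    os.makedirs(upload_dir, mode=0o700, exist_ok=True)
    upload_id = secrets.token_urlsafe(16)          # no '/' or '..' possible
    fd, tmp_path = tempfile.mkstemp(dir=upload_dir, prefix=".partial-")
    written = 0
    try:
        with os.fdopen(fd, "wb") as out:
            while True:
                # Never ask for more than one byte past the cap.
                chunk = stream.read(min(chunk_size, max_bytes - written + 1))
                if not chunk:
                    break
                written += len(chunk)
                if written > max_bytes:
                    raise UploadTooLarge(f"upload exceeds {max_bytes} bytes")
                out.write(chunk)
        os.rename(tmp_path, os.path.join(upload_dir, upload_id))
    except BaseException:
        os.unlink(tmp_path)                        # never leave partial data behind
        raise
    return {"upload_id": upload_id, "size": written}


def demo(max_bytes: int = 1024) -> dict:
    """Constructed check: one upload at the cap, one just over it."""
    upload_dir = tempfile.mkdtemp()
    ok = receive_upload(io.BytesIO(b"a" * max_bytes), upload_dir, max_bytes)
    try:
        receive_upload(io.BytesIO(b"b" * (max_bytes + 1)), upload_dir, max_bytes)
        rejected = False
    except UploadTooLarge:
        rejected = True
    remaining = os.listdir(upload_dir)
    return {
        "accepted_size": ok["size"],
        "id_is_opaque": "/" not in ok["upload_id"] and upload_dir not in ok["upload_id"],
        "oversize_rejected": rejected,
        "partial_removed": remaining == [ok["upload_id"]],
    }


if __name__ == "__main__":
    print(demo())
```

The temporary file is created inside the destination directory so the final `os.rename` is atomic on the same filesystem; an aborted upload is unlinked before the exception propagates.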
CVE-2026-55255 is a critical vulnerability in Langflow, a tool for building and deploying AI-powered agents and workflows. The vulnerability is an Insecure Direct Object Reference (IDOR) in the /api/v1/responses endpoint, which allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. This vulnerability has a CVSS score of 9.9 and is [truncated]
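The flaw class here is object-level authorization: the endpoint authenticates the caller but resolves the flow by id alone. As an added example (not Langflow's code), the vulnerable lookup is shown beside the fixed one, which scopes the query to the caller and returns the same "not found" result for foreign and nonexistent ids so the endpoint is not an existence oracle either. The `Flow` type, the `FLOWS` table and the user and flow ids are constructed for the example.

```python
"""Object-level authorization for a per-user flow execution endpoint (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    flow_id: str
    owner_id: str
    name: str


# Constructed sample data: two users, each owning one flow.
FLOWS = {
    "f-1001": Flow("f-1001", "alice", "alice-summarizer"),
    "f-2002": Flow("f-2002", "bob", "bob-internal-tool"),
}


class NotFound(Exception):
    pass


def run_flow_vulnerable(requesting_user: str, flow_id: str) -> str:
    # The caller is authenticated, but the flow is fetched by id alone, so any
    # logged-in user can run any other user's flow by supplying its id.
    flow = FLOWS.get(flow_id)
    if flow is None:
        raise NotFound(flow_id)
    return f"ran {flow.name} as {requesting_user}"


def run_flow_fixed(requesting_user: str, flow_id: str) -> str:
    # Ownership is part of the lookup, and a foreign flow produces the same
    # NotFound as a missing one, so the response does not reveal which ids exist.
    flow = FLOWS.get(flow_id)
    if flow is None or flow.owner_id != requesting_user:
        raise NotFound(flow_id)
    return f"ran {flow.name} as {requesting_user}"


def permitted(handler, requesting_user: str, flow_id: str) -> bool:
    """True if the handler would execute the flow for this caller."""
    try:
        handler(requesting_user, flow_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    print("vulnerable, alice on bob's flow:", permitted(run_flow_vulnerable, "alice", "f-2002"))
    print("fixed, alice on bob's flow:     ", permitted(run_flow_fixed, "alice", "f-2002"))
```

In a real ORM the ownership condition belongs in the query itself (`WHERE id = ? AND user_id = ?`), not in a post-fetch check that a later refactor can drop.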
CVE-2026-35019 is a critical authentication bypass vulnerability affecting NetComm NF20MESH routers with firmware R6B031 and earlier. The vulnerability stems from a hardcoded AES-256 key used to encrypt session cookies for the web management interface. This allows unauthenticated attackers to forge valid encrypted session cookies and bypass authentication checks, gaining full administrative control of the [truncated]
CVE-2026-27604 is a critical authorization bypass vulnerability in FOSSBilling, a free, open-source billing and client management system. The vulnerability allows unauthenticated access to privileged `/api/system/*` endpoints, enabling attackers to invoke admin API methods without valid credentials, session, or CSRF token. FOSSBilling version 0.8.0 patches the issue. Some workarounds are available, includ [truncated]
The CVE-2026-56315 vulnerability in picklescan before version 1.0.4 allows for remote code execution. This is due to the failure of picklescan to block at least seven Python standard library modules, including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib, which expose eight functions. These functions can be exploited by crafting malicious pickle files that import these unblocked modules, t [truncated]
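The lesson of a scanner missing "at least seven" modules is that a denylist of dangerous imports can never be complete. The following added example (not picklescan's code, and it does not reproduce picklescan's gadget list) does the opposite: it walks the pickle opcode stream with `pickletools.genops` to list every import a pickle would perform, flags anything outside an allowlist, and enforces the same allowlist at load time through `Unpickler.find_class`, which runs before any callable is invoked. The `ALLOWED_GLOBALS` set and the `_Gadget` payload are constructed for the example; the payload would call `os.system` if loaded unrestricted, and the example never loads it that way.

```python
"""Allowlist-based pickle import scanning and restricted unpickling (added example)."""
import collections
import io
import os
import pickle
import pickletools

# Imports a loader may resolve. Anything not listed is rejected, so a newly
# discovered gadget in an unlisted stdlib module changes nothing.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}


def find_globals(data: bytes) -> list[tuple[str, str]]:
    """List every (module, name) the pickle would import, without loading it.

    GLOBAL and INST carry 'module name' inline. STACK_GLOBAL takes module and
    name from the two strings pushed just before it, possibly via memo GETs, so
    a string-only shadow stack and memo are tracked; that is enough for pickles
    written by CPython's pickler (assumption of this example).
    """
    found, strings, memo = [], [], {}
    memo_next = 0        # index the next MEMOIZE opcode will assign
    pushed = None        # string pushed by the previous opcode, if any
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
            pushed = arg
        elif op.name in GET_OPS:
            value = memo.get(arg)
            pushed = value if isinstance(value, str) else None
            if pushed is not None:
                strings.append(pushed)
        elif op.name == "MEMOIZE":
            if pushed is not None:
                memo[memo_next] = pushed
            memo_next += 1
        elif op.name in PUT_OPS:
            if pushed is not None:
                memo[arg] = pushed
        elif op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.append((module, name))
            pushed = None
        elif op.name == "STACK_GLOBAL":
            name, module = strings.pop(), strings.pop()
            found.append((module, name))
            pushed = None
        else:
            pushed = None
    return found


def disallowed_imports(data: bytes) -> list[tuple[str, str]]:
    return [g for g in find_globals(data) if g not in ALLOWED_GLOBALS]


class RestrictedUnpickler(pickle.Unpickler):
    """Enforce the allowlist at load time; find_class runs before any REDUCE."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"forbidden import {module}.{name}")
        return super().find_class(module, name)


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class _Gadget:
    """Constructed payload: an unrestricted pickle.loads would call os.system."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


def malicious_pickle(protocol: int) -> bytes:
    return pickle.dumps(_Gadget(), protocol=protocol)


def benign_pickle() -> bytes:
    return pickle.dumps(collections.OrderedDict(a=1, b=[2, 3]), protocol=4)


def rejected_at_load(data: bytes) -> bool:
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    for proto in (2, 4):
        print(f"protocol {proto} payload imports:", disallowed_imports(malicious_pickle(proto)))
    print("benign:", disallowed_imports(benign_pickle()), restricted_loads(benign_pickle()))
```

Protocol 2 emits the inline `GLOBAL` opcode and protocol 4 the `STACK_GLOBAL` form, so both code paths of the scanner are exercised; the module reported for `os.system` is the platform module that implements it (`posix` on Unix, `nt` on Windows), which is itself a reminder that denylisting by public module name is fragile.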
CVE-2026-56258 is a critical vulnerability in Crawl4AI before version 0.8.8. The vulnerability allows unauthenticated attackers to write files outside the intended directory via symlink and time-of-check-time-of-use (TOCTOU) attacks on the output_path parameter. This can lead to potential code execution on systems where the runtime user has write access to executable or cron locations. The vulnerability h [truncated]
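A symlink plus TOCTOU attack on an output path works because the code checks where the path resolves and then opens it as a separate step, leaving a window to swap in a symlink. The following added example (not Crawl4AI's code, and it does not reproduce the project's handler) closes that window by opening each component relative to the previous directory's file descriptor with `O_NOFOLLOW`, and the file itself with `O_CREAT|O_EXCL`, so a planted symlink makes the open fail rather than redirecting the write, whatever the timing. The `write_within` and `demo` names and the fixture directories are constructed for the example; it relies on POSIX `openat` semantics, available through the `dir_fd` argument of `os.open` on Linux and macOS.

```python
"""Symlink- and race-resistant writes below a fixed output directory (added example)."""
import errno
import os
import shutil
import tempfile
from pathlib import PurePosixPath


class UnsafeOutputPath(ValueError):
    pass


def _open_subdir(dfd: int, name: str) -> int:
    """Open (creating if absent) a direct child directory of dfd, never following a symlink."""
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    for attempt in range(2):
        try:
            return os.open(name, flags, dir_fd=dfd)
        except FileNotFoundError:
            if attempt == 0:
                try:
                    os.mkdir(name, 0o700, dir_fd=dfd)
                except FileExistsError:
                    pass            # created concurrently; the retry inspects it
        except OSError as exc:
            if exc.errno in (errno.ELOOP, errno.ENOTDIR):   # symlink, or not a directory
                raise UnsafeOutputPath(f"{name!r} is a symlink or not a directory") from exc
            raise
    raise UnsafeOutputPath(f"could not open directory {name!r}")


def write_within(base_dir: str, output_path: str, data: bytes) -> str:
    """Create base_dir/output_path and write data without ever following a symlink.

    There is no check-then-open: the open itself is the check, so there is no
    window in which an attacker can replace a component with a symlink.
    """
    parts = PurePosixPath(output_path).parts
    if not parts or parts[0] == "/" or ".." in parts:
        raise UnsafeOutputPath(f"rejected path {output_path!r}")
    dfd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for part in parts[:-1]:
            nfd = _open_subdir(dfd, part)
            os.close(dfd)
            dfd = nfd
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        try:
            fd = os.open(parts[-1], flags, 0o600, dir_fd=dfd)
        except FileExistsError as exc:      # existing file *or* symlink at that name
            raise UnsafeOutputPath(f"refusing to replace {parts[-1]!r}") from exc
        with os.fdopen(fd, "wb") as out:
            out.write(data)
    finally:
        os.close(dfd)
    return os.path.join(base_dir, *parts)


def demo() -> dict:
    """Constructed fixture: a base dir with two planted symlinks into an outside dir."""
    base, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(base, "ok"))
        os.symlink(outside, os.path.join(base, "escape"))                                  # directory symlink
        os.symlink(os.path.join(outside, "victim"), os.path.join(base, "ok", "link"))      # dangling file symlink
        results = {}
        written = write_within(base, "ok/report.txt", b"hello")
        with open(written, "rb") as f:
            results["normal_written"] = f.read() == b"hello"
        attempts = [("dir_symlink", "escape/x.txt"), ("file_symlink", "ok/link"),
                    ("traversal", "../x.txt"), ("absolute", "/tmp/x.txt")]
        for label, path in attempts:
            try:
                write_within(base, path, b"owned")
                results[label] = "written"
            except UnsafeOutputPath:
                results[label] = "rejected"
        results["outside_untouched"] = os.listdir(outside) == []
        return results
    finally:
        shutil.rmtree(base)
        shutil.rmtree(outside)


if __name__ == "__main__":
    print(demo())
```

`O_EXCL` also means an existing regular file is never overwritten; if overwriting is a requirement, write to a fresh `O_EXCL` name and `os.rename` over the target with `dir_fd`, which still never follows a symlink on the final component.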
The Totolink EX1200L router is vulnerable to a buffer overflow in the login functionality of the cgi-bin/cstecgi.cgi endpoint. This vulnerability, CVE-2026-44089, could be exploited to crash the program or to execute code remotely. An attacker could perform actions as root, including reading and editing data, as well as bricking the router. The vulnerability has been confirmed in version 9.3.5u.614 [truncated]
CVE-2026-11374 is a critical vulnerability in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus. The issue allows an unauthenticated user to predict SSO tickets, potentially leading to account takeover. The vulnerability has a CVSS score of 9 and is considered critical. ManageEngine has released an advisory for this vulnerability. Users of these products should rev [truncated]
CVE-2026-34910 is a Critical vulnerability disclosed on 2026-05-22 affecting UniFi OS devices, where improper input validation could allow a network-accessible command injection. The NVD record rates the issue CVSS 10.0 with no privileges required and no user interaction, making it a high-priority exposure for any environment running the affected platform.
Published on 2026-05-22, CVE-2026-34909 is a critical path traversal vulnerability in UniFi OS devices. A network-accessible attacker could access files on the underlying system and, according to the CVE description, potentially manipulate that access to reach an underlying account. NVD rates the issue CVSS 3.1 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and maps it to CWE-22.
CVE-2026-34908 is a critical improper access control issue affecting UniFi OS devices. According to the CVE description and NVD metadata, a network-accessible attacker could abuse the flaw to make unauthorized changes to the system. The NVD record lists the issue as remotely exploitable with no privileges or user interaction required, and the impact is rated high across confidentiality, integrity, and availability.
CVE-2026-49468 is a critical vulnerability in the LiteLLM proxy server, which acts as an AI Gateway to call LLM APIs in OpenAI or native format. The vulnerability has a CVSS score of 9.5 and was published on June 22, 2026. The issue is fixed in version 1.84.0 of LiteLLM. Users of affected versions should upgrade to 1.84.0 to mitigate the vulnerability. The CVE record and NVD detail provide further informa [truncated]