CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
Jenkins Pipeline: Groovy Plugin version 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.
A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier allows attackers to instantiate types related to job or system configuration other than Pipeline steps through the Pipeline Snippet Generator.
Jenkins Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into a generated SSH wrapper script, allowing attackers able to control the name of a build's working directory to execute arbitrary operating system commands on the agent.
An HTML injection vulnerability in the Hono library before version 4.12.14 allows attackers to inject unintended HTML by using malformed attribute names during server-side JSX rendering. Specially crafted attribute keys containing characters like quotes or angle brackets can break HTML tag boundaries and inject arbitrary attributes or elements.
Stored XSS vulnerability in n8n before versions 1.123.25 (1.x) and 2.11.2 (2.x) (also fixed in 2.12.0) in the Form Trigger node's CSS sanitization allows authenticated users with workflow creation permissions to inject malicious scripts that execute persistently for all form visitors.
Capgo before 12.128.2 contains a denial of service vulnerability in the /auth/v1/otp endpoint that prevents email verification for two-factor authentication due to captcha validation failures.
Capgo before 12.128.2 contains an information disclosure vulnerability in the public.exist_app_v2 RPC function that allows unauthenticated attackers to enumerate app_ids by calling POST /rest/v1/rpc/exist_app_v2 with arbitrary appid parameters.
Cap-go before version 12.128.2 contains an authorization bypass vulnerability in the GET /organization/members endpoint that allows org-limited API keys to bypass limited_to_orgs restrictions. Attackers with such keys can access membership data from organizations outside their assigned scope.
Capgo before version 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons.
Flowise before version 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database breach scenario.
Flowise before version 3.1.0 (npm package flowise, versions 3.0.13 and earlier) uses a weak hardcoded default value 'Secre$t' for the TOKEN_HASH_SECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key used to encrypt user IDs and workspace IDs in the 'meta' field of JWT tokens. An attacker who knows the default secret can decrypt this metadata to extract internal user and workspace identifiers, and re-encrypt manipulated values such as altered user or workspace IDs.
Crawl4AI before version 0.8.7 contains an authentication bypass vulnerability in the monitor router endpoints that allows unauthenticated attackers to access destructive operations. Remote attackers can invoke the /monitor/actions/cleanup endpoint and manipulate monitoring state without authentication, causing service disruption.
CVE-2026-13163 describes an open redirect vulnerability in the _safe_redirect function of the click-tracking endpoint in Mailerup versions before 1.0.0. This allows remote unauthenticated attackers to redirect victims to arbitrary external sites, potentially leading to phishing attacks.
Flowise through version 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to be executed, including blind and error-based extraction of data from the credential table.
In ccyl13 Pentestify version 1.0.0 and lower, there is a Server-Side Request Forgery (SSRF) vulnerability in the PDF generation endpoint. An attacker can exploit this flaw to send requests to arbitrary internal or external URLs, potentially leading to the exposure of sensitive data.
TortoiseGitBlame is vulnerable to argument injection via malicious Git history filenames, leading to arbitrary file write in TortoiseGit.
The MotorDesk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.1.2. This is due to missing or incorrect nonce validation on the motordesk_admin_home function.
The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.9. This is due to missing or incorrect nonce validation in the settings_form()/update_settings() functionality.
The WP Latest Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via crafted image src attributes in post content in versions up to and including 5.0.11. This is due to insufficient output escaping in the field() and loop() functions.
The Reviews and Rating – Docplanner plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action.

