CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter processed by the dalStorage_addUserAccount function.
OpenRemote before version 1.25.0 contains an insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary alarm IDs.
A command injection vulnerability in ImageMagick before versions 7.1.2-15 and 6.9.13-40 exists in the SVG decoder. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.
Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /updates endpoint that resolves the defaultChannel parameter before enforcing privacy restrictions. This allows attackers to enumerate private channels and leak version/config state.
Flowise before 3.1.0 contains a server-side request forgery (SSRF) vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses through the base URL field. Attackers can initiate HTTP requests to internal network addresses and access cloud metadata.
Crawl4AI before version 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF endpoints, allowing unauthenticated attackers to write files outside the intended directory.
Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API.
Capgo before version 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforce_hashed_api_keys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to the PostgREST/RLS plane to access protected resources.
Capgo before version 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers (get/put/delete/post). API keys created with mode=all but restricted to a single app via limited_to_apps are only checked for limited_to_orgs, allowing tampering with account-level credentials.
Capgo before version 12.128.2 contains an authorization bypass vulnerability in POST /private/role_bindings that fails to verify app_id ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by other organizations.
Plug has an efficiency issue in the nested-parameter decoder that allows an unauthenticated remote attacker to cause denial of service. The decoding algorithm's complexity is quadratic in relation to the number of nesting levels, which can lead to server unresponsiveness.
CafePlus has a vulnerability related to missing authentication for a critical function, allowing access to functionality not properly constrained by access control lists (ACLs). This issue affects versions from 12.05.03 before 12.05.04.
Picklescan before 0.0.29 fails to detect malicious pickle files, allowing attackers to embed undetected code in these files. This code can execute arbitrary commands when loaded by victims.
Picklescan before 0.0.28 fails to detect malicious torch.jit.unsupported_tensor_ops.execWrapper function calls embedded in pickle files. Attackers can craft malicious pickle files that bypass picklescan detection and execute arbitrary code when loaded via pickle.load().
Picklescan before 0.0.33 fails to detect malicious pickle files that invoke numpy.f2py.crackfortran.myeval function through the reduce method. Attackers can craft malicious pickle files embedding arbitrary code that evades picklescan detection and executes remote code when loaded.
Picklescan before 0.0.29 fails to detect the profile.Profile.runctx function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious pickle files using profile.Profile.runctx in the reduce method to achieve remote code execution when the pickle file is loaded.
Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address without confirming the change to the original email address or re-entering the current password.
A vulnerability in Traefik before 2.10.5 and 3.0.0-beta4 allows a denial-of-service attack via rapid creation and cancellation of HTTP/2 streams (Rapid Reset technique). The issue originates from the Go standard library's HTTP/2 implementation.
A high privileged remote attacker can access a hidden configuration method, that should not be accessible by any user, to modify critical program parameters.
The Frontend File Manager Plugin for WordPress up to version 23.6 does not properly enforce nonce checks on the file download handler, allowing unauthenticated attackers to download files uploaded by any user.

