Common Vulnerabilities and Exposures (CVE)

CVE-2026-59259

Jul 15, 2026 11:47:00 UTC

n8n before versions 1.123.61, 2.27.4, and 2.28.1 contains a permission bypass vulnerability in external secrets handling caused by a mismatch between the static validation check and the runtime expression engine. An authenticated user with ...

CVE-2026-61869

Jul 15, 2026 11:25:54 UTC

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the MIFF encoder that occurs when a memory allocation fails during MIFF image processing, which can lead to denial of service.

CVE-2026-61866

Jul 15, 2026 11:25:51 UTC

ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the JNG encoder when a blob cannot be opened. Attackers can trigger the memory leak by providing malformed JNG files that fail blob operations, causing resource exhaustion.

CVE-2026-61440

Jul 15, 2026 11:25:41 UTC

PraisonAI Platform before 0.1.9 fails to properly authorize label and issue-label mutations, allowing workspace members to rename and recolor shared labels and add or remove labels on owner-created issues. Attackers with workspace member pr...

CVE-2026-61435

Jul 15, 2026 11:25:39 UTC

PraisonAI before 4.6.78 contains an authentication bypass in the Call API agent invocation endpoints (src/praisonai/praisonai/api/agent_invoke.py) when PRAISONAI_CALL_AUTH=disabled is configured. The safeguard intended to restrict the disab...

CVE-2026-61427

Jul 15, 2026 11:25:37 UTC

PraisonAI before 4.6.78 exposes the MCP HTTP-stream transport without authentication by default: the CLI --api-key option defaults to None, and the server only enforces Authorization/Bearer checks when an API key is configured. When an oper...

CVE-2026-57996

Jul 15, 2026 11:25:33 UTC

phpMyFAQ before 4.1.5 contains a privilege escalation vulnerability in the user/add API endpoint that allows non-SuperAdmin administrators to create SuperAdmin accounts. A delegated administrator with USER_ADD/EDIT/DELETE permissions can ca...

CVE-2026-56400

Jul 15, 2026 11:25:31 UTC

open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with allow_origins=* and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the ope...

CVE-2026-56353

Jul 15, 2026 11:25:29 UTC

n8n contains an authentication bypass in the Chat Trigger node when configured with n8n User Auth (a non-default configuration). In affected releases — before 1.123.22, the 2.0.0 through 2.9.2 line, and 2.10.0 — the authentication check on ...

CVE-2026-56339

Jul 15, 2026 11:25:27 UTC

Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST SECURITY DEFINER RPC function public.rescind_invitation that allows unauthenticated attackers to enumerate organization existenc...

CVE-2026-47295

Jul 15, 2026 11:16:30 UTC

Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network.

CVE-2026-50367

Jul 15, 2026 11:16:16 UTC

Incorrect access of indexable resource ('range error') in Windows Sensor Data Service allows an authorized attacker to elevate privileges locally.

CVE-2026-50369

Jul 15, 2026 11:16:03 UTC

Use after free in Windows Remote Desktop Services allows an authorized attacker to elevate privileges over a network.

CVE-2026-58536

Jul 15, 2026 11:15:34 UTC

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

CVE-2026-47305

Jul 15, 2026 11:15:19 UTC

Protection mechanism failure in Visual Studio allows an unauthorized attacker to execute code locally.