5.3
CVE-2026-6599 - langflow-ai langflow Model Context Protocol Configuration API mcp_projects.py install_mcp_config inโฆ
A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function get_client_ip/install_mcp_config of the file src/backend/base/langflow/api/v1/mcp_projects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument Xโฆ
5.3
CVE-2026-6598 - langflow-ai langflow Project Creation Endpoint projects.py encrypt_auth_settings cleartext storage โฆ
A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function create_project/encrypt_auth_settings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument auth_settiโฆ
5.1
CVE-2026-6597 - langflow-ai langflow Flow Using API core.py has_api_terms credentials storage
A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiateโฆ
6.9
CVE-2026-6596 - langflow-ai langflow API Endpoint endpoints.py create_upload_file unrestricted upload
A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack rโฆ
6.9
CVE-2026-6595 - ProjectsAndPrograms School Management System HTTP GET Parameter buslocation.php sql injection
A vulnerability was identified in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. This vulnerability affects unknown code of the file buslocation.php of the component HTTP GET Parameter Handler. The manipulation of the argument bus_id leads to sql injectโฆ
6.9
CVE-2026-6594 - brikcss merge prototype pollution
A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vโฆ
5.1
CVE-2026-6593 - ComfyUI View Endpoint server.py cross site scripting
A vulnerability was found in ComfyUI up to 0.13.0. Affected by this issue is some unknown functionality of the file server.py of the component View Endpoint. Performing a manipulation results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made publiโฆ
5.1
CVE-2026-6592 - ComfyUI userdata Endpoint user_manager.py getuserdata cross site scripting
A vulnerability has been found in ComfyUI up to 0.13.0. Affected by this vulnerability is the function getuserdata of the file app/user_manager.py of the component userdata Endpoint. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosedโฆ
5.3
CVE-2026-6591 - ComfyUI LoadImage Node folder_paths.py folder_paths.get_annotated_filepath path traversal
A flaw has been found in ComfyUI up to 0.13.0. Affected is the function folder_paths.get_annotated_filepath of the file folder_paths.py of the component LoadImage Node. This manipulation of the argument Name causes path traversal. Remote exploitation of the attack is possible. The exploit has been โฆ
5.3
CVE-2026-6590 - ComfyUI Model Preview Endpoint model_manager.py get_model_preview path traversal
A vulnerability was detected in ComfyUI up to 0.13.0. This impacts the function get_model_preview of the file app/model_manager.py of the component Model Preview Endpoint. The manipulation results in path traversal. The attack may be launched remotely. The exploit is now public and may be used. Theโฆ