6.5

CVSS3.1

CVE-2026-5025 - Langflow - Application Logs Exposed to All Authenticated Users

The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the full application log buffer. These endpoints only require basic authentication ('get_current_active_user') without any privilege checks (e.g., 'is_superuser').

📅 Published: March 27, 2026, 2:43 p.m. 🔄 Last Modified: March 27, 2026, 8:28 p.m.

5.1

CVSS4.0

CVE-2026-5010 - Reflected Cross-Site Scripting (XSS) in Sanoma’s Clickedu

A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim’s browser by sending them a malicious URL using the endpoint “/user.php/”. This vulnerability can be exploited to steal sensitive user…

📅 Published: March 27, 2026, 2:35 p.m. 🔄 Last Modified: March 27, 2026, 8:28 p.m.

6.3

CVSS4.0

CVE-2026-5022 - Langflow - Missing Authorization on download_image Endpoint

The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing (or guessing) the flow ID and file name.

📅 Published: March 27, 2026, 2:34 p.m. 🔄 Last Modified: March 27, 2026, 8:28 p.m.

5.3

CVSS4.0

CVE-2026-33766 - AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints

WWBN AVideo is an open source video platform. In versions up to and including 26.0, `isSSRFSafeURL()` validates URLs against private/reserved IP ranges before fetching, but `url_get_contents()` follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection …

📅 Published: March 27, 2026, 2:31 p.m. 🔄 Last Modified: March 27, 2026, 8:28 p.m.

4.3

CVSS3.1

CVE-2026-33764 - AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video. An authenticated us…

📅 Published: March 27, 2026, 2:29 p.m. 🔄 Last Modified: March 27, 2026, 8:28 p.m.

6.5

CVSS3.1

CVE-2026-27879 - Query resampling can cause unbounded memory allocations

A resample query can be used to trigger out-of-memory crashes in Grafana.

📅 Published: March 27, 2026, 2:28 p.m. 🔄 Last Modified: March 29, 2026, 8:30 p.m.

6.5

CVSS3.1

CVE-2026-28375 - Grafana Testdata datasource can issue unbounded memory allocations

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.

📅 Published: March 27, 2026, 2:26 p.m. 🔄 Last Modified: March 27, 2026, 8:28 p.m.

5.3

CVSS3.1

CVE-2026-33763 - AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean O…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect`…

📅 Published: March 27, 2026, 2:25 p.m. 🔄 Last Modified: March 27, 2026, 8:28 p.m.

9.1

CVSS3.1

CVE-2026-27876 - RCE on Grafana via sqlExpressions

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlE…

📅 Published: March 27, 2026, 2:24 p.m. 🔄 Last Modified: March 29, 2026, 8:30 p.m.

5.3

CVSS3.1

CVE-2026-33761 - AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, …

WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdm…

📅 Published: March 27, 2026, 2:24 p.m. 🔄 Last Modified: March 27, 2026, 8:28 p.m.