Published threat advisories for April 23, 2026

Flowise versions before 3.1.0 have a critical flaw allowing attackers to steal or alter data stored in your Neo4j database by injecting malicious commands. Update immediately to protect your sensitive information.

NVD published: April 23, 2026

A critical flaw in Microsoft Entra ID lets attackers impersonate network traffic, potentially exposing sensitive data. This vulnerability is easily exploitable over the internet without any authentication.

NVD published: April 23, 2026

A critical flaw in Microsoft Bing lets anyone remotely run their own code, potentially taking control of the service.

NVD published: April 23, 2026

An M365 Copilot flaw can send users to fake websites, potentially letting attackers gain unauthorized control. This is critical because it exposes user accounts and sensitive data across your network.

NVD published: April 23, 2026

A flaw in KTransformers allows an external attacker to gain remote control of the host server. This could lead to the theft of proprietary machine learning models and provide the attacker with access to the broader internal network.

NVD published: April 23, 2026

A critical flaw in Microsoft Purview lets attackers take control of the service and access sensitive data remotely without needing any access first.

NVD published: April 23, 2026

An internal attacker can exploit a flaw in Microsoft Partner Center to gain unauthorized administrative access. This access could allow them to manipulate customer subscriptions or export sensitive data, putting managed client environments at risk.

NVD published: April 23, 2026

An external attacker can exploit a flaw in radare2-mcp to remotely execute unauthorized commands on your system. This could allow them to gain full control of the host, leading to potential data theft or further compromise of your network.

NVD published: April 23, 2026

An external attacker can exploit a flaw in Flowise to gain full control of the server without needing a login. This could allow them to steal sensitive data and potentially access other areas of our network.

NVD published: April 23, 2026

Attackers can exploit Flowise Cloud's account registration to inject data, potentially taking over accounts and disrupting services. Update to version 3.1.0 or later immediately.

NVD published: April 23, 2026

Flowise can be tricked into running harmful commands on your server through a flaw in how it handles AI-generated code, potentially allowing unauthorized access.

NVD published: April 23, 2026

An unauthenticated attacker can control Flowise systems by tricking the AI into running malicious code through chat prompts, potentially compromising server functions and sensitive data. This critical flaw is fixed in version 3.1.0.

NVD published: April 23, 2026

A security flaw in Flowise allows an external attacker to take full control of the server, potentially exposing sensitive business data. This could lead to the theft of confidential information and the total compromise of your underlying infrastructure.

NVD published: April 23, 2026

An external attacker can use LeRobot to run unauthorized code on your servers or robots. This allows them to hijack these devices, resulting in a complete loss of control over your critical systems.

NVD published: April 23, 2026

A critical flaw in the Intrado 911 Emergency Gateway lets anyone read sensitive files, potentially impacting emergency communications.

NVD published: April 23, 2026

A critical flaw in Google Chrome's graphics processing could allow attackers to break out of the browser's security protections by tricking you into opening a malicious video file. This could give them unauthorized access to your computer.

NVD published: April 23, 2026

An external attacker could exploit a flaw in Google Chrome on Android by tricking a user into visiting a malicious website. This allows them to bypass security protections, potentially leading to full device control and unauthorized access to sensitive user information.

NVD published: April 23, 2026

An external attacker could exploit a security weakness in Google Chrome by luring users to a malicious website. This allows the attacker to gain full control of the machine and potentially steal sensitive business data.

NVD published: April 23, 2026

An internal attacker with local access to the Linux kernel can exploit a flaw in network encryption to corrupt system memory. This could result in a system crash or allow the attacker to gain unauthorized control over core processes, compromising system stability.

NVD published: April 23, 2026

An urgent security flaw in Totolink routers lets anyone remotely take control and run unauthorized commands, potentially exposing your network.

NVD published: April 23, 2026

TotoLink routers have a critical flaw allowing attackers to run commands remotely, potentially taking full control of your network. This affects internet-facing devices and warrants immediate attention.

NVD published: April 23, 2026

A serious flaw in ToToLink A3300R routers lets attackers take complete control by sending a web request, potentially impacting internet-facing devices.

NVD published: April 23, 2026

Attackers can take control of ToToLink A3300R routers remotely, potentially disrupting service or accessing sensitive information, as they can execute unauthorized commands without needing a password.

NVD published: April 23, 2026

The hackage-server component allows for the rendering of user-supplied metadata without proper sanitization. This can lead to stored cross-site scripting attacks, potentially impacting users and causing data compromise or service disruption. The business risk involves unauthorized actions or data exposure through malic

NVD published: April 23, 2026

Malicious websites can hijack your browser to upload fake code or create accounts on the Hackage package server, potentially compromising your software supply chain. This affects an internet-facing platform used for public software distribution.

NVD published: April 23, 2026

A critical vulnerability in Hackage's main site allows attackers to hijack user accounts, enabling them to change package details or upload malicious content. This affects authenticated users browsing package pages.

NVD published: April 23, 2026

ntfy versions before 2.22.0 have a critical flaw allowing unauthorized access to your servers and sensitive files. Update now to prevent this.

NVD published: April 23, 2026

A flaw in the X.Org X server's request validation may allow a local attacker to access memory out of bounds. This could expose sensitive information or cause a service disruption. In certain configurations, the impact may be greater.

NVD published: April 23, 2026

A use-after-free vulnerability exists in the X.Org X server's XSYNC fence triggering logic. Attackers with local access can exploit this without user interaction, potentially causing a server crash or memory corruption. This could lead to a denial of service or further system compromise, impacting system availability a

NVD published: April 23, 2026

An external attacker can exploit an unprotected connection in Tungsten Capture to remotely read or modify files without needing to log in. This exposes the business to unauthorized data theft and allows the attacker to take full control of the server, potentially compromising enterprise document processing.

NVD published: April 23, 2026

An external attacker can exploit a flaw in Pipecat to gain full administrative control over the server. This access allows them to run unauthorized commands, potentially resulting in data theft and total system compromise.

NVD published: April 23, 2026

Jizhicms v2.5.4 has a critical flaw allowing attackers to steal sensitive data and take control of your website without needing any login. This issue is internet-exposed and a high priority.

NVD published: April 23, 2026

A critical flaw in SocialEngine lets attackers steal data or take over admin accounts without needing a password. This affects versions prior to 7.8.0 and needs immediate attention.

NVD published: April 23, 2026

A serious flaw in FunnelFormsPro allows attackers to run malicious code on your website, potentially leading to unauthorized control and data compromise. This issue is urgent due to its internet-facing nature.

NVD published: April 23, 2026

Borg SPM 2007 contains a security weakness that allows an external attacker to remotely read, modify, or delete sensitive database information. This could lead to the loss of critical business data or unauthorized manipulation of company records.

NVD published: April 23, 2026

An external attacker can exploit a flaw in Borg SPM 2007 to bypass login controls and access the system as any user. This risks unauthorized administrative control and the potential theft of sensitive business data.

NVD published: April 23, 2026

A critical flaw in Borg SPM 2007 allows unauthenticated attackers to upload malicious code and take control of your server. This issue demands immediate attention as it enables remote code execution without any login required.

NVD published: April 23, 2026

An unauthenticated flaw in H2O-3's import feature lets attackers run any code on your server, potentially stealing data or causing outages. Upgrade immediately to prevent this critical risk.

NVD published: April 23, 2026

Froxlor server software has a critical flaw allowing attackers with admin access to run any code they want on your server, impacting all users and data. Update to version 2.3.6 immediately.

NVD published: April 23, 2026

Froxlor server software has a critical flaw allowing authenticated users to run any code on your server by exploiting a language setting. Upgrade to version 2.3.6 immediately to prevent unauthorized code execution.

NVD published: April 23, 2026

An external attacker could exploit a flaw in the Breeze Cache for WordPress plugin to upload malicious files, provided the "Host Files Locally" feature is enabled. This could lead to a full takeover of the web server, risking sensitive customer data and site availability.

NVD published: April 23, 2026

A critical flaw in Paperclip, a tool for managing AI agents, allows attackers to gain full control of any internet-connected system without needing a password or any special access. This means your business operations could be compromised remotely.

NVD published: April 23, 2026

Noir contains a memory flaw that could allow an internal attacker to corrupt system memory during program compilation. This could enable unauthorized changes to sensitive proof data or the bypass of critical program logic, threatening the integrity of business applications.

NVD published: April 23, 2026

Luanti allows an internal attacker to execute unauthorized code on the host device by bypassing security restrictions. This vulnerability could lead to full system compromise, resulting in the exposure or modification of sensitive files and data.

NVD published: April 23, 2026

IBM Total Storage Service Console and TS4500 IMC have a critical flaw allowing anyone to run commands on your system remotely, potentially leading to unauthorized control.

NVD published: April 23, 2026

An external attacker can manipulate the Rclone tool to run unauthorized commands on the host server. This could allow the attacker to take full control of the system, putting your data and business operations at risk.

NVD published: April 23, 2026

An external attacker can access the Rclone remote control service to disable its security protections without authorization. This allows them to hijack sensitive administrative functions, potentially leading to unauthorized access to your cloud storage data or disruption of critical file synchronization processes.

NVD published: April 23, 2026

Rocket.Chat versions before 8.3.0 have a critical flaw allowing account takeover through OAuth configuration. This impacts internet-facing systems and needs immediate attention to protect your communication platform.

NVD published: April 23, 2026