NVD disclosure day

Published threat advisories for June 8, 2026

CVE advisory: CRITICAL

CVE-2026-46442

Flowise Authenticated Code Execution via NodeVM Escape

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A vulnerability in Flowise, a tool for building large language model flows, allows authenticated users to execute arbitrary JavaScript code, potentially leading to system command execution on the server. This could enable unauthorized control of the Flowise host environment.

CVE advisory: CRITICAL

CVE-2026-46440

Flowise Plaintext Authentication Validation Vulnerability

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

A critical vulnerability exists in Flowise's authentication endpoint, allowing plaintext credential validation without rate limiting. This could enable unauthorized access to the application, potentially compromising custom large language model flows. Organizations should verify the relevance and exposure of their Flow

CVE advisory: CRITICAL

CVE-2026-44631

Apache HTTP Server Regular Expression Buffer Underwrite Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A buffer underwrite vulnerability exists in Apache HTTP Server when processing crafted regular expressions in its configuration. This could potentially allow an unauthenticated attacker to impact server integrity and availability by overwriting memory, leading to unexpected behavior or system compromise. It is recommen

CVE advisory: Known Exploit

CVE-2026-50751

Check Point Security Gateway IKEv1 Authentication Bypass Vulnerability

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

A logic flow weakness in certificate validation within a deprecated VPN protocol allows unauthenticated remote attackers to bypass user authentication and establish unauthorized VPN connections without a password. The relevance of this vulnerability depends on the use of this specific deprecated protocol for remote or

• CISA KEV