Cybersecurity & EU Regulation

News & Security

Updates from ENISA, NVD and the main European cybersecurity sources. Everything a Technical Manager needs to know.


Vulnerability: High
CVE-2026-56267 - Flowise - PII Disclosure via Unauthenticated Forgot Password Endpoint

CVE ID: CVE-2026-56267
Published: June 20, 2026, 3:24 p.m. | 14 hours, 18 minutes ago
Description: Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs, names, account status, and timestamps by sending requests with known email addresses.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE | 20 Jun 2026
Vulnerability: High
CVE-2026-56235 - Capgo - Unauthenticated Cross-Tenant Metrics Disclosure via RPC Functions

CVE ID: CVE-2026-56235
Published: June 20, 2026, 3:24 p.m. | 14 hours, 18 minutes ago
Description: Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public Supabase API key (sb_publishable_*) can query arbitrary org_id values to disclose cross-tenant usage telemetry (MAU, bandwidth, installs, gets), enumerate app IDs for a target org, and determine org existence via an oracle (valid org returns metrics, invalid returns []).
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE | 20 Jun 2026
Vulnerability: High
CVE-2026-56227 - Capgo - Server-Side Request Forgery via Webhook URL Validation

CVE ID: CVE-2026-56227
Published: June 20, 2026, 3:24 p.m. | 12 hours, 18 minutes ago
Description: Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, and when triggered, the backend performs outbound requests to these addresses with error responses disclosed to users.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE | 20 Jun 2026
Vulnerability: High
CVE-2026-56228 - Capgo - Denial of Service via Improper Password Policy Length Validation

CVE ID: CVE-2026-56228
Published: June 20, 2026, 3:24 p.m. | 12 hours, 18 minutes ago
Description: Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can set an extremely large numeric value (e.g., billions of characters) as the minimum password length, making compliance impossible for all organization members. Once the policy is enabled, users (including administrators) are unable to change their passwords or access the organization, resulting in an organization-wide account lockout and application-level denial of service.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE | 20 Jun 2026
Vulnerability: High
CVE-2026-56218 - Capgo - EXIF Metadata Exposure via Image Upload

CVE ID: CVE-2026-56218
Published: June 20, 2026, 3:24 p.m. | 10 hours, 18 minutes ago
Description: Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowing information disclosure. Attackers can download uploaded images and extract precise latitude and longitude coordinates revealing user physical location at capture time.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE | 20 Jun 2026
Vulnerability: High
CVE-2025-71331 - Flowise - Cross-Site Scripting in Chat Messages and Agent Workflows

CVE ID: CVE-2025-71331
Published: June 20, 2026, 3:24 p.m. | 10 hours, 18 minutes ago
Description: Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript by sending an iframe payload (e.g., ) in a chat box, or by having a custom agent function return an XSS payload from an external website. The injected script executes in the victim's browser, enabling theft of cookies and session data.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE | 20 Jun 2026
Vulnerability: High
CVE-2026-56325 - Capgo - App ID Confusion via ILIKE Wildcard in Preview Subdomain Lookup

CVE ID: CVE-2026-56325
Published: June 20, 2026, 3:21 p.m. | 8 hours, 21 minutes ago
Description: Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for app_id lookup in the preview subdomain resolver, allowing underscore characters in app_id to act as SQL wildcards. Attackers can create apps with app_ids differing by one character at underscore positions to cause unintended pattern matches, breaking preview functionality for legitimate apps or causing app-id confusion.
Severity: 3.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE | 20 Jun 2026
Vulnerability: High
CVE-2026-56317 - Nuxt - Cross-Site Scripting via NoScript Component Slot Content

CVE ID: CVE-2026-56317
Published: June 20, 2026, 3:21 p.m. | 4 hours, 21 minutes ago
Description: Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags.
Severity: 2.3 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE | 20 Jun 2026
Vulnerability: High
CVE-2024-58351 - Flowise - Remote Code Execution via overrideConfig Parameter

CVE ID: CVE-2024-58351
Published: June 20, 2026, 3:21 p.m. | 2 hours, 21 minutes ago
Description: Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction API. Because this feature is enabled by default with no allow-list of permitted variables and relies on vm2 for sandboxing, an attacker can abuse it to achieve remote code execution and sandbox escape, denial of service by crashing the server, server-side request forgery, prompt injection, and server variable and data exfiltration. These issues are self-targeted and do not persist to other users.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE | 20 Jun 2026
Vulnerability: Critical
CVE-2022-50972 (CVSS 9.8)

WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values to write malicious PHP files to the web root.

NVD (NIST) | 20 Jun 2026
Vulnerability: High
CVE-2020-37255 (CVSS 7.5)

WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the IWP_JSON_PREFIX header. Attackers can exploit this flaw to obtain valid administrator session cookies and access the WordPress dashboard without providing credentials.

NVD (NIST) | 20 Jun 2026
Vulnerability: Critical
CVE-2019-25763 (CVSS 9.8)

WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form functionality. Attackers can submit a POST request to the admin-ajax.php endpoint with the uabb-lf-google-submit action, a valid administrator email address, and a valid nonce to obtain session cookies and authenticate as that user.

NVD (NIST) | 20 Jun 2026
