20388 matches found

RedhatCVE, added 2026/05/19 7:57 a.m.

CVE-2026-45671

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/{id} when the target file is referenced in any shared chat. The has_access_to_file...

CVSS 8, AI score 5.7, EPSS 0.0027. Exploits: 1, References: 1.

OSSF Malicious Packages, added 2026/05/19 12:00 a.m.

Malicious code in @antv/g-base (npm)

Part of the Mini Shai-Hulud supply chain attack campaign, in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score 5.8. Exploits: 0, References: 5.

Positive Technologies, added 2026/05/19 12:00 a.m.

PT-2026-42035

Summary: pymdownx.snippets has a regression of the CVE-2023-32309 / GHSA-jh85-wwv9-24hv fix. With restrict_base_path: True (the default), the current filename.startswith(base) containment check does not enforce a directory boundary. As a result, a markdown snippet directive can read files from sibling...

CVSS 7.5, AI score 7, EPSS 0.01558. Exploits: 1, References: 6.

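The PT-2026-42035 entry describes a containment check that compares strings rather than path components. The example below is added here and is not pymdownx's own code: it puts a string-prefix check beside a component-wise check using os.path.commonpath, on constructed paths under an assumed base directory /srv/docs/snippets, so the divergence on a sibling directory whose name merely begins with the base name is visible.

```python
import os

# Added example, not pymdownx's code. The base directory and candidate
# paths are constructed; nothing here touches the real filesystem beyond
# realpath normalisation.


def naive_contains(base: str, filename: str) -> bool:
    """The flawed pattern: a character-prefix test on the resolved path.
    '/srv/docs/snippets_private/x' starts with '/srv/docs/snippets', so a
    sibling directory passes even though it is outside the base."""
    real_base = os.path.realpath(base)
    real_file = os.path.realpath(filename)
    return real_file.startswith(real_base)


def strict_contains(base: str, filename: str) -> bool:
    """Hardened containment check: compare path components. The candidate is
    inside the base only when the base itself is the longest common
    directory prefix of both resolved paths. realpath collapses '..'
    segments and symlinks before the comparison."""
    real_base = os.path.realpath(base)
    real_file = os.path.realpath(filename)
    try:
        return os.path.commonpath([real_base, real_file]) == real_base
    except ValueError:
        # Mixed absolute/relative paths or different Windows drives: deny.
        return False


def check(base: str, candidates):
    """Return {candidate: (naive_result, strict_result)} for each candidate
    snippet path; the rows where the two disagree are the bug."""
    return {c: (naive_contains(base, c), strict_contains(base, c)) for c in candidates}


BASE = "/srv/docs/snippets"  # assumed base directory
CANDIDATES = [  # constructed inputs
    "/srv/docs/snippets/intro/header.md",                # legitimate
    "/srv/docs/snippets_private/secret.md",              # sibling sharing the prefix
    "/srv/docs/snippets/../snippets_private/secret.md",  # traversal into that sibling
    "/srv/docs/other/notes.md",                          # unrelated sibling
]

if __name__ == "__main__":
    for path, (naive, strict) in check(BASE, CANDIDATES).items():
        print(f"{path}: naive={naive} strict={strict}")
```

The same component-wise test is available as pathlib.Path.is_relative_to (Python 3.9+), but it is purely lexical, so both sides must still be passed through realpath first or a symlink inside the base can point anywhere.
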
Positive Technologies, added 2026/05/19 12:00 a.m.

PT-2026-42041

Name of the vulnerable software and affected versions: SillyTavern versions prior to 1.18.0. Description: SillyTavern is a locally installed user interface for interacting with large language models, image generation engines, and text-to-speech models. The application contains a Server-Side Request...

CVSS 8.5, AI score 5.8, EPSS 0.00866. Exploits: 0, References: 6.

Nvidia, added 2026/05/19 12:00 a.m.

Security Bulletin: NVIDIA DGX Spark - May 2026

NVIDIA has released a software update for NVIDIA® DGX Spark. To protect your system, download and install the latest version of NVIDIA DGX OS from the NVIDIA DGX site. Go to NVIDIA Product Security. Details: The following table summarizes the potential vulnerabilities that this security update...

CVSS 8.1, AI score 5.8, EPSS 0.00586. Exploits: 0, Affected software: 1.

Tenable Nessus, added 2026/05/19 12:00 a.m.

RHEL 10 : gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free (RHSA-2026:19024)

The remote Red Hat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:19024 advisory. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package...

CVSS 8.8, AI score 7.7, EPSS 0.00838. Exploits: 0, References: 16.

OSV, added 2026/05/19 12:00 a.m.

ALSA-2026:19024 Important: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free security update

GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer. Security fixes: GStreamer: Arbitrary code execution via ASF file processing (CVE-2026-2920); GStreamer:...

CVSS 8.8, AI score 7.7, EPSS 0.00838. Exploits: 0, References: 16.

OSV, added 2026/05/19 12:00 a.m.

ALSA-2026:19180 Important: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free security update

GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer. Security fixes: GStreamer: Arbitrary code execution via ASF file processing (CVE-2026-2920); GStreamer:...

CVSS 8.8, AI score 6.4, EPSS 0.00838. Exploits: 0, References: 16.

AlmaLinux, added 2026/05/19 12:00 a.m.

Important: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free security update

GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer. Security fixes: GStreamer: Arbitrary code execution via ASF file processing (CVE-2026-2920); GStreamer:...

CVSS 8.8, AI score 7.7, EPSS 0.00838. Exploits: 0, References: 16.

Tenable Nessus, added 2026/05/19 12:00 a.m.

RHEL 9 : gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free (RHSA-2026:19180)

The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:19180 advisory. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package...

CVSS 8.8, AI score 7.7, EPSS 0.00838. Exploits: 0, References: 16.

OSV, added 2026/05/19 12:00 a.m.

MAL-2026-3909 Malicious code in @antv/g-base (npm)

Part of the Mini Shai-Hulud supply chain attack campaign, in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score 5.8. Exploits: 0, References: 5.

Snyk, added 2026/05/18 9:00 p.m.

Embedded Malicious Code

Overview: Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

CVSS 9.8, AI score 5.9. Exploits: 0, References: 3.

Snyk, added 2026/05/18 9:00 p.m.

Embedded Malicious Code

Overview: Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

CVSS 9.8, AI score 5.9. Exploits: 0, References: 2.

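The OSSF, OSV and Snyk entries above all describe the same mechanism: a compromised maintainer account publishes versions whose preinstall hook runs at `npm install` time. A practical first check on an already-fetched dependency tree is to list every package that declares an install-time lifecycle script. The scanner below is an added example, not code from any of those advisories or from an affected package; it walks a node_modules directory, reads each package.json, and reports preinstall/install/postinstall/prepare scripts. The sample tree it builds is constructed for illustration (package names, versions and the hook command are invented).

```python
import json
import os
import tempfile

# Added example, not code from the advisories or from any npm package.
# The node_modules tree built by build_sample_tree() is constructed.

# Lifecycle scripts that npm runs automatically during install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(node_modules: str):
    """Walk a node_modules tree and return one finding per install-time
    lifecycle script, as dicts with package, version, hook and command."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(node_modules):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        scripts = meta.get("scripts")
        if not isinstance(scripts, dict):
            continue
        for hook in INSTALL_HOOKS:
            command = scripts.get(hook)
            if command:
                findings.append({
                    "package": meta.get("name", os.path.relpath(dirpath, node_modules)),
                    "version": meta.get("version", "?"),
                    "hook": hook,
                    "command": command,
                })
    return findings


def build_sample_tree() -> str:
    """Create a constructed node_modules directory with one package that has
    only a test script and one scoped package that declares a preinstall hook."""
    root = tempfile.mkdtemp(prefix="node_modules-")
    manifests = {  # constructed manifests, not real packages
        "left-pad": {"name": "left-pad", "version": "1.3.0",
                     "scripts": {"test": "node test.js"}},
        "@acme/widget": {"name": "@acme/widget", "version": "2.4.0",
                         "scripts": {"preinstall": "node ./setup.js"}},
    }
    for folder, meta in manifests.items():
        pkg_dir = os.path.join(root, folder)  # scoped names become nested dirs
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return root


if __name__ == "__main__":
    for f in find_install_scripts(build_sample_tree()):
        print(f"{f['package']}@{f['version']}: {f['hook']} -> {f['command']}")
```

Run this against a freshly installed tree and diff the output against the previous known-good install; a hook appearing in a package that never had one is the signal. For CI, `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle scripts from executing at all, which removes this delivery vector but also disables legitimate native-build steps, so packages that genuinely need them must then be built explicitly.
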
vulnersOsv, added 2026/05/18 9:00 p.m.

@antv/g-base (=0.5.13), @yogeshcl/g6-react-ba (=0.0.6) potentially affected by unknown CVE via @antv/d3-interpolate (=1.0.3)

@antv/d3-interpolate npm version =1.0.3 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/d3-interpolate and may be impacted: @antv/g-base =0.5.13; @yogeshcl/g6-react-ba =0.0.6. Source CVEs: unknown CVE. Source advisory:...

AI score 5.5. Exploits: 0.

vulnersOsv, added 2026/05/18 9:00 p.m.

@antv/d3-interpolate (>=1.0.2 <=1.0.3), @antv/g-base (=0.5.13) +1 more potentially affected by unknown CVE via @antv/d3-color (=1.0.0)

@antv/d3-color npm version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/d3-color and may be impacted: @antv/d3-interpolate =1.0.2, =1.0.3; @antv/g-base =0.5.13; @yogeshcl/g6-react-ba =0.0.6. Source CVEs: unknown CVE. Source advisory:...

AI score 5.5. Exploits: 0.

vulnersOsv, added 2026/05/18 9:00 p.m.

1g6table (=0.1.0), 7qb (=0.0.17) +1309 more potentially affected by unknown CVE via @antv/g-base (>=0.1.1 <=0.5.6)

@antv/g-base npm version =0.1.1, =1.1.0, =0.1.1, =0.1.1, =0.1.0, =0.0.2, =0.1.2, =0.9.1, =1.0.0, =0.2.0, =1.1.15, =1.0.4, =2.1.0 and more. Source CVEs: unknown CVE. Source advisory: SNYK:JS-ANTVGBASE-16754962...

AI score 5.5. Exploits: 0.

vulnersOsv, added 2026/05/18 9:00 p.m.

1g6table (=0.1.0), 7qb (=0.0.17) +1309 more potentially affected by unknown CVE via @antv/g-base (>=0.1.1 <=0.5.6)

@antv/g-base npm version =0.1.1, =1.1.0, =0.1.1, =0.1.1, =0.1.0, =0.0.2, =0.1.2, =0.9.1, =1.0.0, =0.2.0, =1.1.15, =1.0.4, =2.1.0 and more. Source CVEs: unknown CVE. Source advisory: SNYK:JS-ANTVGBASE-16754795...

AI score 5.5. Exploits: 0.

RedhatCVE, added 2026/05/18 7:58 p.m.

CVE-2026-45398

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, validate_collection_access checks the user-memory- and file- collection-name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any...

CVSS 7.5, AI score 5.8, EPSS 0.00331. Exploits: 1, References: 1.

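The CVE-2026-45398 entry describes an access check keyed on collection-name prefixes that never reaches the one family of names with no prefix at all. The example below is added here and is not Open WebUI's code: the prefixes, ownership tables and function names are constructed to show the shape of the bug (an allow-list of recognised prefixes that falls through to "allowed" for anything unrecognised) beside a default-deny version that resolves a raw-UUID name to its knowledge base and checks ownership explicitly.

```python
import uuid

# Added example, not Open WebUI's code. Prefixes, stores and names below are
# constructed; only the pattern (prefix allow-list with a permissive
# fall-through versus default deny) is the point.

USER_MEMORY_PREFIX = "user-memory-"
FILE_PREFIX = "file-"

# Constructed ownership records: file id -> owner, knowledge base
# collection name (a raw UUID string) -> owner.
FILE_OWNERS = {"f1": "alice"}
KB_OWNERS = {"3f2504e0-4f89-11d3-9a0c-0305e82c3301": "alice"}


def _prefixed_family_allowed(user_id: str, collection: str):
    """Shared check for the two prefixed families. Returns True/False when
    the name belongs to one of them, or None when it belongs to neither."""
    if collection.startswith(USER_MEMORY_PREFIX):
        return collection == USER_MEMORY_PREFIX + user_id
    if collection.startswith(FILE_PREFIX):
        return FILE_OWNERS.get(collection[len(FILE_PREFIX):]) == user_id
    return None


def validate_prefix_only(user_id: str, collection: str) -> bool:
    """Flawed variant: names outside the two prefixed families, including a
    knowledge base's raw UUID, match no branch and are treated as accessible."""
    verdict = _prefixed_family_allowed(user_id, collection)
    return True if verdict is None else verdict


def validate_default_deny(user_id: str, collection: str) -> bool:
    """Hardened variant: unrecognised names are denied, and a raw UUID is
    resolved to a knowledge base whose ownership is checked explicitly."""
    verdict = _prefixed_family_allowed(user_id, collection)
    if verdict is not None:
        return verdict
    try:
        kb_id = str(uuid.UUID(collection))  # canonical lowercase form
    except ValueError:
        return False  # not a UUID and not a known prefix: deny
    return KB_OWNERS.get(kb_id) == user_id


if __name__ == "__main__":
    kb = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
    for user in ("alice", "bob"):
        print(user, "prefix-only:", validate_prefix_only(user, kb),
              "default-deny:", validate_default_deny(user, kb))
```

The structural fix is the return value of the fall-through path: an authorisation function that cannot classify a resource name must deny, and every resource family the service actually stores needs its own explicit branch.
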
Github Security Blog, added 2026/05/18 2:51 p.m.

Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping

Summary: Faraday::Connection#build_exclusive_url still allows protocol-relative host override when the request target is provided as a URI object instead of a String. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and can redirect a request built from a fixed-base Faraday::Connection to ...

CVSS 6.5, AI score 6, EPSS 0.00272. Exploits: 1, References: 5, Affected software: 1.

OSV, added 2026/05/18 2:51 p.m.

GHSA-5RV5-XJ5J-3484 Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping

Summary: Faraday::Connection#build_exclusive_url still allows protocol-relative host override when the request target is provided as a URI object instead of a String. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and can redirect a request built from a fixed-base Faraday::Connection to ...

AI score 6, EPSS 0.00272. Exploits: 1, References: 5.

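Both Faraday entries turn on one resolution rule: a target of the form `//host/path` is a network-path reference, so joining it to a fixed base keeps the base's scheme but takes the host from the target, and a guard that only inspects string targets is skipped when the target arrives as a parsed object. The example below is added here and is written in Python's urllib rather than Faraday's Ruby; it is not Faraday's code and makes no claim about its internals. It shows the unscoped join with both a string and a parsed-object target, then a scoped variant that checks scheme and authority after resolution regardless of input type. The base URL and targets are constructed.

```python
from urllib.parse import SplitResult, urljoin, urlsplit

# Added example, not Faraday's code. BASE and the targets are constructed.

BASE = "https://api.example.com/v1/"  # assumed fixed-base connection


def resolve_unscoped(base: str, target) -> str:
    """Resolve a request target against a fixed base with no host check.
    '//host/path' is a network-path reference: scheme from the base, host
    from the target. A parsed object is serialised and treated the same way
    as a string, which is where a string-only guard would be bypassed."""
    if isinstance(target, SplitResult):
        target = target.geturl()
    return urljoin(base, target)


def resolve_scoped(base: str, target) -> str:
    """Resolve first, then verify that scheme and authority still match the
    base. The check runs on the resolved URL, so the form the target arrived
    in (str or parsed object) cannot sidestep it."""
    resolved = resolve_unscoped(base, target)
    b, r = urlsplit(base), urlsplit(resolved)
    if (r.scheme, r.netloc) != (b.scheme, b.netloc):
        raise ValueError(f"target {target!r} leaves base {base!r}: {resolved}")
    return resolved


def allows(base: str, target) -> bool:
    """True when the scoped resolver accepts the target, False when it rejects."""
    try:
        resolve_scoped(base, target)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for t in ("users/1", "/status", "//evil.example/exfil",
              urlsplit("//evil.example/exfil"), "http://api.example.com/v1/plain"):
        print(repr(t), "->", resolve_unscoped(BASE, t), "| scoped:", allows(BASE, t))
```

Absolute-path targets such as `/status` stay on the base host and pass; a network-path reference or a target carrying its own scheme changes the authority or scheme and is rejected. The design point is that host scoping must be a post-resolution comparison, not a pattern check on the raw input.
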