CVE-2026-53470

CVE-2026-53470 affects migration-planner. An authenticated attacker can exploit an improper access control on /api/v1/sources/{id}/image-url to bypass ownership checks and obtain presigned S3 URLs for other users’ Open Virtual Appliance (OVA) images, potentially downloading images containing long...

CVE-2025-66171

The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can create new VMs using backups of any other user of the...

CVE-2026-45267

Nextcloud is an open source content collaboration platform. Prior to version 5.2.6, a missing permissions check allowed users to request reading form submissions of other users. This issue has been patched in version 5.2.6...

CVE-2026-40937

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a checkpermissions helper that validates authentication only access key + session token, without performing any...

Termix 安全漏洞

Termix is a server management platform developed by Karmaa’s individual developers. Versions of Termix prior to 2.3.2 contained security vulnerabilities. These vulnerabilities stemmed from improper validation of the sessionId parameter by the file manager’s functionality. The identifier controlle...

EUVD-2025-210009

In many functions of ComputerEngine.java, there is a possible way to access URIs across users due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2025-22426

In many functions of ComputerEngine.java, there is a possible way to access URIs across users due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2025-22426

CVE-2025-22426 involves a logic error in ComputerEngine.java that can allow cross-user access to URIs, enabling local privilege escalation without user interaction. Exploitation details and affected product/version specifics are not provided in the documents; remediation/patch details are not exp...

CVE-2025-22426

In many functions of ComputerEngine.java, there is a possible way to access URIs across users due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2025-22426

In many functions of ComputerEngine.java, there is a possible way to access URIs across users due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2025-22424

In multiple locations, there is a possible way to reveal images across users due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation...

CVE-2026-9712

When creating an export through the pretix API, API clients are returned an UUID value for their export job a long, random string like 35742818-c375-4d15-839f-d49aecce94d6. Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places...

MLflow 安全漏洞

MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. A security vulnerability exists in MLflow 3.10.1.dev0 and prior versions, which stems from the...

CVE-2026-45345

Open WebUI (self-hosted AI platform) has a vulnerability in the model update function prior to version 0.5.7 where an attacker could modify another user’s private model by changing access permissions during editing. The issue is confirmed in multiple sources (CVE-2026-45345, GHSA-gm54-m39w-grjp, ...

CVE-2026-45402 Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied fileid and attach the referenced file to a resource the caller controls folder knowledge, knowledge-base contents without verifying that the...

CVE-2026-45402

Open WebUI CVE-2026-45402 describes a cross-user file access/overwrite vulnerability in offline Open WebUI prior to 0.9.5. Two concrete paths allow attaching a victim’s file_id without verifying ownership: (1) folder knowledge ingestion via POST /api/v1/folders/{id}/update and (2) knowledge-base ...

GHSA-R472-MW7M-967F Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints

Cross-User File Access via Unchecked fileid in Folder Knowledge and Knowledge-Base Attach Endpoints Summary Multiple endpoints accept a user-supplied fileid and attach the referenced file to a resource the caller controls folder knowledge, knowledge-base contents without verifying that the caller...

Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints

Cross-User File Access via Unchecked fileid in Folder Knowledge and Knowledge-Base Attach Endpoints Summary Multiple endpoints accept a user-supplied fileid and attach the referenced file to a resource the caller controls folder knowledge, knowledge-base contents without verifying that the caller...

GHSA-GM54-M39W-GRJP Open WebUI missing authorization check at the model update function - models from other users can be updated

Summary A user can modify another user's model even if its visibility is set to Private. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here...

GHSA-RMP5-5JJ7-GMVF MantisBT has an authorization bypass that allows reading attachments after losing access to a private issue

MantisBT permits a user to list and download their own attachments from an Issue created by another user, even after that Issue becomes private and direct access to it is denied. Impact The loss of confidentiality caused by this vulnerability is minimal, considering that only the attachments that...