Lucene search

149 matches found

CVE · added 2026/05/15 7:21 p.m. · 8 views

CVE-2026-45339

Open WebUI (self-hosted offline AI platform) has a vulnerability where endpoint access restrictions on API keys could be bypassed by using the x-api-key header, even when the key was restricted from sensitive endpoints like /api/v1/messages. Prior to version 0.9.0, requests with Authorization: Be...

CVSS 6.5 · AI score 5.8 · EPSS 0.00034
Exploits 1 · References 1 · Affected Software 1
Github Security Blog · added 2026/05/14 8:21 p.m. · 6 views

Open WebUI's API key endpoint restrictions bypassed via `x-api-key` header — full message processing on restricted endpoints

Summary Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-... header are correctly blocked with 403. However, the same key sent via the x-api-key header bypasses the...

CVSS 6.5 · AI score 5.8 · EPSS 0.00034
Exploits 1 · References 4 · Affected Software 1
Positive Technologies · added 2026/05/05 12:00 a.m. · 5 views

PT-2026-37216

Name of the Vulnerable Software and Affected Versions D-Link DI-8100 version 16.07.26A1 Description A buffer overflow occurs in the HTTP Request Handler component when manipulating the Name argument. This issue is located within the tggl asp function of the '/tggl.asp' endpoint and can be trigger...

CVSS 9 · AI score 7.4 · EPSS 0.00016
Exploits 1 · References 9
NVD · added 2026/03/20 5:16 p.m. · 1 view

CVE-2025-62843

An improper restriction of communication channel to intended endpoints vulnerability has been reported to affect QHora. If an attacker gains physical access, they can then exploit the vulnerability to gain the privileges that were intended for the original endpoint. We have already fixed the...

CVSS 6.8 · EPSS 0.00027
Exploits 0 · References 1
Positive Technologies · added 2025/08/19 12:00 a.m. · 3 views

PT-2025-33861 · Unknown · Cicool Builder

Name of the Vulnerable Software and Affected Versions: Cicool builder version 3.4.4 Description: An issue allows attackers to reset the administrator's password. This is achieved via the /administrator/auth/reset password API endpoint. Recommendations: As a temporary workaround, consider...

CVSS 9.8 · AI score 7.2 · EPSS 0.00088
Exploits 0 · References 4
Positive Technologies · added 2025/07/22 12:00 a.m. · 1 view

PT-2025-30418 · Unknown · Deepfiction Ai

Name of the Vulnerable Software and Affected Versions: Deepfiction AI versions prior to June 3, 2025 Description: An Insecure Direct Object Reference IDOR vulnerability exists in Deepfiction AI. This allows attackers to access and utilize other users' credits for interacting with the Large Langua...

CVSS 6.5 · AI score 6.3 · EPSS 0.00222
Exploits 0 · References 5
Positive Technologies · added 2025/07/08 12:00 a.m. · 1 view

PT-2025-28415 · Unknown · Quiter Gateway

Name of the Vulnerable Software and Affected Versions: Quiter Gateway versions prior to 4.7.0 Description: The issue is a Reflected Cross-site Scripting XSS vulnerability that allows an attacker to execute JavaScript code in the victim's browser. This is achieved by sending a malicious URL throug...

CVSS 5.1 · AI score 5.8 · EPSS 0.00167
Exploits 0 · References 3
Positive Technologies · added 2025/07/08 12:00 a.m. · 1 view

PT-2025-28409 · Unknown · Quiter Gateway

Name of the Vulnerable Software and Affected Versions: Quiter Gateway versions prior to 4.7.0 Description: The issue allows an attacker to retrieve, create, update, and delete databases through the id factura field in the "/FacturaE/listado facturas ficha.jsp" endpoint. This enables attackers to...

CVSS 9.3 · AI score 6.3 · EPSS 0.00241
Exploits 0 · References 5
Positive Technologies · added 2025/07/08 12:00 a.m. · 1 view

PT-2025-28407 · Unknown · Quiter Gateway

Name of the Vulnerable Software and Affected Versions: Quiter Gateway versions prior to 4.7.0 Description: The issue allows an attacker to retrieve, create, update, and delete databases through the id concesion parameter in the "/FacturaE/DescargarFactura" endpoint. Recommendations: For versions...

CVSS 9.3 · AI score 6.3 · EPSS 0.00241
Exploits 0 · References 4
Positive Technologies · added 2025/07/07 12:00 a.m. · 2 views

PT-2025-28205 · Wegia · Wegia

Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.4.3 Description: A Reflected Cross-Site Scripting XSS issue was identified in the "cadastro dependente pessoa nova.php" endpoint of the WeGIA application. This issue allows attackers to inject malicious scripts in th...

CVSS 6.1 · AI score 5.5 · EPSS 0.00198
Exploits 1 · References 6
Positive Technologies · added 2025/07/03 12:00 a.m. · 2 views

PT-2025-27823

Name of the Vulnerable Software and Affected Versions: BerriAI litellm version 1.65.4 Description: The issue is a SQL injection vulnerability that can be exploited via the "/key/block" endpoint. This allows an attacker to inject malicious SQL code, potentially leading to unauthorized access or...

CVSS 5.4 · AI score 5.8 · EPSS 0.00229
Exploits 2 · References 9
Positive Technologies · added 2025/06/26 12:00 a.m. · 2 views

PT-2025-26995

Name of the Vulnerable Software and Affected Versions: Fanwei E-Office versions = 9.4 Description: An unauthenticated file upload issue exists in the web management interface, affecting the "/general/index/UploadFile.php" endpoint. This endpoint improperly validates uploaded files when invoked wi...

CVSS 10 · AI score 7.7 · EPSS 0.04219
Exploits 0 · References 11
Positive Technologies · added 2025/06/23 12:00 a.m. · 1 view

PT-2025-26621 · Unknown +1 · Visionatrix +1

Name of the Vulnerable Software and Affected Versions: Visionatrix versions 1.5.0 through 2.5.0 Description: The issue concerns a Reflected XSS Cross-Site Scripting attack via the "/docs/flows" endpoint, allowing full takeover of the application and exfiltration of secrets stored in the...

CVSS 8.8 · AI score 5.5 · EPSS 0.00235
Exploits 0 · References 9
Positive Technologies · added 2025/06/15 12:00 a.m. · 1 view

PT-2025-25502 · Comfyui · Comfyui

Name of the Vulnerable Software and Affected Versions: comfyanonymous comfyui versions up to 0.3.39 Description: A vulnerability was found in the file /upload/image of the component, allowing for cross-site scripting through the manipulation of the image argument. This issue can be exploited...

CVSS 5.3 · AI score 4.5 · EPSS 0.00198
Exploits 0 · References 9
Positive Technologies · added 2025/06/06 12:00 a.m. · 1 view

PT-2025-24390 · Tenda · Tenda Ac6

Name of the Vulnerable Software and Affected Versions: Tenda AC6 version 15.03.05.16 Description: A critical vulnerability was found in Tenda AC6. This affects the function formSetRebootTimer of the file /goform/SetRebootTimer. The manipulation of the argument rebootTime leads to stack-based buff...

CVSS 9.8 · AI score 8.7 · EPSS 0.00931
Exploits 1 · References 15
Positive Technologies · added 2025/06/04 12:00 a.m. · 2 views

PT-2025-23769 · Ideacms · Ideacms

Name of the Vulnerable Software and Affected Versions: IdeaCMS versions up to 1.7 Description: A critical issue affects the function Article/Goods of the file "/api/v1.index.article/getList.html". The manipulation of the Field argument leads to SQL injection. The attack may be initiated remotely...

CVSS 6.5 · AI score 6.8 · EPSS 0.0074
Exploits 1 · References 13
Positive Technologies · added 2025/05/29 12:00 a.m. · 1 view

PT-2025-23225 · Gradio · Gradio

Name of the Vulnerable Software and Affected Versions: Gradio versions prior to 5.31.0 Description: Gradio is an open-source Python package that allows quick building of demos and web applications for machine learning models, API, or any arbitrary Python function. An arbitrary file copy...

CVSS 5.3 · AI score 6.7 · EPSS 0.01469
Exploits 1 · References 6
Positive Technologies · added 2025/05/29 12:00 a.m. · 3 views

PT-2025-23200 · Zhilink · Zhilink Adp Application Developer Platform

Name of the Vulnerable Software and Affected Versions: Zhilink ADP Application Developer Platform version 1.0.0 Description: A critical issue was found in the Zhilink ADP Application Developer Platform, affecting some unknown functionality of the file /adpweb/wechat/verifyToken/. This issue leads...

CVSS 6.5 · AI score 6.2 · EPSS 0.00229
Exploits 0 · References 5
Positive Technologies · added 2025/05/26 12:00 a.m. · 3 views

PT-2025-22872 · H3C · H3C Seccenter Smp-E1114P02

Name of the Vulnerable Software and Affected Versions: H3C SecCenter SMP-E1114P02 up to 20250513 Description: A vulnerability has been found in the function Download of the file /packetCaptureStrategy/download. The manipulation of the argument Name leads to path traversal. It is possible to launc...

CVSS 7.5 · AI score 4.5 · EPSS 0.01017
Exploits 0 · References 9
Positive Technologies · added 2025/05/18 12:00 a.m. · 1 view

PT-2025-21825 · Totolink · Totolink N300Rt

Name of the Vulnerable Software and Affected Versions: TOTOLINK N300RH version 6.1c.1390 B20191101 Description: A critical vulnerability has been found in the TOTOLINK N300RH router. This issue affects the setUnloadUserData function of the /cgi-bin/cstecgi.cgi file. The manipulation of the plugin...

CVSS 6.5 · AI score 6.7 · EPSS 0.01385
Exploits 0 · References 12