5 matches found
CVE-2025-71385
Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document into a text element without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a U...
CVE-2026-41522 Iris has an Improper Authorization issue
Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to version 2.4.28, DFIR-IRIS exposes an optional GraphQL endpoint at /graphql that does not enforce the same authorization checks as the REST API. Any authenticated user can...
PT-2026-41200
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.8.0 Description The endpoint "/api/v1/memories/ef" is accessible without authentication and executes the function request.app.state.EMBEDDING FUNCTION. This allows unauthenticated users to trigger embedding...
Goobi viewer - Core: Unauthenticated Solr Streaming Expression Proxy
Summary The Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments,...
GHSA-2RGP-F66F-4499 Goobi viewer - Core: Unauthenticated Solr Streaming Expression Proxy
Summary The Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments,...