Lucene search
K

9860 matches found

EUVD
EUVD
β€’added 2026/05/18 3:0 a.m.β€’17 views

EUVD-2026-30730

A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component Config API Endpoint. The manipulation of the argument kbId leads to authorization bypass. It is...

6.5CVSS6.2AI score0.00269EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
β€’added 2026/05/18 3:0 a.m.β€’10 views

CVE-2026-8786

A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component Config API Endpoint. The manipulation of the argument kbId leads to authorization bypass. It is...

6.5CVSS5.4AI score0.00269EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
β€’added 2026/05/18 3:0 a.m.β€’57 views

CVE-2026-8786 Tencent WeKnora Config API Endpoint initialization.go getKnowledgeBaseForInitialization authorization

A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component Config API Endpoint. The manipulation of the argument kbId leads to authorization bypass. It is...

6.5CVSS0.00269EPSS
Exploits1References4
Positive Technologies
Positive Technologies
β€’added 2026/05/18 12:0 a.m.β€’15 views

PT-2026-41634

A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component Config API Endpoint. The manipulation of the argument kbId leads to authorization bypass. It is...

6.5CVSS6.2AI score0.00269EPSS
Exploits1References5
GithubExploit
GithubExploit
β€’added 2026/05/16 2:53 p.m.β€’78 views

Operation-Molasses

🍯 OPERATION MOLASSES PEKMEZ Zencefil Efendi's Cyber Dow...

6AI score
Exploits0
NVD
NVD
β€’added 2026/05/15 9:16 p.m.β€’32 views

CVE-2026-45402

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied fileid and attach the referenced file to a resource the caller controls folder knowledge, knowledge-base contents without verifying that the...

8.1CVSS0.00346EPSS
Exploits1References1
NVD
NVD
β€’added 2026/05/15 9:16 p.m.β€’17 views

CVE-2026-45398

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, validatecollectionaccess checks the user-memory- and file- collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any...

7.5CVSS0.00331EPSS
Exploits1References3
EUVD
EUVD
β€’added 2026/05/15 8:40 p.m.β€’13 views

EUVD-2026-30637

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied fileid and attach the referenced file to a resource the caller controls folder knowledge, knowledge-base contents without verifying that the...

8.1CVSS5.8AI score0.00346EPSS
Exploits1References1
Cvelist
Cvelist
β€’added 2026/05/15 8:40 p.m.β€’54 views

CVE-2026-45402 Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied fileid and attach the referenced file to a resource the caller controls folder knowledge, knowledge-base contents without verifying that the...

8.1CVSS0.00346EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
β€’added 2026/05/15 8:40 p.m.β€’9 views

CVE-2026-45402

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied fileid and attach the referenced file to a resource the caller controls folder knowledge, knowledge-base contents without verifying that the...

8.1CVSS5.8AI score0.00346EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
β€’added 2026/05/15 8:35 p.m.β€’37 views

CVE-2026-45398 Open WebUI: IDOR - Retrieval API Bypasses Knowledge Base Access Controls

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, validatecollectionaccess checks the user-memory- and file- collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any...

7.5CVSS0.00331EPSS
Exploits1References3
Vulnrichment
Vulnrichment
β€’added 2026/05/15 8:35 p.m.β€’11 views

CVE-2026-45398 Open WebUI: IDOR - Retrieval API Bypasses Knowledge Base Access Controls

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, validatecollectionaccess checks the user-memory- and file- collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any...

7.5CVSS5.8AI score0.00331EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
β€’added 2026/05/15 8:35 p.m.β€’9 views

CVE-2026-45398

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, validatecollectionaccess checks the user-memory- and file- collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any...

7.5CVSS5.8AI score0.00331EPSS
Exploits1References4Affected Software1
EUVD
EUVD
β€’added 2026/05/15 8:35 p.m.β€’16 views

EUVD-2026-30634

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, validatecollectionaccess checks the user-memory- and file- collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any...

7.5CVSS5.8AI score0.00331EPSS
Exploits1References3
NVD
NVD
β€’added 2026/05/15 8:16 p.m.β€’29 views

CVE-2026-45671

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/id when the target file is referenced in any shared chat. The hasaccesstofile...

8CVSS0.0027EPSS
Exploits1References1
Cvelist
Cvelist
β€’added 2026/05/15 7:49 p.m.β€’50 views

CVE-2026-44554 Open WebUI: Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collectionname and an overwrite query parameter default: True. It performs no authorization check on whether t...

8.1CVSS0.00295EPSS
Exploits1References1
Vulnrichment
Vulnrichment
β€’added 2026/05/15 7:49 p.m.β€’9 views

CVE-2026-44554 Open WebUI: Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collectionname and an overwrite query parameter default: True. It performs no authorization check on whether t...

8.1CVSS5.8AI score0.00295EPSS
Exploits1References1
CVE
CVE
β€’added 2026/05/15 7:49 p.m.β€’33 views

CVE-2026-44554

Open WebUI (self-hosted AI) vulnerability: the POST /api/v1/retrieval/process/web endpoint accepts a user-controlled collection_name with overwrite defaulting to True, and performs no authorization check to verify write access. When overwrite is True, save_docs_to_vector_db calls VECTOR_DB_CLIENT...

8.1CVSS5.8AI score0.00295EPSS
Exploits1References1Affected Software1
Vulnrichment
Vulnrichment
β€’added 2026/05/15 7:40 p.m.β€’8 views

CVE-2026-44560 Open WebUI: Unauthorized File and Knowledge Base Content Access via RAG Vector Search

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the type: "file" non-full-context, type: "text" with collectionname, and bare collectionname/collectionnames paths in the getsourcesfromitems function perform vector store queries...

6.5CVSS5.8AI score0.00366EPSS
Exploits1References1
Cvelist
Cvelist
β€’added 2026/05/15 7:40 p.m.β€’42 views

CVE-2026-44560 Open WebUI: Unauthorized File and Knowledge Base Content Access via RAG Vector Search

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the type: "file" non-full-context, type: "text" with collectionname, and bare collectionname/collectionnames paths in the getsourcesfromitems function perform vector store queries...

6.5CVSS0.00366EPSS
Exploits1References1
Rows per page
Query Builder