CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Snyk•added 2026/05/14 8:28 p.m.•7 views

Missing Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization via the /api/v1/memories/ef endpoint. An attacker can trigger embedding generation and consume computational resources or incur costs by making unauthenticated requests to this endpoint...

6.9CVSS5.8AI score0.00341EPSS

Github Security Blog•added 2026/05/14 8:28 p.m.•8 views

Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS)

Summary GET /api/v1/memories/ef is accessible without authentication and executes request.app.state.EMBEDDINGFUNCTION.... This allows any unauthenticated caller to trigger embedding generation which can lead to direct cost exposure if a paid provider is used. Code reference:...

6.5CVSS5.8AI score0.00341EPSS

Exploits1References5Affected Software1

EUVD•added 2026/05/12 6:30 p.m.•8 views

EUVD-2026-29568

The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint POST /memories. The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending...

6AI score0.00335EPSS

EUVD•added 2026/05/12 6:30 p.m.•9 views

EUVD-2026-29566

The mem0 1.0.0 server lacks authentication and authorization controls for its memory reset and table re-creation functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a CREATE...

6AI score0.00374EPSS

EUVD•added 2026/05/12 6:30 p.m.•6 views

EUVD-2026-29565

The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE SQL statement. Th...

6AI score0.00489EPSS

Cvelist•added 2026/05/12 12:0 a.m.•30 views

CVE-2026-31242

0.00489EPSS

Cvelist•added 2026/05/12 12:0 a.m.•29 views

CVE-2026-31245

0.00335EPSS

ATTACKERKB•added 2026/05/12 12:0 a.m.•5 views

CVE-2026-31243

6AI score0.00374EPSS

Positive Technologies•added 2026/05/12 12:0 a.m.•8 views

PT-2026-40320

6AI score0.00374EPSS

EUVD•added 2025/10/31 12:30 a.m.•5 views

EUVD-2025-37228

LibreChat version 0.7.9 is vulnerable to a Denial of Service DoS attack due to unbounded parameter values in the /api/memories endpoint. The key and value parameters accept arbitrarily large inputs without proper validation, leading to a null pointer error in the Rust-based backend when excessive...

5.4CVSS6.3AI score0.0028EPSS

Exploits1References3

OSV•added 2025/10/31 12:15 a.m.•4 views

CVE-2025-8849

7.5CVSS6.9AI score

NVD•added 2025/10/31 12:15 a.m.•8 views

CVE-2025-8849

7.5CVSS0.0028EPSS

CNNVD•added 2025/10/31 12:0 a.m.•3 views

LibreChat 资源管理错误漏洞

LibreChat is an enhanced ChatGPT clone by Danny Avila Personal Developer. A resource management error vulnerability exists in LibreChat version 0.7.9, which stems from the /api/memories endpoint not limiting the size of parameter values, which could lead to a denial of service attack...

7.5CVSS5.3AI score0.0028EPSS

Exploits1References3

Cvelist•added 2025/10/30 11:42 p.m.•8 views

CVE-2025-8849 Denial of Service in danny-avila/librechat

5.4CVSS0.0028EPSS

Vulnrichment•added 2025/10/30 11:42 p.m.•4 views

CVE-2025-8849 Denial of Service in danny-avila/librechat

5.4CVSS6.5AI score0.0028EPSS