39 matches found
K000161327: NGINX UI vulnerability CVE-2026-33032
Security Advisory Description Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP Model Context Protocol integration exposes two HTTP endpoints: /mcp and /mcpmessage. While /mcp requires both IP whitelisting and authentication AuthRequired...
GHSA-WWHQ-CX22-F7VV Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint
Summary An IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members including administrators within the same channel. This vulnerability affects the latest version v0.8.12 of Open WebUI. Details In the updatemessagebyid...
Missing Authorization
Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization in the updatemessagebyid and deletemessagebyid endpoints due to missing ownership validation for messages. An attacker can alter or remove messages belonging to other users by sending...
Rocket.Chat: IDOR: autotranslate.translateMessage Full Message Content Leak
The /api/v1/autotranslate.translateMessage endpoint allowed any authenticated user to retrieve the full content of any message from any room, including private groups, direct messages, and channels. The endpoint fetched the message without performing a room access check, returning the complete...
Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover
A recently disclosed critical security flaw impacting nginx-ui, an open-source, web-based Nginx management tool, has come under active exploitation in the wild. The vulnerability in question is CVE-2026-33032 CVSS score: 9.8, an authentication bypass vulnerability that enables threat actors to...
EUVD-2026-17773
A security flaw has been discovered in z-9527 admin 1.0/2.0. Affected is an unknown function of the file /server/routes/message.js of the component Message Create Endpoint. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been releas...
PT-2026-29447
A security flaw has been discovered in z-9527 admin 1.0/2.0. Affected is an unknown function of the file /server/routes/message.js of the component Message Create Endpoint. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been releas...
CVE-2026-33032
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP Model Context Protocol integration exposes two HTTP endpoints: /mcp and /mcpmessage. While /mcp requires both IP whitelisting and authentication AuthRequired middleware, the /mcpmessage endpoi...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the mcpmessage endpoint due to missing authentication checks and an empty default IP whitelist, which is treated as allowing all connections. An attacker can gain full control over the Ngi...
EUVD-2026-16150
Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'visitor' in '/api/v1/webchat/message'...
Inadequate Encryption Strength
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Inadequate Encryption Strength due to the use of weak cryptographic key generation in the createKeys function. An attacker can gain unauthorized access to protecte...
Missing Authentication for Critical Function
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the decryptMessage.json.php endpoint, which processes user-supplied private keys, encrypted messages, and...
EUVD-2025-44061
The sendmessage.php endpoint in SourceCodester Simple Public Chat Room 1.0 is vulnerable to Cross-Site Request Forgery CSRF. The application does not implement any CSRF-protection mechanisms such as tokens, nonces, or same-site cookie restrictions. An attacker can create a malicious HTML page tha...
CVE-2025-63710
The sendmessage.php endpoint in SourceCodester Simple Public Chat Room 1.0 is vulnerable to Cross-Site Request Forgery CSRF. The application does not implement any CSRF-protection mechanisms such as tokens, nonces, or same-site cookie restrictions. An attacker can create a malicious HTML page tha...
SourceCodester Simple Public Chat Room 安全漏洞
SourceCodester Simple Public Chat Room is a simple public chat room in SourceCodester open source. A security vulnerability exists in SourceCodester Simple Public Chat Room version 1.0, which stems from the sendmessage.php endpoint that does not implement a CSRF protection mechanism, which could...
CVE-2025-63710
The CVE-2025-63710 entry concerns SourceCodester Simple Public Chat Room 1.0. The send_message.php endpoint is vulnerable to Cross-Site Request Forgery (CSRF) because there are no CSRF protections (tokens, nonces, or same-site cookies). An attacker could lure an authenticated user to a malicious ...
PT-2025-46161
Name of the Vulnerable Software and Affected Versions SourceCodester Simple Public Chat Room version 1.0 Description The application lacks CSRF-protection mechanisms like tokens, nonces, or same-site cookie restrictions. An attacker can create a malicious HTML page that, when visited by an...
CVE-2025-63710
The sendmessage.php endpoint in SourceCodester Simple Public Chat Room 1.0 is vulnerable to Cross-Site Request Forgery CSRF. The application does not implement any CSRF-protection mechanisms such as tokens, nonces, or same-site cookie restrictions. An attacker can create a malicious HTML page tha...
CVE-2025-63710
The sendmessage.php endpoint in SourceCodester Simple Public Chat Room 1.0 is vulnerable to Cross-Site Request Forgery CSRF. The application does not implement any CSRF-protection mechanisms such as tokens, nonces, or same-site cookie restrictions. An attacker can create a malicious HTML page tha...
EUVD-2019-18494
Malware in sbrugna...