Lucene search
K

305 matches found

CVE
CVE
added 2026/05/18 8:9 a.m.20 views

CVE-2026-3117

Mattermost plugins contain a permission-check flaw in the GitLab plugin command processing. Versions affected: Mattermost Plugins

6.5CVSS5.8AI score0.00228EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/15 9:9 p.m.8 views

CVE-2026-45351 Open WebUI: Exposure of System Prompt to Regular User [Non-Admin]

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.9, when a regular user non-admin logs into the application, a http://IP:8080/api/models? web request is initiated by the application and in response, it reveals the system prompt of...

6.5CVSS5.8AI score0.00281EPSS
Exploits1References1
NVD
NVD
added 2026/05/15 8:16 p.m.18 views

CVE-2026-44558

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filterallowedaccessgrants on either create or update paths. A non-admin user who can create group channels or who owns a channel can submit arbitrary...

5.4CVSS0.0019EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/15 7:43 p.m.40 views

CVE-2026-44558 Open WebUI: Channel Access Grants Bypass filter_allowed_access_grants

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filterallowedaccessgrants on either create or update paths. A non-admin user who can create group channels or who owns a channel can submit arbitrary...

5.4CVSS0.0019EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/14 6:46 p.m.33 views

CVE-2026-8621 Crabbox < v0.12.0 Authentication Bypass via Header Spoofing

Crabbox prior to v0.12.0 contains an authentication bypass vulnerability that allows non-admin shared-token callers to impersonate other owners or organizations by spoofing identity headers. Attackers can inject malicious X-Crabbox-Owner and X-Crabbox-Org headers in requests authenticated with a...

8.8CVSS0.00361EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/14 4:33 p.m.12 views

Missing Authorization

Overview github.com/portainer/portainer/api/http/proxy/factory/docker is a management UI which allows to manage different Docker environments. Affected versions of this package are vulnerable to Missing Authorization in the enforcement of endpoint security restrictions for non-admin users on Dock...

9.9CVSS5.7AI score0.00347EPSS
Exploits1References2
OSV
OSV
added 2026/05/14 4:33 p.m.6 views

GHSA-5FXQ-QCF3-244W Portainer has an endpoint security bypass via Swarm service create/update

Summary Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to restrict the container configurations non-admin users can launch: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt Seccomp / AppArmor, and bind mounts. T...

9.4CVSS5.8AI score0.00347EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/05/14 4:33 p.m.11 views

Portainer has an endpoint security bypass via Swarm service create/update

Summary Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to restrict the container configurations non-admin users can launch: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt Seccomp / AppArmor, and bind mounts. T...

9.4CVSS5.8AI score0.00347EPSS
Exploits1References6Affected Software1
OSV
OSV
added 2026/05/12 8:0 a.m.5 views

SUSE-SU-2026:1821-1 Security update for NetworkManager

This update for NetworkManager fixes the following issue: - CVE-2025-9615: Fixed non-admin user using others' certificates bsc1257359...

3.3CVSS5.8AI score0.00162EPSS
Exploits0References3
PyPA
PyPA
added 2026/05/11 6:16 p.m.27 views

PYSEC-2026-126

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The option "general",...

6.8CVSS5.8AI score0.00174EPSS
Exploits1References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/11 4:32 p.m.6 views

CVE-2026-42312 pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The option "general",...

6.8CVSS5.8AI score0.00174EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.10 views

PT-2026-39672

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.6.19 Description Inconsistent authorization controls in the memories API allow a standard non-admin user to view, delete, and restore memories belonging to other users. A user can view existing memories using the...

8.3CVSS5.8AI score0.00294EPSS
Exploits1References6
ATTACKERKB
ATTACKERKB
added 2026/05/07 2:59 a.m.10 views

CVE-2026-41660

Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A...

7.1CVSS5.7AI score0.00297EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/05/07 2:59 a.m.12 views

EUVD-2026-28272

Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A...

7.1CVSS5.7AI score0.00297EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/04 10:8 p.m.8 views

pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)

Summary The setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The allowlist contains "proxy", "username" and "proxy", "password" — which protect the proxy credentials — but i...

8.3CVSS6AI score0.00396EPSS
Exploits1References8Affected Software1
OSV
OSV
added 2026/05/04 10:8 p.m.4 views

GHSA-PG67-9WJV-MR85 pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)

Summary The setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The allowlist contains "proxy", "username" and "proxy", "password" — which protect the proxy credentials — but i...

8.3CVSS6AI score0.00396EPSS
Exploits1References8
Positive Technologies
Positive Technologies
added 2026/05/04 12:0 a.m.16 views

PT-2026-37051

CVE-2026-42313 pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set config value API method @permissionPerms.SETTINGS in src/p… https://t.co/8rZNAbQm5s...

8.3CVSS5.8AI score0.00396EPSS
Exploits1References11
CVE
CVE
added 2026/04/23 9:57 p.m.9 views

CVE-2026-41339

OpenClaw vulnerability CVE-2026-41339 affects OpenClaw prior to 2026.4.2. The issue is an information disclosure via Gateway connect snapshots, where configPath and stateDir metadata are exposed to non-admin authenticated clients. This allows recovery of host-specific filesystem paths and deploym...

5.3CVSS5.8AI score0.00283EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.6 views

PT-2026-34559

Name of the Vulnerable Software and Affected Versions RustFS versions prior to 1.0.0-alpha.94 Description Four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a check permissions helper that validates authentication but fails to perform admin-action authorization...

8.3CVSS5.2AI score0.00293EPSS
Exploits0References8
CNNVD
CNNVD
added 2026/04/17 12:0 a.m.11 views

zrok 安全漏洞

Zrok is a secure internet sharing tool developed by OpenZiti. Versions of Zrok prior to 2.0.1 contained security vulnerabilities. These vulnerabilities stemmed from logical errors in the unaccess processor, which could allow non-administrator users to delete the global frontend...

5.3CVSS5.8AI score0.00286EPSS
Exploits0References1
Rows per page
Query Builder