105 matches found
CVE-2026-42276
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/chatsessionid endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentication but never verifies the session belongs to the caller. An...
CVE-2026-42277
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/fileid endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is authenticated but never checks that the file...
CVE-2026-42277
Onyx (open‑source AI platform) contains an IDOR in the GET /chat/file/{file_id} endpoint. Before versions 3.0.9, 3.1.6, and 3.2.6, any authenticated user could download another user’s uploaded files by supplying the file’s UUID, because authentication is checked but ownership is not. The vulnerab...
CVE-2026-42277 Onyx: IDOR in /chat/file/{file_id} allows any authenticated user to download other users files
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/fileid endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is authenticated but never checks that the file...
CVE-2026-42277 Onyx: IDOR in /chat/file/{file_id} allows any authenticated user to download other users files
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/fileid endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is authenticated but never checks that the file...
CVE-2026-42276 Onyx: IDOR in /chat/stop-chat-session allows any authenticated user to interrupt other users chat sessions
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/chatsessionid endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentication but never verifies the session belongs to the caller. An...
CVE-2026-42276
Onyx has an IDOR vulnerability in POST /chat/stop-chat-session/{chat_session_id}. Authenticated users can stop other users’ active chat sessions because the endpoint authenticates the caller but does not verify that the session belongs to them. An attacker knowing a chat_session_id can interrupt ...
EUVD-2026-28524
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/chatsessionid endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentication but never verifies the session belongs to the caller. An...
CVE-2026-42276 Onyx: IDOR in /chat/stop-chat-session allows any authenticated user to interrupt other users chat sessions
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/chatsessionid endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentication but never verifies the session belongs to the caller. An...
CVE-2026-42276
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/chatsessionid endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentication but never verifies the session belongs to the caller. An...
Onyx 安全漏洞
Onyx is an open-source AI large model platform developed by Onyx. Vulnerabilities exist in versions prior to Onyx 3.0.9, 3.1.6, and 3.2.6. These vulnerabilities stem from the GET /chat/file/fileid endpoint, which validates the caller’s identity but does not check file ownership. This could allow...
Onyx 安全漏洞
Onyx is an open-source AI large model platform developed by Onyx. Vulnerabilities exist in versions prior to Onyx 3.0.9, 3.1.6, and 3.2.6. These vulnerabilities stem from the POST /chat/stop-chat-session/chatsessionid endpoint checking authentication but failing to verify that the session belongs...
CVE-2023-43784
Plesk Onyx 17.8.11 has accessKeyId and secretAccessKey fields that are related to an Amazon AWS Firehose component. NOTE: the vendor's position is that there is no security threat...
EUVD-2020-3934
Malware in sbrugna...
EUVD-2025-18236
Malicious code in bioql PyPI...
EUVD-2025-22016
Malicious code in bioql PyPI...
EUVD-2025-22353
Malicious code in bioql PyPI...
CVE-2025-51479
Authorization bypass in updateusergroup in onyx-dot-app Onyx Enterprise Edition 0.27.0 allows remote authenticated attackers to modify arbitrary user groups via crafted PATCH requests to the /api/manage/admin/user-group/id endpoint, bypassing intended curator-group assignment checks...
CVE-2025-51479
Authorization bypass in updateusergroup in onyx-dot-app Onyx Enterprise Edition 0.27.0 allows remote authenticated attackers to modify arbitrary user groups via crafted PATCH requests to the /api/manage/admin/user-group/id endpoint, bypassing intended curator-group assignment checks...
CVE-2025-51479
Authorization bypass in updateusergroup in onyx-dot-app Onyx Enterprise Edition 0.27.0 allows remote authenticated attackers to modify arbitrary user groups via crafted PATCH requests to the /api/manage/admin/user-group/id endpoint, bypassing intended curator-group assignment checks...