Authorization Bypass Through User-Controlled Key

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the querycollectionhandler function. An attacker can access other users' private documents, metadata, and personal memories by submitting crafted requests t...

Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories

Summary Any authenticated user can read other users' private memories via /api/v1/retrieval/query/collection Details Vulnerability 1: Missing authorization in collection querying In backend/openwebui/routers/retrieval.py, the querycollectionhandler function accepts a list of collectionnames but...

EUVD-2026-16636

A resample query can be used to trigger out-of-memory crashes in Grafana...

CVE-2026-33755

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP Contact/query endpoint allows any authenticated user with basic addressbook access to extract arbitrary data...

CVE-2026-27879

A resample query can be used to trigger out-of-memory crashes in Grafana...

UBUNTU-CVE-2026-27879

A resample query can be used to trigger out-of-memory crashes in Grafana...

CVE-2026-27879

A resample query can be used to trigger out-of-memory crashes in Grafana...

CVE-2026-27879

Grafana is affected by CVE-2026-27879 where a resample query can trigger unbounded memory allocations, causing out-of-memory crashes. The issue is exposed via a network attack vector with low complexity and low privileges, and it impacts availability (High) while confidentiality and integrity rem...

CVE-2026-27879

A resample query can be used to trigger out-of-memory crashes in Grafana...

CVE-2026-27879 Query resampling can cause unbounded memory allocations

A resample query can be used to trigger out-of-memory crashes in Grafana...

CVE-2026-27879 Query resampling can cause unbounded memory allocations

A resample query can be used to trigger out-of-memory crashes in Grafana...

CVE-2026-27879

A resample query can be used to trigger out-of-memory crashes in Grafana...

CVE-2026-4954 mingSoft MCMS Web Content List Endpoint ContentAction.java list sql injection

A security vulnerability has been detected in mingSoft MCMS up to 5.5.0. Impacted is the function list of the file net/mingsoft/cms/action/web/ContentAction.java of the component Web Content List Endpoint. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit...

CVE-2026-4954 mingSoft MCMS Web Content List Endpoint ContentAction.java list sql injection

A security vulnerability has been detected in mingSoft MCMS up to 5.5.0. Impacted is the function list of the file net/mingsoft/cms/action/web/ContentAction.java of the component Web Content List Endpoint. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit...

CVE-2026-33755 Authenticated SQL Injection in Contact/query addressBookIds filter

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP Contact/query endpoint allows any authenticated user with basic addressbook access to extract arbitrary data...

CVE-2026-33755

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP Contact/query endpoint allows any authenticated user with basic addressbook access to extract arbitrary data...

CVE-2026-33755 Authenticated SQL Injection in Contact/query addressBookIds filter

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP Contact/query endpoint allows any authenticated user with basic addressbook access to extract arbitrary data...

CVE-2026-33755 Authenticated SQL Injection in Contact/query addressBookIds filter

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP Contact/query endpoint allows any authenticated user with basic addressbook access to extract arbitrary data...

CVE-2026-33755

Group-Office (enterprise CRM/groupware) has an authenticated SQL Injection in the JMAP Contact/query endpoint affecting versions before 6.8.158, 25.0.92, and 26.0.17. An authenticated user with basic addressbook access can extract arbitrary data from the database, including active session tokens ...

yggdrasil security update

An update is available for yggdrasil. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list yggdrasil is a system daemon that subscribes to topics on an MQTT broker a...