6209 matches found

Cvelist
added 2026/05/16 3:28 p.m., 34 views

CVE-2021-47942 Home Assistant Community Store 1.10.0 Path Traversal Account Takeover

Home Assistant Community Store HACS prior to 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh...

CVSS 8.7 | EPSS 0.00498
Exploits: 1 | References: 4
CVE
added 2026/05/16 3:28 p.m., 17 views

CVE-2021-47942

CVE-2021-47942 concerns Home Assistant Community Store (HACS) 1.10.0. The vulnerability is a path traversal flaw exposed via the /hacsfiles/ endpoint, allowing unauthenticated attackers to read sensitive files (notably .storage/auth) and retrieve credentials/refresh tokens. With this access, an a...

CVSS 8.7 | AI score 5.8 | EPSS 0.00498
Exploits: 1 | References: 4 | Affected Software: 1
Positive Technologies
added 2026/05/16 12:00 a.m., 13 views

PT-2026-41449

Name of the Vulnerable Software and Affected Versions Home Assistant Community Store HACS version 1.10.0 Description A path traversal issue allows unauthenticated attackers to read sensitive files by traversing directories via the '/hacsfiles/' endpoint. This can be used to retrieve the...

CVSS 8.7 | AI score 5.8 | EPSS 0.00498
Exploits: 1 | References: 8
NVD
added 2026/05/15 10:16 p.m., 28 views

CVE-2026-45665

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, a Stored Cross-Site Scripting XSS vulnerability exists in the Banner component due to an improper sanitization order specifically, DOMPurify is executed before the marked library. Th...

CVSS 8.1 | EPSS 0.00322
Exploits: 1 | References: 1
Github Security Blog
added 2026/05/15 9:31 p.m., 8 views

Duplicate Advisory: phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9pq7-mfwh-xx2j. This link is maintained to preserve external references. Original Description phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the...

CVSS 9.3 | AI score 5.6 | EPSS 0.00339
Exploits: 0 | References: 4 | Affected Software: 2
OSV
added 2026/05/15 9:31 p.m., 4 views

GHSA-6626-79JH-5CCR Duplicate Advisory: phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9pq7-mfwh-xx2j. This link is maintained to preserve external references. Original Description phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the...

CVSS 9.3 | AI score 5.6 | EPSS 0.00339
Exploits: 0 | References: 3
EUVD
added 2026/05/15 9:09 p.m., 13 views

EUVD-2026-30646

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.9, when a regular user non-admin logs into the application, a http://IP:8080/api/models? web request is initiated by the application and in response, it reveals the system prompt of...

CVSS 6.5 | AI score 5.8 | EPSS 0.00281
Exploits: 1 | References: 1
EUVD
added 2026/05/15 9:05 p.m., 14 views

EUVD-2026-30642

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, authorization controls surrounding the memories API were inconsistent, resulting in the ability of a standard user to delete, restore, and view the contents of other users' memories...

CVSS 8.3 | AI score 5.8 | EPSS 0.00294
Exploits: 1 | References: 1
Cvelist
added 2026/05/15 9:05 p.m., 34 views

CVE-2026-44570 Open WebUI: Inconsistent authorization controls within memories API

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, authorization controls surrounding the memories API were inconsistent, resulting in the ability of a standard user to delete, restore, and view the contents of other users' memories...

CVSS 8.3 | EPSS 0.00294
Exploits: 1 | References: 1
EUVD
added 2026/05/15 8:59 p.m., 15 views

EUVD-2026-30643

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is...

CVSS 7.3 | AI score 5.8 | EPSS 0.0023
Exploits: 1 | References: 1
NVD
added 2026/05/15 7:17 p.m., 26 views

CVE-2026-45010

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by...

CVSS 9.3 | EPSS 0.00339
Exploits: 0 | References: 2
Cvelist
added 2026/05/15 6:36 p.m., 38 views

CVE-2026-45010 phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint

phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting. Unauthenticated attackers can brute-force any user's six-digit TOTP code by...

CVSS 9.3 | EPSS 0.00339
Exploits: 0 | References: 2
CVE
added 2026/05/15 6:36 p.m., 16 views

CVE-2026-45010

CVE-2026-45010 affects phpMyFAQ before 4.1.2. The /admin/check endpoint improperly restricts authentication attempts, accepting arbitrary user-id parameters without session binding or rate limiting. This enables unauthenticated attackers to brute-force any user’s six-digit TOTP code by submitting...

CVSS 9.3 | AI score 6 | EPSS 0.00339
Exploits: 0 | References: 2
GithubExploit
added 2026/05/15 9:35 a.m., 148 views

Exploit for CVE-2026-8181

EN: Controlled PoC and brief technical notes for authorized secu...

CVSS 9.8 | AI score 5.7 | EPSS 0.14608
Exploits: 10
EUVD
added 2026/05/15 7:46 a.m., 12 views

EUVD-2026-30518

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'table' parameter in all versions up to, and including, 9.1.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVSS 4.9 | AI score 5.9 | EPSS 0.00355
Exploits: 0 | References: 11
ATTACKERKB
added 2026/05/15 7:46 a.m., 9 views

CVE-2026-7046

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'table' parameter in all versions up to, and including, 9.1.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVSS 4.9 | AI score 5.9 | EPSS 0.00355
Exploits: 0 | References: 12
ATTACKERKB
added 2026/05/15 6:45 a.m., 9 views

CVE-2026-4094

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'adminhead' function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Contributor-lev...

CVSS 8.1 | AI score 5.7 | EPSS 0.00273
Exploits: 0 | References: 5
EUVD
added 2026/05/15 2:51 a.m., 15 views

EUVD-2026-30501

Improper cleanup of shared register resources in GPU firmware could allow an admin-privileged attacker from a Guest Virtual machine VM to access these shared resources from another Guest VM, potentially resulting in the loss of confidentiality, integrity, or availability...

CVSS 4.6 | AI score 5.8 | EPSS 0.00112
Exploits: 0 | References: 1
Cvelist
added 2026/05/15 2:51 a.m., 54 views

CVE-2026-0427

Improper cleanup of shared register resources in GPU firmware could allow an admin-privileged attacker from a Guest Virtual machine VM to access these shared resources from another Guest VM, potentially resulting in the loss of confidentiality, integrity, or availability...

CVSS 4.6 | EPSS 0.00112
Exploits: 0 | References: 1
CNNVD
added 2026/05/15 12:00 a.m., 11 views

Open WebUI Security Vulnerability

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.9.0 contained security vulnerabilities. These vulnerabilities were caused by TOCTOU race conditions in the LDAP and OAuth authentication processes, which could allow...

CVSS 8.1 | AI score 5.8 | EPSS 0.00354
Exploits: 1 | References: 2