3917 matches found
CVE-2026-45229
Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object to the configdata dictionary. Attackers can exploit insufficient deny-list filtering to...
GHSA-RJMP-VJF2-QF4G Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation
Mass Assignment in Feedback Creation Allows User ID Spoofing and Evaluation Data Manipulation Summary The POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses modelconfig = ConfigDictextra='allow'. Due to an insecure...
Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation
Mass Assignment in Feedback Creation Allows User ID Spoofing and Evaluation Data Manipulation Summary The POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses modelconfig = ConfigDictextra='allow'. Due to an insecure...
GHSA-WXRR-JP8M-QQ7F FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover
Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Evaluator entity - cross-workspace data takeover and IDOR. File: packages/server/src/Interface.Evaluation.ts Root cause: The Evaluator controller/service constructs a n...
FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover
Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Evaluator entity - cross-workspace data takeover and IDOR. File: packages/server/src/Interface.Evaluation.ts Root cause: The Evaluator controller/service constructs a n...
NPM: FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover
NPM: FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
NPM: FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
NPM: FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Evaluation entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/evaluations/index.ts Root cause: The Evaluation controller/service...
GHSA-MQ53-PC65-WJC4 FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Evaluation entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/evaluations/index.ts Root cause: The Evaluation controller/service...
NPM: FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover
NPM: FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
GHSA-7J65-65CR-6644 FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover
Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the DatasetRow entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/dataset/index.ts Root cause: The DatasetRow controller/service constructs...
FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover
Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the DatasetRow entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/dataset/index.ts Root cause: The DatasetRow controller/service constructs...
FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover
Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Dataset entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/dataset/index.ts Root cause: The Dataset controller/service constructs a new...
NPM: FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover
NPM: FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
GHSA-5H9V-837X-M97R FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover
Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Dataset entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/dataset/index.ts Root cause: The Dataset controller/service constructs a new...
NPM: FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover
NPM: FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...
GHSA-728H-4MWJ-F2P4 FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover
Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the CustomTemplate entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/marketplaces/index.ts Root cause: The CustomTemplate controller/servi...
FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover
Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the CustomTemplate entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/marketplaces/index.ts Root cause: The CustomTemplate controller/servi...
GHSA-78PR-C5X5-JGGC FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover
Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Assistant entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/assistants/index.ts Root cause: The Assistant controller/service construct...
NPM: FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover
NPM: FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...