GHSA-VX2F-6M6H-9FRF Bugsink: Issue event views can show an event from another project if its UUID is known

Description Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary authorization issue: a logged-in user with access to one project can view anoth...

CVE-2026-5502

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutorupdatecoursecontentorder function. The function only validates the...

CVE-2026-44561

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the isuserchannelmember function checks whether a ChannelMember row exists but does not check the isactive field. When a user is deactivated from a group or DM channel removed by the...

CVE-2026-49203

Crucial management API endpoints for cellular eSIM allocation do not validate caller authorization, allowing remote profiles to be rewritten or deleted...

Powertek Firmware <3.30.30 - Authorization Bypass

Powertek firmware multiple brands before 3.30.30 running Power Distribution Units are vulnerable to authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface /cgi/getparam.cgi with the tmpToken cookie set to an...

GHSA-H37G-4H4P-9X97 PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership

Summary PraisonAI Platform has a broken workspace authorization check that allows any authenticated low-privilege workspace member to escalate their own role to owner. The issue is caused by privileged workspace-management routes using the shared dependency requireworkspacemember... without...

GHSA-RWJR-QJJ3-MQ2F Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php`

Summary modules/categories.php checks that the supplied type parameter ANN, EVT, ROL, USF, … corresponds to a module the actor administers. The follow-up "is this specific category editable by me" check at lines 56-61 is dead code because it compares $getType a category-type code against mode nam...

CVE-2026-4290 WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators

The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/userid REST API endpoint in all versions up to, and including, 10.6.0. This is due to the checkpermission callback unconditionally returning true and the Database::delete...

EUVD-2026-33027

Mantis Bug Tracker MantisBT is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user REPORTER+ to download attachments on private bugnotes they should not be able to access, via the REST API endpoint...

CVE-2026-2601 Missing Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 11.5 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to access sensitive deployment data on projects due to...

CVE-2026-3896

The Livemesh SiteOrigin Widgets plugin for WordPress is affected by a Stored Cross-Site Scripting (XSS) issue via the lsow_admin_ajax action in all versions up to and including 3.9.2. The root cause is missing user capability checks alongside insufficient input sanitization; the AJAX handler vali...

PT-2026-43407

Missing Authorization vulnerability in oban-bg oban web 'Elixir.Oban.Web.Jobs.DetailComponent' modules allows unauthorized job worker substitution. The handle event"save-job", ... handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel,...

CVE-2026-45395 Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the tool update endpoint POST /api/v1/tools/id/id/update is missing the workspace.tools permission check that is present on the tool create endpoint. This allows a user who has been...

CVE-2026-44554

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collectionname and an overwrite query parameter default: True. It performs no authorization check on whether t...

CVE-2026-44554 Open WebUI: Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collectionname and an overwrite query parameter default: True. It performs no authorization check on whether t...

CVE-2026-44561 Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the isuserchannelmember function checks whether a ChannelMember row exists but does not check the isactive field. When a user is deactivated from a group or DM channel removed by the...

CVE-2026-44561

CVE-2026-44561 affects Open WebUI. The vulnerability arises in the is_user_channel_member check: before 0.9.0, the code verifies ChannelMember existence but ignores is_active, so deactivated members (status 'left', is_active=False) retain full read/write access to group/DM channels via direct API...

GHSA-26G9-27VM-X3Q8 Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion

Summary Any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/id when the target file is referenced in any shared chat. The hasaccesstofile authorization gate unconditionally grants access through its shared-chat branch. It checks neither the requesting...

NPM: Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution

NPM: Open WebUI: Missing workspace.tools Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution vulnerability discovered by ? in WordPress Npm open-webui versions 0.9.5...

Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution

Summary The tool update endpoint POST /api/v1/tools/id/id/update is missing the workspace.tools permission check that is present on the tool create endpoint. This allows a user who has been explicitly denied tool management capabilities and who the administrator considers untrusted for code...