
9 matches found

NVD
added 2026/05/15 10:16 p.m., 12 views

CVE-2026-44569

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, there's an IDOR in the channels message management system that allows authenticated users to modify or delete any message within channels they have read access to. The vulnerability...

7.1 CVSS, 0.00036 EPSS
Exploits: 1, References: 1
CVE
added 2026/05/15 9:3 p.m., 12 views

CVE-2026-44569

Open WebUI CVE-2026-44569 describes an IDOR in the channel messages management system. Before version 0.6.19, authenticated users could modify or delete any message in channels they can read because message ownership validation was missing in the backend update/delete endpoints, even though the f...

7.1 CVSS, 5.8 AI score, 0.00036 EPSS
Exploits: 1, References: 1, Affected Software: 1
Github Security Blog
added 2026/05/11 2:4 p.m., 10 views

Open WebUI's Insecure Message Access Breaks Authorization

Description: There's an IDOR in the channels message management system that allows authenticated users to modify or delete any message within channels they have read access to. The vulnerability exists in the message update and delete endpoints, which implement channel-level authorization but...

7.1 CVSS, 5.8 AI score, 0.00036 EPSS
Exploits: 1, References: 3, Affected Software: 1
Positive Technologies
added 2026/05/06 12:0 a.m., 8 views

PT-2026-37354

A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the fronte...

8.8 CVSS, 6.7 AI score, 0.00529 EPSS
Exploits: 0, References: 2
OSV
added 2026/03/04 12:0 p.m., 4 views

RUSTSEC-2026-0034 HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing

Pingora versions prior to 0.8.0 improperly allowed HTTP/1.0 request bodies to be close-delimited and incorrectly handled multiple Transfer-Encoding values. This allows an attacker to desync Pingora's request framing from backend servers and smuggle requests to the backend. This vulnerability...

9.3 CVSS, 5.9 AI score, 0.00018 EPSS
Exploits: 0, References: 4
RedhatCVE
added 2026/03/04 1:56 a.m., 4 views

CVE-2026-28286

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, th...

9.9 CVSS, 6 AI score, 0.00092 EPSS
Exploits: 2, References: 1
Patchstack
added 2021/04/21 12:0 a.m., 14 views

WordPress iThemes Security plugin <= 7.9.0 - Hide Backend Bypass vulnerability

Hide Backend Bypass vulnerability discovered by Julio Potier SecuPress in WordPress iThemes Security plugin versions <= 7.9.0. Solution: Update the WordPress iThemes Security plugin to the latest available version, at least 7.9.1...

1.9 AI score
Exploits: 0, References: 2, Affected Software: 1
myhack58
added 2013/01/09 12:0 a.m., 20 views

About Tencent customer service open platform of the 2 vulnerability+subsidiary vulnerabilities 1-vulnerability warning-the black bar safety net

Vulnerability name: Tencent customer service open platform backend bypass A, detailed description: The login section by noPermissjs http://347.kf.ieodopen.qq.com/admin/js/index.js?v=20121007 Because .kf.ieodopen.qq.com domain name the opening number represents the application number so I think...

7.2 AI score
Exploits: 0
myhack58
added 2011/03/10 12:0 a.m., 22 views

Home improvement network 0day a gold-bug warning-the black bar safety net

Author: broken sword. Release date: 2011-03-08. Vulnerability type: file upload. Vulnerability file: gdChkLogin.asp. Vulnerability description: I posted part of the code for analysis. % dim user1,pass1,rs,sql user1=trimrequest"textfield" "obtains input of a user name,the value assigned to user1"...

7.5 AI score
Exploits: 0