
Veracode
Added 2026/03/28 5:21 a.m., 24 views

Server-Side Request Forgery (SSRF)

saloonphp/saloon is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to improper validation of request endpoints allowing absolute URLs to override the base URL, which allows an attacker to redirect requests to malicious hosts and potentially exfiltrate sensitive data such...

CVSS 8.7, AI score 5.9, EPSS 0.0042
Exploits: 0, References: 3, Affected software: 1
RedhatCVE
Added 2026/03/28 4:56 a.m., 5 views

CVE-2026-28788

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the POST /api/v1/retrieval/process/files/batch endpoint. The endpoint performs no ownership check, so a...

CVSS 7.1, AI score 5.9, EPSS 0.02858
Exploits: 1, References: 1
vulnersOsv
Added 2026/03/27 9:32 p.m., 4 views

langflow-nightly (=1.8.0.dev24) potentially affected by CVE-2026-33873 via langflow-base (=0.7.2)

langflow-base PyPI version =0.7.2 is affected by a known vulnerability. The following packages have a transitive dependency on langflow-base and may be impacted:
- langflow-nightly =1.8.0.dev24
Source CVEs: CVE-2026-33873
Source advisory: SNYK:PYTHON-LANGFLOWBASE-15812241...

CVSS 9.9, AI score 5.8, EPSS 0.01426
Exploits: 1
Snyk
Added 2026/03/27 7:36 p.m., 3 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the readflow helper in src/backend/base/langflow/api/v1/flows.py. An attacker can read, modify, or delete another user's flow by supplying that flow's UUID to the GET, PATCH, or DELETE /api/v1/flow/flowid...

CVSS 8.8, AI score 5.9, EPSS 0.00406
Exploits: 0, References: 3
Snyk
Added 2026/03/27 6:05 p.m., 3 views

Cross-site Scripting (XSS)

Overview: n8n-nodes-base provides the base nodes of n8n. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Form Trigger node. An attacker can execute arbitrary scripts in the context of users visiting a published form by injecting malicious payloads, potentially leading t...

CVSS 5.4, AI score 6
Exploits: 0, References: 2
vulnersOsv
Added 2026/03/27 5:31 p.m., 29 views

langflow-nightly (=1.8.0.dev24) potentially affected by CVE-2026-5027 via langflow-base (=0.7.2)

langflow-base PyPI version =0.7.2 is affected by a known vulnerability. The following packages have a transitive dependency on langflow-base and may be impacted:
- langflow-nightly =1.8.0.dev24
Source CVEs: CVE-2026-5027
Source advisory: SNYK:PYTHON-LANGFLOWBASE-15842030...

CVSS 8.8, AI score 5.8, EPSS 0.02104
Exploits: 4
vulnersOsv
Added 2026/03/27 5:31 p.m., 2 views

langflow-nightly (=1.8.0.dev24) potentially affected by CVE-2026-5022 via langflow-base (=0.7.2)

langflow-base PyPI version =0.7.2 is affected by a known vulnerability. The following packages have a transitive dependency on langflow-base and may be impacted:
- langflow-nightly =1.8.0.dev24
Source CVEs: CVE-2026-5022
Source advisory: SNYK:PYTHON-LANGFLOWBASE-15840036...

CVSS 6.3, AI score 5.8, EPSS 0.00204
Exploits: 0
Snyk
Added 2026/03/27 5:31 p.m., 4 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the downloadimage endpoint. An attacker can access and download image files belonging to any flow by knowing or guessing the flow ID and file name. Remediation: There is no fixed version for langflow-base...

CVSS 6.3, AI score 5.9, EPSS 0.00204
Exploits: 0, References: 2
vulnersOsv
Added 2026/03/27 5:31 p.m., 3 views

langflow-nightly (=1.8.0.dev24) potentially affected by CVE-2026-5026 via langflow-base (=0.7.2)

langflow-base PyPI version =0.7.2 is affected by a known vulnerability. The following packages have a transitive dependency on langflow-base and may be impacted:
- langflow-nightly =1.8.0.dev24
Source CVEs: CVE-2026-5026
Source advisory: SNYK:PYTHON-LANGFLOWBASE-15814086...

CVSS 7, AI score 5.8, EPSS 0.00155
Exploits: 0
vulnersOsv
Added 2026/03/27 5:31 p.m., 4 views

langflow-nightly (=1.8.0.dev24) potentially affected by CVE-2026-5025 via langflow-base (=0.7.2)

langflow-base PyPI version =0.7.2 is affected by a known vulnerability. The following packages have a transitive dependency on langflow-base and may be impacted:
- langflow-nightly =1.8.0.dev24
Source CVEs: CVE-2026-5025
Source advisory: SNYK:PYTHON-LANGFLOWBASE-15813866...

CVSS 6.5, AI score 5.8, EPSS 0.00244
Exploits: 0
RedhatCVE
Added 2026/03/27 5:09 p.m., 6 views

CVE-2026-27663

A vulnerability has been identified in CPCI85 Central Processing/Communication All versions V26.10, RTUM85 RTU Base All versions V26.10. The affected application contains a denial-of-service (DoS) vulnerability. The remote operation mode is susceptible to a resource exhaustion condition when subjecte...

CVSS 7.1, AI score 5.8, EPSS 0.00269
Exploits: 1, References: 1
RedhatCVE
Added 2026/03/27 5:09 p.m., 3 views

CVE-2026-27664

A vulnerability has been identified in CPCI85 Central Processing/Communication All versions V26.10, SICORE Base system All versions V26.10.0. The affected application contains an out-of-bounds write vulnerability while parsing specially crafted XML inputs. This could allow an unauthenticated...

CVSS 8.7, AI score 5.7, EPSS 0.00358
Exploits: 1, References: 1
EUVD
Added 2026/03/27 3:35 p.m., 3 views

EUVD-2026-16484

Open WebUI has unauthorized deletion of knowledge files...

CVSS 5.4, AI score 5.9, EPSS 0.00252
Exploits: 1, References: 3
OSV
Added 2026/03/27 3:35 p.m., 1 view

GHSA-26GM-93RW-CCHF Open WebUI has unauthorized deletion of knowledge files

Summary: An access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base or is admin, but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from...

CVSS 5.4, AI score 6, EPSS 0.00252
Exploits: 1, References: 4
Github Security Blog
Added 2026/03/27 3:35 p.m., 6 views

Open WebUI has unauthorized deletion of knowledge files

Summary: An access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base or is admin, but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from...

CVSS 8.1, AI score 6, EPSS 0.00252
Exploits: 1, References: 4, Affected software: 1
EUVD
Added 2026/03/27 3:34 p.m., 5 views

EUVD-2026-16482

Open WebUI's process_files_batch endpoint missing ownership check, allows unauthorized file overwrite...

CVSS 7.1, AI score 5.8, EPSS 0.02858
Exploits: 1, References: 3
OSV
Added 2026/03/27 3:34 p.m., 3 views

GHSA-JJP7-G2JW-WH3J Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite

Summary: Any authenticated user can overwrite any file's content by ID through the POST /api/v1/retrieval/process/files/batch endpoint. The endpoint performs no ownership check, so a regular user with read access to a shared knowledge base can obtain file UUIDs via GET /api/v1/knowledge/id/files a...

CVSS 7.1, AI score 5.9, EPSS 0.02858
Exploits: 1, References: 4
Github Security Blog
Added 2026/03/27 3:34 p.m., 7 views

Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite

Summary: Any authenticated user can overwrite any file's content by ID through the POST /api/v1/retrieval/process/files/batch endpoint. The endpoint performs no ownership check, so a regular user with read access to a shared knowledge base can obtain file UUIDs via GET /api/v1/knowledge/id/files a...

CVSS 7.1, AI score 5.9, EPSS 0.02858
Exploits: 1, References: 4, Affected software: 1
Cvelist
Added 2026/03/27 2:13 p.m., 30 views

CVE-2026-4953 mingSoft MCMS Editor Endpoint BaseAction.java catchImage server-side request forgery

A weakness has been identified in mingSoft MCMS up to 5.5.0. This issue affects the function catchImage of the file net/mingsoft/cms/action/BaseAction.java of the component Editor Endpoint. Executing a manipulation of the argument catchimage can lead to server-side request forgery. It is possible...

CVSS 7.5, EPSS 0.00278
Exploits: 0, References: 4
AlpineLinux
Added 2026/03/27 8:10 a.m., 2 views

CVE-2025-59028

When invalid base64 SASL data is sent, the login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid base64 data can therefore be used to DoS a vulnerable server and break concurrent logins. Install the fixed version or disable concurrency in login processes hea...

CVSS 7.5, AI score 5.9, EPSS 0.00447
Exploits: 0, References: 1