166 matches found

Cvelist
added 2026/05/15 8:34 p.m., 30 views

CVE-2026-45397 Open WebUI: Unauthenticated RAG Configuration Disclosure

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, GET /api/v1/retrieval/ returns live RAG pipeline configuration to any unauthenticated HTTP client. No Authorization header, cookie, or API key is required. Every adjacent endpoint on...

5.3 CVSS, 0.00039 EPSS
Exploits 1, References 1

CNNVD
added 2026/05/01 12:00 a.m., 3 views

Automotive Grade Linux app-framework-binder access control error vulnerability

Automotive Grade Linux app-framework-binder is an application framework communication component from Automotive Grade Linux, Inc. An Access Control Error vulnerability exists in Automotive Grade Linux app-framework-binder version 19.90.0 and earlier, which stems from a lack of authentication on...

7.8 CVSS, 5.9 AI score, 0.00024 EPSS
Exploits 0, References 1

RedHat Linux
added 2026/04/29 12:45 p.m., 4 views

Important: Red Hat Security Advisory: ovn24.03 security update

An update for ovn24.03 is now available for Fast Datapath for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...

8.6 CVSS, 5.3 AI score, 0.0004 EPSS
Exploits 0, References 7

Positive Technologies
added 2026/04/17 12:00 a.m., 0 views

PT-2026-33490

CVE-2026-32648 Anviz CX2 Lite and CX7 are vulnerable to unauthenticated access that discloses debug configuration details e.g., SSH/RTTY status, assisting attackers in reconnais… https://t.co/9Exm9A5Lee...

5.3 CVSS, 5.8 AI score, 0.00036 EPSS
Exploits 0, References 5

Github Security Blog
added 2026/04/04 6:16 a.m., 5 views

AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php

Summary: The plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin. Details: The entire...

5.3 CVSS, 5.9 AI score, 0.0002 EPSS
Exploits 1, References 3, Affected Software 1

Veracode
added 2026/03/14 5:04 a.m., 2 views

Information Disclosure

Apache ZooKeeper is vulnerable to Information Disclosure. The vulnerability is due to improper handling of configuration values in ZKConfig, where sensitive client configuration data may be logged at INFO level in the client logfile, potentially exposing confidential information...

7.5 CVSS, 6.7 AI score, 0.00022 EPSS
Exploits 0, References 5, Affected Software 1

ATTACKERKB
added 2026/02/11 2:13 p.m., 3 views

CVE-2026-2250

The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests...

7.5 CVSS, 5.6 AI score, 0.00119 EPSS
Exploits 0, References 2

NVD
added 2026/02/07 12:15 a.m., 2 views

CVE-2020-37146

ACE Security WiP-90113 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration files. Attackers can access the camera's configuration backup by sending a GET request to the /configbackup.bin endpoint, exposing credentia...

8.7 CVSS, 0.00031 EPSS
Exploits 0, References 4

ATTACKERKB
added 2026/02/06 11:14 p.m., 3 views

CVE-2020-37146

ACE Security WiP-90113 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration files. Attackers can access the camera's configuration backup by sending a GET request to the /configbackup.bin endpoint, exposing credentia...

8.7 CVSS, 5.4 AI score, 0.00031 EPSS
Exploits 0, References 4

CVE
added 2026/02/06 11:14 p.m., 7 views

CVE-2020-37146

CVE-2020-37146 affects ACE Security WiP-90113 HD Camera. A configuration disclosure vulnerability allows unauthenticated attackers to retrieve sensitive configuration files by sending a GET request to /config_backup.bin, exposing credentials and system settings. Exploitation context and impact ar...

8.7 CVSS, 5.4 AI score, 0.00031 EPSS
Exploits 0, References 4

Positive Technologies
added 2026/02/06 12:00 a.m., 2 views

PT-2026-6824

Name of the Vulnerable Software and Affected Versions: DBPower C300 HD Camera (affected versions not specified). Description: The DBPower C300 HD Camera has a configuration disclosure issue. Unauthenticated attackers can obtain sensitive credentials by accessing an unprotected configuration backup...

8.7 CVSS, 5.3 AI score, 0.0003 EPSS
Exploits 0, References 5

Positive Technologies
added 2026/02/03 12:00 a.m., 3 views

PT-2026-5846

Name of the Vulnerable Software and Affected Versions: Edimax EW-7438RPn version 1.13. Description: The Edimax EW-7438RPn version 1.13 contains a flaw that allows disclosure of WiFi network configuration details. An attacker can access the wlencrypt wiz.asp file to retrieve sensitive information,...

8.7 CVSS, 5.5 AI score, 0.00059 EPSS
Exploits 1, References 5

CNNVD
added 2026/01/13 12:00 a.m., 4 views

HPE Instant On Access Points security vulnerability

HPE Instant On Access Points is a wireless access point from HPE America. A security vulnerability exists in HPE Instant On Access Points that stems from a router mode misconfiguration, which could disclose internal network configuration information...

7.5 CVSS, 5.8 AI score, 0.00056 EPSS
Exploits 0, References 2

CNNVD
added 2025/12/22 12:00 a.m., 1 views

D-Link DSL-124 access control error vulnerability

The D-Link DSL-124 is an all-in-one optical modem router from China AUO D-Link. An access control error vulnerability exists in the D-Link DSL-124 ME1.00 version, which stems from a configuration file disclosure issue that could allow an unauthenticated attacker to obtain router settings via a POS...

8.8 CVSS, 6.7 AI score, 0.00098 EPSS
Exploits 1, References 4

Cvelist
added 2025/12/18 6:01 p.m., 18 views

CVE-2025-14738 Configuration Disclosure Vulnerability in TP-Link WA850RE

Improper authentication vulnerability in TP-Link WA850RE httpd modules allows unauthenticated attackers to download the configuration file. This issue affects: ≤ WA850RE V2160527, ≤ WA850RE V3160922...

7.1 CVSS, 0.00212 EPSS
Exploits 0, References 4

CVE
added 2025/12/18 6:01 p.m., 3 views

CVE-2025-14738

CVE-2025-14738 describes an improper authentication vulnerability in TP-Link WA850RE (httpd modules) that allows unauthenticated attackers to download the device configuration file. Affected are WA850RE V2_160527 and WA850RE V3_160922. The issue is triggered via the httpd module and does not requ...

7.5 CVSS, 6.7 AI score, 0.00212 EPSS
Exploits 0, References 4, Affected Software 1

Positive Technologies
added 2025/12/10 12:00 a.m., 2 views

PT-2025-50516

EIBIZ i-Media Server Digital Signage 3.8.0 contains an unauthenticated configuration disclosure vulnerability that allows remote attackers to access sensitive configuration files via direct object reference. Attackers can retrieve the SiteConfig.properties file through an HTTP GET request, exposi...

8.7 CVSS, 6.8 AI score, 0.00382 EPSS
Exploits 1, References 6

CNNVD
added 2025/12/09 12:00 a.m., 2 views

MiniDVBLinux security vulnerability

MiniDVBLinux is a multimedia center software from the German company MiniDVBLinux. A security vulnerability exists in MiniDVBLinux version 5.4, which stems from an insecure direct object reference that could lead to a configuration disclosure...

8.7 CVSS, 6.6 AI score, 0.00352 EPSS
Exploits 1, References 5

CNNVD
added 2025/12/08 12:00 a.m., 1 views

Google Android security vulnerability

Google Android is a Linux-based open source operating system from Google, Inc. in the United States. A security vulnerability exists in Google Android, which stems from a privilege obfuscation issue in the NotificationStation.java file that could lead to cross-configuration file information...

7.8 CVSS, 6.2 AI score, 0.00006 EPSS
Exploits 0, References 2

EUVD
added 2025/12/02 1:25 a.m., 3 views

EUVD-2025-200076

Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms...

8.7 CVSS, 6.7 AI score, 0.0007 EPSS
Exploits 1, References 3