EUVD-2026-34028

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, an...

EUVD-2026-33688

Missing Authorization vulnerability in Themefic Hydra Booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hydra Booking: from n/a through 1.1.41...

PT-2026-45055

Summary PraisonAI's call server exposes a network-facing agent control API without authentication when CALL SERVER TOKEN is not configured. The affected component is the praisonai.api.agent invoke router as mounted by praisonai.api.call. The authentication helper verify token fails open when CALL...

CVE-2026-45716

Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances,...

CVE-2026-45716 Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration

Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances,...

CVE-2026-45716 Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration

Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances,...

CVE-2026-9642

Delta Electronics DIAView has a reported vulnerability where unverified remote attackers can access the configured database due to a security flaw in the DIAView software. The available public document describes unauthenticated remote access to the database as the impact. No concrete fix/mitigati...

CVE-2026-9642

...

CVE-2025-71310

The GDPR cookies module for Backdrop CMS before 1.x-1.3.5 doesn't sufficiently protect visitors from Cross Site Scripting XSS if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with...

EUVD-2025-209927

The GDPR cookies module for Backdrop CMS before 1.x-1.3.5 doesn't sufficiently protect visitors from Cross Site Scripting XSS if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with...

Delta Electronics DIAView 安全漏洞

Delta Electronics DIAView is an industrial configuration software developed by Delta Electronics in China. Delta Electronics DIAView has a security vulnerability, which stems from the possibility for unverified remote attackers to access the configured database...

PT-2026-43161

The GDPR cookies module for Backdrop CMS before 1.x-1.3.5 doesn't sufficiently protect visitors from Cross Site Scripting XSS if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with...

CVE-2026-24546

Missing Authorization vulnerability in Ruben Garcia GamiPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GamiPress: from n/a through 7.6.3...

php: Fix of CVE-2026-7262

CVE-2026-7262: fix NULL pointer dereference in SOAP apache map decoder typemap configured...

GHSA-C54J-XP92-WH28 Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration

Summary The POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances, this endpoint bypasses the admin-restricted invite flo...

Improper Privilege Management

Overview @budibase/frontend-core is a Budibase frontend core libraries used in builder and client Affected versions of this package are vulnerable to Improper Privilege Management through the onboardUsers function. An attacker can gain unauthorized administrative privileges by sending crafted...

BIT-NGINX-GATEWAY-2026-40701 NGINX ngx_http_ssl_module vulnerability

NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttpsslmodule module when the sslverifyclient directive is set to "on" or "optional," and the sslocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacke...

Open WebUI 跨站脚本漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI that is open source. Versions of Open WebUI prior to 0.9.0 had a cross-site scripting vulnerability. This vulnerability stemmed from the AccountPending.svelte component using marked.parse to render...

GHSA-JH9G-8JQW-M2QX Open WebUI Exposes System Prompt to Regular User [Non-Admin]

Summary A regular user non-admin can view the system prompt of the model which is set by an admin. Details When a regular user non-admin logs into the application, a http://IP:8080/api/models? web request is initiated by the application and in response, it reveals the system prompt of available...

Open WebUI Exposes System Prompt to Regular User [Non-Admin]

Summary A regular user non-admin can view the system prompt of the model which is set by an admin. Details When a regular user non-admin logs into the application, a http://IP:8080/api/models? web request is initiated by the application and in response, it reveals the system prompt of available...