Lucene search
+L

175 matches found

EUVD
EUVD
added 4 days ago5 views

EUVD-2026-43315

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation...

5.4CVSS6.1AI score0.00138EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago35 views

CVE-2026-9597 Deactivated guest accounts can authenticate via magic-link token in Mattermost REST API login endpoint

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation...

5.4CVSS0.00138EPSS
Exploits0References1
CVE
CVE
added 4 days ago14 views

CVE-2026-9597

Mattermost advisory MMSA-2026-00681 documents a vulnerability in Mattermost where versions 11.7.x <= 11.7.2 and 11.6.x

5.4CVSS6.1AI score0.00138EPSS
Exploits0References1Affected Software1
CVE
CVE
added 4 days ago11 views

CVE-2026-9571

Mattermost CVE-2026-9571 affects versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, and 10.11.x

6.5CVSS6.1AI score0.00174EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 4 days ago36 views

CVE-2026-9571 Deactivated user accounts can continue to obtain valid OAuth access tokens via refresh token grant in Mattermost

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token...

5.9CVSS0.00174EPSS
Exploits0References1
NVD
NVD
added 2026/07/09 5:17 p.m.13 views

CVE-2026-59226

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, executeautomation rehydrated automation owners without rechecking that they were still active or still had features.automations, and checkmodelaccess only enforced private-model grants...

4.3CVSS0.00303EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/09 4:6 p.m.6 views

EUVD-2026-42620

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, executeautomation rehydrated automation owners without rechecking that they were still active or still had features.automations, and checkmodelaccess only enforced private-model grants...

3.1CVSS6AI score0.00303EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/09 4:6 p.m.7 views

CVE-2026-59226

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, executeautomation rehydrated automation owners without rechecking that they were still active or still had features.automations, and checkmodelaccess only enforced private-model grants...

3.1CVSS6AI score0.00303EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/09 12:0 a.m.6 views

PT-2026-56830

Name of the Vulnerable Software and Affected Versions Open WebUI versions 0.9.0 through 0.9.x Description The execute automation function rehydrated automation owners without verifying if they remained active or retained features.automations permissions. Additionally, the check model access...

4.3CVSS6.1AI score0.00303EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/07/06 9:18 p.m.5 views

CVE-2026-43918

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php loggedinclient and loggedinadmin...

8.7CVSS5.9AI score0.00235EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/02 4:0 p.m.14 views

How GitHub used secret scanning to reach inbox zero

Several years ago, GitHub Security launched an initiative to assess and improve our overall secrets hygiene. As part of that effort, we piloted the Secret Scanning capability that was under development at the time. That's when we found more than 20,000 secrets spread across our 15,000+...

5.9AI score
Exploits0
OSV
OSV
added 2026/06/24 9:1 p.m.3 views

CVE-2026-45757 Rocket.Chat: users.deactivateIdle` deactivates accounts without revoking existing login tokens

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has...

2.3CVSS6AI score0.00215EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.15 views

PT-2026-52095

Name of the Vulnerable Software and Affected Versions Rocket.Chat versions prior to 8.5.0 Rocket.Chat versions prior to 8.4.2 Rocket.Chat versions prior to 8.3.4 Rocket.Chat versions prior to 8.2.4 Rocket.Chat versions prior to 8.1.5 Rocket.Chat versions prior to 8.0.6 Rocket.Chat versions prior ...

2.3CVSS5.8AI score0.00215EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.27 views

PT-2026-47329

Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...

7.1CVSS5.5AI score0.00271EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:36 p.m.13 views

CVE-2026-41891

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user check commented out. This issue has been patched in version...

5.3CVSS5.3AI score0.00269EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:25 p.m.11 views

CVE-2026-44561

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the isuserchannelmember function checks whether a ChannelMember row exists but does not check the isactive field. When a user is deactivated from a group or DM channel removed by the...

5.4CVSS5.5AI score0.00178EPSS
Exploits1References1
NVD
NVD
added 2026/05/15 8:16 p.m.15 views

CVE-2026-44561

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the isuserchannelmember function checks whether a ChannelMember row exists but does not check the isactive field. When a user is deactivated from a group or DM channel removed by the...

5.4CVSS0.00178EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/15 7:34 p.m.8 views

CVE-2026-44561 Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the isuserchannelmember function checks whether a ChannelMember row exists but does not check the isactive field. When a user is deactivated from a group or DM channel removed by the...

5.4CVSS5.8AI score0.00178EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/05/15 7:34 p.m.8 views

CVE-2026-44561

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the isuserchannelmember function checks whether a ChannelMember row exists but does not check the isactive field. When a user is deactivated from a group or DM channel removed by the...

5.4CVSS5.8AI score0.00178EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/05/15 7:34 p.m.18 views

EUVD-2026-30619

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the isuserchannelmember function checks whether a ChannelMember row exists but does not check the isactive field. When a user is deactivated from a group or DM channel removed by the...

5.4CVSS5.8AI score0.00178EPSS
Exploits1References1
Rows per page
Query Builder