Unintended Secret Exposure

github.com/docker/buildx is vulnerable to unintended secret exposure. The vulnerability is due to improper handling of sensitive data in OpenTelemetry traces and BuildKit daemon's history records, that allows an attacker to access sensitive secrets by extracting them...

GHSA-FF5C-56M7-VC75 Open WebUI allows Remote Code Execution via Arbitrary File Upload to /audio/api/v1/transcriptions

OpenWebUI version 0.3.0 contains a vulnerability in the audio API endpoint /audio/api/v1/transcriptions that allows for arbitrary file upload. The application performs insufficient validation on the file.contenttype and allows user-controlled filenames, leading to a path traversal vulnerability...

Open WebUI allows Remote Code Execution via Arbitrary File Upload to /audio/api/v1/transcriptions

OpenWebUI version 0.3.0 contains a vulnerability in the audio API endpoint /audio/api/v1/transcriptions that allows for arbitrary file upload. The application performs insufficient validation on the file.contenttype and allows user-controlled filenames, leading to a path traversal vulnerability...

CVE-2024-13060

A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1...

CVE-2024-13060

A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1...

CVE-2024-8060 Remote Code Execution in OpenWebUI via Arbitrary File Upload

OpenWebUI version 0.3.0 contains a vulnerability in the audio API endpoint /audio/api/v1/transcriptions that allows for arbitrary file upload. The application performs insufficient validation on the file.contenttype and allows user-controlled filenames, leading to a path traversal vulnerability...

CVE-2024-13060 Improper Authorization in mintplex-labs/anything-llm

A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1...

CVE-2024-13060

CVE-2024-13060 affects AnythingLLM Docker 1.3.1 and earlier. Affected component: the user cookie handling (cookie parameter id) that determines which profile picture is loaded. Root cause: insufficient authorization checks allow users with Default permission to access other users’ profile picture...

CVE-2024-13060 Improper Authorization in mintplex-labs/anything-llm

A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1...

CVE-2025-0495 vulnerabilities

Vulnerabilities for packages: kubescape, docker-compose...

GHSA-M4GQ-FM9H-8Q75 vulnerabilities

Vulnerabilities for packages: kubescape, docker-compose...

CVE-2024-40635 vulnerabilities

Vulnerabilities for packages: nerdctl, trivy, dagger, datadog-agent, kaniko, kots, chartmuseum, kubevela, wolfictl, osv-scanner, flux-helm-controller, neuvector-scanner, ctop, opa, docker, zot, helm-operator, xeol, melange, k3s, helm, helm-push, eksctl, docker-cli-buildx, buildkitd, rancher-fleet...

GHSA-265R-HFXG-FHMG vulnerabilities

Vulnerabilities for packages: nerdctl, trivy, dagger, datadog-agent, kaniko, kots, chartmuseum, kubevela, wolfictl, osv-scanner, flux-helm-controller, neuvector-scanner, ctop, opa, docker, zot, helm-operator, xeol, melange, k3s, helm, helm-push, eksctl, docker-cli-buildx, buildkitd, rancher-fleet...

PT-2025-12191 · Mintplex · Anything-Llm

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm version 1d9452da2b92 Description: A denial of service issue arises when uploading an audio file with a very low sample rate, causing the site instance to crash. This occurs due to the localWhisper implementation,...

CVE-2025-0495

Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry...

CVE-2025-0495 vulnerabilities

Vulnerabilities for packages: docker-compose, kubescape, docker-compose-fips...

GHSA-M4GQ-FM9H-8Q75 vulnerabilities

Vulnerabilities for packages: docker-compose, kubescape, docker-compose-fips...

CVE-2024-40635

containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as roo...

Insertion of Sensitive Information into Log File

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the form of credentials being passed as parameter values when registering a new user via the OpenTelemetry endpoint. These values may be passed in a cache-to/cache-from configuration a...

CVE-2025-0495

Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry...