
12 matches found

ATTACKERKB
added 2026/05/15 8:37 p.m., 5 views

CVE-2026-45401

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validate_url function in backend/open_webui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream sync requests, async...

CVSS 8.5, AI score 5.8, EPSS 0.00039
Exploits: 1, References: 2, Affected Software: 1
NVD
added 2026/05/09 4:16 a.m., 13 views

CVE-2026-42461

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.18.0, four GET endpoints under /api/templates in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list and read the full...

CVSS 8.7, EPSS 0.00044
Exploits: 0, References: 2
CVE
added 2026/04/08 8:44 p.m., 6 views

CVE-2026-39889

PraisonAI's A2U event stream server exposes all agent activity without authentication prior to version 4.5.115. The create_a2u_routes() function registers endpoints /a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, and /a2u/health with no auth checks, enabling unauthenti...

CVSS 7.5, AI score 5.9, EPSS 0.00019
Exploits: 0, References: 1, Affected Software: 1
Snyk
added 2026/03/18 4:51 p.m., 2 views

Information Exposure

Overview: Glances is a cross-platform curses-based monitoring tool. Affected versions of this package are vulnerable to Information Exposure via the /api/v4/args and /api/v4/args/item endpoints, which return sensitive information such as password hashes, SNMP community strings, SNMP authenticati...

CVSS 7.5, AI score 5.8, EPSS 0.00082
Exploits: 1, References: 2
Cvelist
added 2026/02/26 9:51 p.m., 15 views

CVE-2026-27449 Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints

Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the...

CVSS 7.5, EPSS 0.00071
Exploits: 0, References: 1
ATTACKERKB
added 2026/02/03 12:0 a.m., 4 views

CVE-2025-69970

FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API...

AI score 5.5, EPSS 0.00028
Exploits: 0, References: 2
Snyk
added 2026/01/02 3:22 p.m., 2 views

Information Exposure

Overview: signalk-server is an implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Information Exposure via the exposed endpoints /skServer/serialports, /skServer/availablePaths, and /skServer/hasAnalyzer that are not protected by authentication...

CVSS 6.9, AI score 6.8, EPSS 0.00015
Exploits: 1, References: 2
CVE
added 2025/12/19 4:33 p.m., 6 views

CVE-2024-49587

CVE-2024-49587 concerns Glutton V1: unauthenticated endpoints on Gotham stacks could let attackers access backend data (read/update/delete). The issue is confirmed across Red Hat/NVD/CVE listings and related feeds, with a documented root cause of exposed service endpoints and no user authenticati...

CVSS 9.1, AI score 6.6, EPSS 0.00054
Exploits: 0, References: 1
Cvelist
added 2025/10/10 9:40 a.m., 4 views

CVE-2025-52634 HCL AION is susceptible to Spring Boot Actuator Endpoints Exposed

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION. This issue affects HCL AION: 2.0...

CVSS 3.7, EPSS 0.00034
Exploits: 0, References: 1
EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2025-29611

Malicious code in bioql PyPI...

CVSS 10, AI score 6.4, EPSS 0.06417
Exploits: 0, References: 2
Tenable Nessus
added 2025/08/27 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2020-7943

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like...

CVSS 7.5, AI score 7.1, EPSS 0.65366
Exploits: 0, References: 2
RedhatCVE
added 2025/02/05 5:46 a.m., 6 views

CVE-2024-49357

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as http:///v1/users/image?path=/var/lib/casaos/1/apporder.json and http:///v1/users/image?path=/var/lib/casaos/1/system.json,...

CVSS 7.5, AI score 7.8, EPSS 0.75825
Exploits: 1, References: 1