
6 matches found

GitHub Security Blog
added 2026/05/14 8:24 p.m., 4 views

Open WebUI's chat completion API allows tool restrictions to be bypassed

Summary: Open WebUI v0.6.43 contains a vulnerability in its chat completion API, which allows attackers to bypass tool restrictions, potentially enabling unauthorized actions or access. Details: In the chatcompletion API, the parameters toolids and toolservers are supplied by the user. These...

CVSS 7.1 | AI score 5.7 | EPSS 0.00056
Exploits: 1 | References: 5 | Affected Software: 1
Metasploit
added 2026/04/02 7:2 p.m., 179 views

HTTPS Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)

Fetch and execute an x86 payload from an HTTPS server. Connect back to the attacker. Module Options: msf use payload/cmd/windows/https/x86/vncinject/reversetcprc4 msf payloadreversetcprc4 show actions ...actions... msf payloadreversetcprc4 set ACTION msf payloadreversetcprc4 show options ...show an...

AI score 5.9
Exploits: 0
Metasploit
added 2026/04/02 7:2 p.m., 167 views

HTTP Fetch, Reverse TCP Stager (DNS)

Fetch and execute an x86 payload from an HTTP server. Connect back to the attacker. Module Options: msf use payload/cmd/windows/http/x86/vncinject/reversetcpdns msf payloadreversetcpdns show actions ...actions... msf payloadreversetcpdns set ACTION msf payloadreversetcpdns show options ...show and...

AI score 6
Exploits: 0
CNNVD
added 2025/12/09 12:0 a.m., 1 views

Fetch MCP Server Security Vulnerability

Fetch MCP Server is a context protocol server by individual developer Zach Caceres. A security vulnerability exists in Fetch MCP Server version 1.0.2 and prior versions, which stems from server-side request forgery and could lead to access to internal network resources...

CVSS 7.5 | AI score 6.4 | EPSS 0.00072
Exploits: 1 | References: 3
OSV
added 2025/11/13 3:23 a.m., 0 views

MAL-2025-190340 Malicious code in winston-process-fetch-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f32310e6d14f06422f625862322cf64c1e6a08c795148c10b8a5c50e384c2f17 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.8
Exploits: 0
EUVD
added 2025/11/13 3:23 a.m., 2 views

EUVD-2025-175536

Malicious code in winston-process-fetch-server npm...

AI score 6.6
Exploits: 0