CVE-2026-54012

CVE-2026-54012 pertains to Open WebUI. Before version 0.9.6, a user with model-creation/update/import rights could attach forged meta.knowledge entries of type file to their model. The system then trusts these entries as authorization sources, enabling a cross-user read and deletion of private fi...

CVE-2026-54012 Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the...

OpenAPI Generator <= 7.5.0 - Arbitrary File Read/Delete

OpenAPI Generator versions 7.5.0 and below are prone to an Arbitrary File Read/Delete vulnerability. Attackers can exploit this vulnerability to read and delete files and folders from an arbitrary, writable directory. id: CVE-2024-35219 info: name: OpenAPI Generator = 7.5.0 - Arbitrary File...

Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Delete

Telesquare TLR-2005KSH 1.0.0 is affected by an arbitrary file deletion vulnerability that allows a remote attacker to delete any file, even system internal files, via a DELETE request. id: CVE-2021-46424 info: name: Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Delete author: gy741 severity:...

Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion

Summary Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats meta.knowledge entries of type file as an authorization source in two...

Security update for roundcubemail (important)

openSUSE Security Update: Security update for roundcubemail Announcement ID: openSUSE-SU-2026:0183-1 Rating: important References: 1266329 1266331 1266332 1266333 1266334 1266335 1266336 1266337 Cross-References: CVE-2026-48842 CVE-2026-48843 CVE-2026-48844 CVE-2026-48845 CVE-2026-48846...

EUVD-2026-35137

OpenBullet2 through version 0.3.2 contains a path traversal vulnerability in the wordlist endpoint that allows authenticated attackers to perform arbitrary file read, write, and delete operations by supplying unsanitized absolute paths to the upload handler and wordlist functions. Attackers can...

PT-2026-47341

OpenBullet2 through version 0.3.2 contains a path traversal vulnerability in the wordlist endpoint that allows authenticated attackers to perform arbitrary file read, write, and delete operations by supplying unsanitized absolute paths to the upload handler and wordlist functions. Attackers can...

CVE-2026-0259

An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode. The...

CVE-2026-42317

GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a patch...

CVE-2026-35080 Arbitrary file delete vulnerability in method ugw-restoreinfo

The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...

CVE-2026-35079

The CVE-2026-35079 entry describes an issue in the ugw-restore method where a remote attacker with user privileges can delete arbitrary local files due to insufficient validation of user-controlled input. The vulnerability is assessed with high severity (CVSS 4.0: base 7.2; CVSS 3.1: base 8.1), r...

CVE-2026-35079 Arbitrary file delete vulnerability in method ugw-restore

The ugw-restore method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...

CVE-2026-35078 Arbitrary file delete vulnerability in method ugw-logstop

The ugw-logstop method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...

GHSA-QC4C-HRMC-4F78 Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges

Summary An authenticated Admidio member with upload rights on any one folder can permanently delete files from folders where they have only view access. The authorization check at the top of modules/documents-files.php evaluates upload rights against the attacker-supplied folderuuid URL parameter...

PT-2026-40910

The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized arbitrary file read and deletion in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check combined with a user-controlled backup...

CVE-2026-0259 WildFire WF-500 and WF-500-B: Arbitrary File Read and Delete Vulnerability in WildFire Appliance (WF-500, WF-500-B)

An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode. The...

CVE-2026-0259 WildFire WF-500 and WF-500-B: Arbitrary File Read and Delete Vulnerability in WildFire Appliance (WF-500, WF-500-B)

An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode. The...

CVE-2026-0259

CVE-2026-0259 affects Palo Alto Networks WildFire Appliance WF-500 and WF-500-B operating in the default non-FIPS configuration. It enables an arbitrary File Read and Delete vulnerability over the network, allowing access to sensitive information and deletion of arbitrary files. Impact is describ...

CVE-2026-44243 GitPython: Path traversal in GitPython reference APIs allows arbitrary file write and delete outside the repository

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory...