
3019 matches found

Vulnrichment, added 2026/05/16 3:25 p.m., 8 views

CVE-2020-37240 Queue Management System 4.0.0 Stored XSS via Add User

Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which...

CVSS 6.4, AI score 5.7, EPSS 0.00243, Exploits 0, References 4
CVE, added 2026/05/16 3:25 p.m., 12 views

CVE-2020-37240

CVE-2020-37240 affects Queue Management System 4.0.0 with a stored XSS flaw in the Add User workflow. Authenticated administrators can inject JavaScript via First Name, Last Name, or Email during user creation, with payloads executing on the User List page. CVSS-4.0 vector yields 5.1 (MEDIUM), an...

CVSS 6.4, AI score 5.7, EPSS 0.00243, Exploits 0, References 4
Cvelist, added 2026/05/16 3:25 p.m., 31 views

CVE-2020-37240 Queue Management System 4.0.0 Stored XSS via Add User

Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which...

CVSS 6.4, EPSS 0.00243, Exploits 0, References 4
Positive Technologies, added 2026/05/16 12:00 a.m., 15 views

PT-2026-41440

Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which...

CVSS 6.4, AI score 5.7, EPSS 0.00243, Exploits 0, References 5
NVD, added 2026/05/15 8:16 p.m., 13 views

CVE-2026-45675

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP and OAuth authentication flows use a TOCTOU (time-of-check/time-of-use) pattern for first-user admin role assignment. The regular signup handler signuphandler in auths.py, lin...

CVSS 8.1, EPSS 0.00354, Exploits 1, References 3
CVE, added 2026/05/15 7:12 p.m., 29 views

CVE-2026-45675

Open WebUI CVE-2026-45675 describes a TOCTOU race in first-user admin role assignment for LDAP and OAuth paths prior to version 0.9.0. The signup path was fixed to insert with a default role first and upgrade if only one user remains; LDAP and OAuth paths did not receive that fix. Attack scenario...

CVSS 8.1, AI score 5.3, EPSS 0.00354, Exploits 1, References 3, Affected Software 1
Cvelist, added 2026/05/15 7:12 p.m., 39 views

CVE-2026-45675 Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP and OAuth authentication flows use a TOCTOU (time-of-check/time-of-use) pattern for first-user admin role assignment. The regular signup handler signuphandler in auths.py, lin...

CVSS 8.1, EPSS 0.00354, Exploits 1, References 3
Vulnrichment, added 2026/05/15 7:12 p.m., 9 views

CVE-2026-45675 Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP and OAuth authentication flows use a TOCTOU (time-of-check/time-of-use) pattern for first-user admin role assignment. The regular signup handler signuphandler in auths.py, lin...

CVSS 8.1, AI score 5.3, EPSS 0.00354, Exploits 1, References 3
Github Security Blog, added 2026/05/14 8:28 p.m., 18 views

Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts

Summary: The LDAP and OAuth authentication flows use a TOCTOU (time-of-check/time-of-use) pattern for first-user admin role assignment. The regular signup handler signuphandler in auths.py, line 663, was explicitly patched to prevent this race with the comment "Insert with default role first to avoid...

CVSS 8.1, AI score 5.8, EPSS 0.00354, Exploits 1, References 6, Affected Software 1
OSV, added 2026/05/14 8:28 p.m., 4 views

GHSA-H3WW-Q6XX-W7X3 Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts

Summary: The LDAP and OAuth authentication flows use a TOCTOU (time-of-check/time-of-use) pattern for first-user admin role assignment. The regular signup handler signuphandler in auths.py, line 663, was explicitly patched to prevent this race with the comment "Insert with default role first to avoid...

CVSS 8.1, AI score 5.8, EPSS 0.00354, Exploits 1, References 6
EUVD, added 2026/05/13 6:30 p.m., 11 views

EUVD-2026-29927

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is set up to use specific different proxies for different URL schemes; 2. the first proxy needs credentials; 3. the second proxy uses no credentials; 4. whil...

CVSS 5.9, AI score 5.8, EPSS 0.00639, Exploits 1, References 5
RedHat Linux, added 2026/05/13 1:20 p.m., 12 views

golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip

A flaw was found in the archive/zip package in the Go standard library. A super-linear file name indexing algorithm is used the first time a file in an archive is opened. A crafted zip archive containing a specific arrangement of file names can cause excessive CPU and memory consumption. A ...

CVSS 6.5, AI score 6.9, EPSS 0.00643, Exploits 1, References 8
ATTACKERKB, added 2026/05/13 8:28 a.m., 12 views

CVE-2026-6429

When asked to both use a .netrc file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances...

AI score 5.8, EPSS 0.00519, Exploits 1, References 4, Affected Software 1
CVE, added 2026/05/13 8:28 a.m., 35 views

CVE-2026-6276

CVE-2026-6276 affects libcurl: if a custom Host header is initially set for an HTTP request and a subsequent request on the same easy handle is made without the Host header, the second request can reuse stale host information and leak cookies intended for the first host. The issue manifests as a ...

CVSS 7.5, AI score 5.8, EPSS 0.00291, Exploits 1, References 4, Affected Software 1
Debian CVE, added 2026/05/13 8:28 a.m., 4 views

CVE-2026-6253

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is set up to use specific different proxies for different URL schemes; 2. the first proxy needs credentials; 3. the second proxy uses no credentials; 4. whil...

CVSS 5.9, AI score 5.8, EPSS 0.00639, Exploits 1
CVE, added 2026/05/13 8:28 a.m., 21 views

CVE-2026-6253

CVE-2026-6253 concerns curl leaking credentials from the first proxy when a redirect to a second proxy occurs. The issue arises under multi-proxy configurations where the first proxy requires credentials, the second proxy does not, and a redirect from an http URL to an https URL uses the second p...

CVSS 5.9, AI score 5.8, EPSS 0.00639, Exploits 1, References 4, Affected Software 1
Vulnrichment, added 2026/05/13 8:28 a.m., 6 views

CVE-2026-6253 proxy credentials leak over redirect-to proxy

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is set up to use specific different proxies for different URL schemes; 2. the first proxy needs credentials; 3. the second proxy uses no credentials; 4. whil...

AI score 5.8, EPSS 0.00639, Exploits 1, References 3
SUSE CVE, added 2026/05/13 3:35 a.m., 6 views

SUSE CVE-2026-43317

In the Linux kernel, the following vulnerability has been resolved: most: core: fix leak on early registration failure. A recent commit fixed a resource leak on early registration failures but for some reason left out the first error path, which still leaks the resources associated with the...

AI score 5.7, EPSS 0.00122, Exploits 0, References 3
CNNVD, added 2026/05/13 12:00 a.m., 8 views

curl security vulnerability

curl is an open-source tool developed by cURL for transferring data from a server or to a server. Curl has a security vulnerability, which stems from an error in passing the proxy authentication header. This error may cause the Proxy-Authorization header from the first proxy to be incorrectly...

CVSS 5.3, AI score 5.8, EPSS 0.00471, Exploits 1, References 1
OSV, added 2026/05/12 8:16 p.m., 7 views

PYSEC-2026-145

vLLM is an inference and serving engine for large language models (LLMs). From to before 0.20.0, the extracthiddenstates speculative decoding proposer in vLLM returns a tensor with an incorrect shape after the first decode step, causing a RuntimeError that crashes the EngineCore process. The crash ...

CVSS 6.5, AI score 5.8, EPSS 0.00367, Exploits 0, References 2