Malicious code in ranno (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a1366783d9cb87471f1b5cfeb806508ee83b2a58ded724f8ea45d8391f4f68bc The package's advertised API ex calls gn in ranno/gn.py, which POSTs the caller's prompt — and, when a data= argument is supplied, the absolute file...

Exploit for CVE-2026-47101

CVE-2026-47101 — LiteLLM Privilege Escalation via /key/genera...

CVE-2026-44563

Open WebUI/Open WebUI’s Ollama integration vulnerability (CVE-2026-44563) affects the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints. These endpoints forward a user-supplied model name to the Ollama backend without enforcing AccessGrants.has_access(), effectively bypassing mo...

Open WebUI 安全漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI that is open source. Versions of Open WebUI prior to 0.9.0 contained security vulnerabilities. These vulnerabilities stemmed from the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints, which accepted...

GHSA-RCVP-6FGW-C7FH Open WebUI's Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show

Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show Affected Component Ollama proxy endpoints missing model access control: - backend/openwebui/routers/ollama.py lines 955-995, generatecompletion - backend/openwebui/routers/ollama.py lines 835-881, emb...

PT-2026-39280

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description Four Ollama proxy endpoints accept any model name from the user and forward the request to the Ollama backend without verifying if the user is authorized to access that model. While these endpoint...

CVE-2026-22662

prompts.chat prior to commit 1464475 contains a blind server-side request forgery vulnerability in the Wiro media generator that allows authenticated users to perform server-side fetches of user-controlled inputImageUrl parameters. Attackers can exploit this vulnerability by sending POST requests...

CVE-2026-22662

prompts.chat prior to commit 1464475 contains a blind server-side request forgery vulnerability in the Wiro media generator that allows authenticated users to perform server-side fetches of user-controlled inputImageUrl parameters. Attackers can exploit this vulnerability by sending POST requests...

Denial of Service (DoS)

Overview imaginAIry is an AI imagined images. Pythonic generation of images. Affected versions of this package are vulnerable to Denial of Service DoS over the /api/stablestudio/generate endpoint. An attacker can cause the server to crash and return KILLED to all clients by sending a payload with...

The vulnerability of the imagination AI image and video generation generator, related to server blocking, allows a violator to trigger a service failure.

The vulnerability of the imagination AI image and video generation service is related to a server crash due to uncontrolled resource consumption during the processing of the api/stablestudio/generate endpoint. Exploiting this vulnerability could allow an attacker to cause a service outage by...