Lucene search
K

240 matches found

CVE
CVE
added 5 days ago31 views

CVE-2026-55672

Summary (concrete details) : The CVE concerns Zitadel, an open-source identity management platform. The vulnerability occurs in the OAuth2/OIDC CodeExchange and RefreshToken flows (and related device token flow) where verification that the requesting client matches the originally authorized clien...

7.4CVSS6.1AI score0.00276EPSS
Exploits0References5
NVD
NVD
added 6 days ago12 views

CVE-2026-59226

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, executeautomation rehydrated automation owners without rechecking that they were still active or still had features.automations, and checkmodelaccess only enforced private-model grants...

4.3CVSS0.00303EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 6 days ago7 views

CVE-2026-59226

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, executeautomation rehydrated automation owners without rechecking that they were still active or still had features.automations, and checkmodelaccess only enforced private-model grants...

3.1CVSS6AI score0.00303EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 6 days ago31 views

CVE-2026-59226 Open WebUI: Scheduled automations continue after pending-user deactivation and stored model ACL revocation

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, executeautomation rehydrated automation owners without rechecking that they were still active or still had features.automations, and checkmodelaccess only enforced private-model grants...

3.1CVSS0.00303EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 6 days ago6 views

PT-2026-56830

Name of the Vulnerable Software and Affected Versions Open WebUI versions 0.9.0 through 0.9.x Description The execute automation function rehydrated automation owners without verifying if they remained active or retained features.automations permissions. Additionally, the check model access...

4.3CVSS6.1AI score0.00303EPSS
Exploits0References9
CVE
CVE
added 2026/06/30 3:52 p.m.19 views

CVE-2026-58168

Vulnerability overview: DeepTutor prior to v1.4.10 contains an authorization bypass in which the allowed_mcp_tools function returns None instead of denying access when mcp_tools is omitted from a user’s grant in deeptutor/multi_user/tool_access.py. This enables low-privilege users, including thos...

8.8CVSS5.8AI score0.00412EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/30 3:52 p.m.32 views

CVE-2026-58168 DeepTutor < 1.4.10 - Insecure Default Grants Unrestricted MCP Tool Access to Non-Admin Users

DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users to invoke unrestricted MCP tools due to the allowedmcptools function returning None instead of a denied result when mcptools is omitted from a user's grant in...

8.8CVSS0.00412EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:49 p.m.10 views

CVE-2026-29207

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with...

6.5CVSS5.3AI score0.00541EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:25 p.m.11 views

CVE-2026-44562

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/models/import endpoint allows users with the workspace.modelsimport permission to overwrite any existing model in the database, regardless of ownership. When an...

6.5CVSS5.5AI score0.0029EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/01 9:14 p.m.42 views

CVE-2026-0046

In InputInterceptor of Letterbox.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

0.00076EPSS
Exploits0References1
CVE
CVE
added 2026/06/01 9:14 p.m.37 views

CVE-2026-0048

Technical details for CVE-2026-0048 are not publicly provided in the supplied documents. The description notes a tapjacking/overlay issue with local privilege escalation, but no concrete affected products, versions, or fixes are disclosed. Monitor for updates.

6.8CVSS5.9AI score0.00075EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/05/27 7:20 p.m.42 views

CVE-2026-44681

CVE-2026-44681 affects Authlib’s OpenID implementation (OpenIDImplicitGrant and OpenIDHybridGrant). An unauthenticated open redirect can occur when a request omits the openid scope, causing the server to redirect with a 302 to an attacker-controlled URL. The root cause is that the scope check hap...

6.1CVSS5.8AI score0.00203EPSS
Exploits1References1Affected Software1
Debian CVE
Debian CVE
added 2026/05/27 7:20 p.m.15 views

CVE-2026-44681

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an...

6.1CVSS5.8AI score0.00203EPSS
Exploits1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.3 views

Astra Linux – Vulnerability in Linux

The fix for XSA-365 includes the initialization of pointers so that subsequent cleanup code would not use uninitialized or stale values. However, this initialization went too far and may, under certain conditions, also overwrite pointers that need to be cleaned up. The lack of cleanup would resul...

6.5CVSS6.6AI score0.00332EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.15 views

Astra Linux – Vulnerability in Linux 5.10, Linux

In the Linux kernel, the following vulnerability has been resolved: xen/gntdev: Prevent leaking grants Prior to this commit, if a grant mapping operation failed partially, some of the entries in the mapops array would be invalid, while all of the entries in the kmapops array would be valid. This...

5.5CVSS6AI score0.00149EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/19 1:56 p.m.15 views

CVE-2026-44558

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filterallowedaccessgrants on either create or update paths. A non-admin user who can create group channels or who owns a channel can submit arbitrary...

5.4CVSS5.9AI score0.0019EPSS
Exploits1References1
NVD
NVD
added 2026/05/19 10:16 a.m.19 views

CVE-2026-29207

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with...

6.5CVSS0.00541EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/19 9:18 a.m.8 views

CVE-2026-29207 Apache OFBiz: Low-Privilege SSTI Leading to RCE in the Content Component

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with...

5.7AI score0.00541EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/19 9:18 a.m.11 views

CVE-2026-29207

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with...

5.7AI score0.00541EPSS
Exploits0References2
CVE
CVE
added 2026/05/19 9:18 a.m.26 views

CVE-2026-29207

CVE-2026-29207 affects Apache OFBiz up to version 24.09.05 (pre-24.09.06) and can enable an improper neutralization of template engine elements, with Low-Privilege server-side SSTI that can lead to RCE in the Content component. The recommended remediation is to upgrade to OFBiz 24.09.06 or later....

6.5CVSS5.7AI score0.00541EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder