CVE-2026-45666 Open WebUI: Indirect Object Reference (IDOR) in user notes
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the API /api/v1/notes/noteid endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. Th...
CVE-2026-33484 Langflow has Unauthenticated IDOR on Image Downloads
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the /api/v1/files/images/flowid/filename endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flowid and filename returns...
PT-2025-52444
Multiple API endpoints allowed anyone who knew a file's UUID to access other users' sensitive files, even though those files were not intended to be retrievable by UUID alone...
Linux kernel security vulnerability
Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel: a use-after-free in the drm/xe/vm subsystem that a user can trigger by guessing the vm id while racing a concurrent operation...
CVE-2020-14247
HCL OneTest Performance V9.5, V10.0, V10.1 contains an inadequate session timeout, which could allow an attacker time to guess and use a valid session ID...
CVE-2017-14332
Extreme EXOS 15.7, 16.x, 21.x, and 22.x allows remote attackers to hijack sessions by determining SessionID values...
Multiple Huawei Server Design Vulnerabilities
Huawei Tecal RH1288 V2 and others are servers from Huawei, a Chinese company. A security vulnerability exists in several Huawei servers. An attacker can exploit the vulnerability by guessing the session ID used by another user and thereby access the system while impersonating that user...