Lucene search

4 matches found

CVE
added 2026/05/15 7:26 p.m. | 15 views

CVE-2026-44564

Open WebUI (self-hosted offline AI platform) contains a vulnerability in the ydoc:document:update Socket.IO handler that allows read-only users to modify in-memory Yjs documents. The handler validates room membership but does not verify write permission, and read-only users join the document room...

CVSS 5.4 | AI score 5.8 | EPSS 0.0022
Exploits: 1 | References: 1 | Affected Software: 1
Github Security Blog
added 2026/03/31 11:41 p.m. | 5 views

openssl-encrypt: TOTP rate limiter is in-memory only — not shared across workers, lost on restart

Severity: HIGH. Summary: The TOTP brute-force rate limiter in opensslencryptserver/modules/pepper/totp.py at lines 47-98 uses an in-memory defaultdict(list) as a class variable. Affected code (Python): class TOTPRateLimiter: def __init__(self, ...): self.attempts: Dict[str, List[datetime]] = defaultdict(list)...

AI score 5.9
Exploits: 0 | References: 3 | Affected Software: 1
Snyk
added 2026/01/20 8:55 p.m. | 2 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the debug/pprof endpoints. An attacker can access sensitive server internals, including runtime profiling data and in-memory application state, and trigger CPU-intensive profiling operations that could impact...

CVSS 8.7 | AI score 5.6 | EPSS 0.00246
Exploits: 0 | References: 2
Snyk
added 2026/01/20 8:55 p.m. | 1 view

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the debug/pprof endpoints. An attacker can access sensitive server internals, including runtime profiling data and in-memory application state, and trigger CPU-intensive profiling operations that could impact...

CVSS 8.7 | AI score 5.5 | EPSS 0.00246
Exploits: 0 | References: 2