Lucene search
K

5 matches found

OSV
OSV
added 2026/06/18 3:49 p.m.4 views

CVE-2026-55205 Hermes WebUI < 0.51.468 - Resource Exhaustion via Unauthenticated OAuth Flow Endpoint

Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint that allows unbounded accumulation of in-memory flow state and daemon threads. Attackers can send repeated or concurrent requests to exhaust server memory and...

6.9CVSS6AI score0.00301EPSS
Exploits0References8
CVE
CVE
added 2026/05/15 7:26 p.m.28 views

CVE-2026-44564

Open WebUI (self-hosted offline AI platform) contains a vulnerability in the ydoc:document:update Socket.IO handler that allows read-only users to modify in-memory Yjs documents. The handler validates room membership but does not verify write permission, and read-only users join the document room...

5.4CVSS5.8AI score0.0022EPSS
Exploits1References1Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/31 11:41 p.m.8 views

openssl-encrypt: TOTP rate limiter is in-memory only — not shared across workers, lost on restart

Severity: HIGH Summary The TOTP brute-force rate limiter in opensslencryptserver/modules/pepper/totp.py at lines 47-98 uses an in-memory defaultdictlist as a class variable. Affected Code python class TOTPRateLimiter: def initself, ...: self.attempts: Dictstr, Listdatetime = defaultdictlist...

5.9AI score
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/01/20 8:55 p.m.2 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the debug/pprof endpoints. An attacker can access sensitive server internals, including runtime profiling data and in-memory application state, and trigger CPU-intensive profiling operations that could impact...

8.7CVSS5.5AI score0.00246EPSS
Exploits0References2
Snyk
Snyk
added 2026/01/20 8:55 p.m.2 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the debug/pprof endpoints. An attacker can access sensitive server internals, including runtime profiling data and in-memory application state, and trigger CPU-intensive profiling operations that could impact...

8.7CVSS5.6AI score0.00246EPSS
Exploits0References2
Rows per page
Query Builder