Lucene search
+L

150 matches found

Cvelist
Cvelist
added 2026/07/09 4:9 p.m.30 views

CVE-2026-59220 Open WebUI: ReDoS in skill-mention regexes causes whole-instance DoS on default config

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.2 before 0.10.0, the SKILLMENTIONRE and stripre regular expressions in backend/openwebui/utils/middleware.py parsed skill mentions with overlapping quantifiers, allowing an authenticated chat message...

6.5CVSS0.00319EPSS
Exploits1References3
CVE
CVE
added 2026/07/09 4:9 p.m.9 views

CVE-2026-59220

Open WebUI (self-hosted AI platform) has a ReDoS in theSkill mention handling. In versions before 0.10.0, the SKILL_MENTION_RE and strip_re regexes in backend/open_webui/utils/middleware.py parsed mentions with overlapping quantifiers, allowing an authenticated user to send a message containing ...

6.5CVSS6AI score0.00319EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/07/09 4:9 p.m.4 views

CVE-2026-59220 Open WebUI: ReDoS in skill-mention regexes causes whole-instance DoS on default config

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.2 before 0.10.0, the SKILLMENTIONRE and stripre regular expressions in backend/openwebui/utils/middleware.py parsed skill mentions with overlapping quantifiers, allowing an authenticated chat message...

6.5CVSS6.1AI score0.00319EPSS
Exploits1References5
OSV
OSV
added 2026/06/18 7:11 a.m.5 views

MINI-3PXX-W276-3PH7

Bulletin has no description...

9.1CVSS4.9AI score0.0036EPSS
Exploits0
OSV
OSV
added 2026/06/16 5:25 p.m.5 views

MINI-G6R2-FXJQ-8VWJ

Bulletin has no description...

7.5CVSS4.9AI score0.00279EPSS
Exploits0
NVD
NVD
added 2026/06/11 7:16 p.m.12 views

CVE-2026-47175

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, several moderation commands echo user-controlled reason text in public bot replies without disabling mention parsing. A moderator who does not have permission to mention everyone can...

2.3CVSS0.00235EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/11 6:29 p.m.31 views

CVE-2026-47175 Quest Bot: Moderation reason fields allow bot-powered `@everyone` / `@here` pings

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, several moderation commands echo user-controlled reason text in public bot replies without disabling mention parsing. A moderator who does not have permission to mention everyone can...

2.3CVSS0.00235EPSS
Exploits0References2
CVE
CVE
added 2026/06/11 6:29 p.m.20 views

CVE-2026-47173

Quest Bot (Discord bot) prior to v1.0.3 is vulnerable: a normal user can create a ticket with a reason containing @everyone/@here, user or role mentions, causing the attacker-controlled reason to be posted in the new ticket channel if mentions are not suppressed. If the bot has permission to use ...

6.3CVSS5.4AI score0.00263EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.16 views

PT-2026-48714

Name of the Vulnerable Software and Affected Versions Quest Bot versions prior to 1.0.4 Description Several moderation commands echo user-controlled reason text in public bot replies without disabling mention parsing. This allows a moderator who lacks the permission to mention everyone to force t...

2.3CVSS5.3AI score0.00235EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.16 views

Quest Bot 安全漏洞

Quest Bot is a multi-functional Discord community management robot developed by Duck Organization. Versions of Quest Bot prior to 1.0.3 contained security vulnerabilities. These vulnerabilities stemmed from reminder messages that did not suppress mentions sent to @everyone or @here, potentially...

8.8CVSS5.3AI score0.00324EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.20 views

Quest Bot 安全漏洞

Quest Bot is a multi-functional Discord community management robot developed by Duck Organization. Versions of Quest Bot prior to 1.0.4 contained security vulnerabilities. These vulnerabilities stemmed from the fact that audit commands did not disable mention resolution, allowing administrators...

2.3CVSS5.4AI score0.00235EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/09 11:44 p.m.10 views

CVE-2026-53674 BuddyPress 14.4.0 REGEXP Injection via @Mention Username Resolution

BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit...

7.1CVSS5.5AI score0.00288EPSS
Exploits0References3
CVE
CVE
added 2026/06/09 11:44 p.m.27 views

CVE-2026-53674

CVE-2026-53674 affects BuddyPress 14.4.0. A regular expression injection in the activity mention resolver occurs when username compatibility mode is enabled, allowing an attacker to craft @mentions with regex metacharacters that pass esc_sql and are inserted into an unprepared REGEXP query on the...

7.1CVSS5.5AI score0.00288EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.15 views

PT-2026-48336

BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit...

7.1CVSS5.5AI score0.00288EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:33 p.m.10 views

CVE-2026-45620

WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck or admin gate. It only has an entry guard: pregmatch'/^@/', $REQUEST'term' and hard-coded rowCount=10. This enables unauthenticated user enumeration...

5.3CVSS5.4AI score0.00193EPSS
Exploits0References1
OSV
OSV
added 2026/06/01 12:0 a.m.12 views

ASB-A-488938763

Bulletin has no description...

6.7CVSS5.7AI score0.00146EPSS
Exploits0References1
NVD
NVD
added 2026/05/29 2:16 p.m.12 views

CVE-2026-45620

WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck or admin gate. It only has an entry guard: pregmatch'/^@/', $REQUEST'term' and hard-coded rowCount=10. This enables unauthenticated user enumeration...

5.3CVSS0.00193EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/29 1:7 p.m.10 views

EUVD-2026-33307

WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck or admin gate. It only has an entry guard: pregmatch'/^@/', $REQUEST'term' and hard-coded rowCount=10. This enables unauthenticated user enumeration...

5.3CVSS5.8AI score0.00193EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/29 1:7 p.m.14 views

CVE-2026-45620 AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration

WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck or admin gate. It only has an entry guard: pregmatch'/^@/', $REQUEST'term' and hard-coded rowCount=10. This enables unauthenticated user enumeration...

5.3CVSS5.8AI score0.0027EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/29 1:7 p.m.42 views

CVE-2026-45620 AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration

WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck or admin gate. It only has an entry guard: pregmatch'/^@/', $REQUEST'term' and hard-coded rowCount=10. This enables unauthenticated user enumeration...

5.3CVSS0.00193EPSS
Exploits0References1
Rows per page
Query Builder