CVE-2026-45345

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user's model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained. This...

CVE-2026-44564

Open WebUI (self-hosted offline AI platform) contains a vulnerability in the ydoc:document:update Socket.IO handler that allows read-only users to modify in-memory Yjs documents. The handler validates room membership but does not verify write permission, and read-only users join the document room...

CVE-2026-7563

The CVE-2026-7563 entry concerns the WordPress plugin Classified Listing – AI-Powered Classified ads & Business Directory (versions up to and including 5.3.10). The vulnerability arises from missing authorization verification, enabling authenticated users with subscriber-level access or higher to...

CVE-2026-7563 Classified Listing <= 5.3.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via add_order_note and send_email_to_user_by_moderator AJAX Actions

The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 5.3.10. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it...

CVE-2026-8425

The Notify Odoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the updateSettings function. This makes it possible for unauthenticated attackers to change the Notify Odoo URL to ...

CVE-2026-31240

The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records PUT /memories/memoryid are exposed without any verification of the requester's identity or permissions. A remote attacker can exploit...

Open WebUI 安全漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.9.5 contained security vulnerabilities. These vulnerabilities stemmed from the fact that the “fix” or “unfix” operations were write operations, but only read...

PT-2026-41377

Name of the Vulnerable Software and Affected Versions Crypt::DSA versions prior to 1.20 Description Crypt::DSA for Perl uses a 2-args open function, which can allow existing files to be modified. Recommendations Update to a version later than 1.19...

GHSA-WWHQ-CX22-F7VV Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint

Summary An IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members including administrators within the same channel. This vulnerability affects the latest version v0.8.12 of Open WebUI. Details In the updatemessagebyid...

CVE-2026-41315

mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modifycrond and /starttask interfaces, it is possible to modify the default built-in scheduled tasks and start...

CVE-2026-41315

CVE-2026-41315 : mdserver-web (Linux panel) versions 0.18.0–0.18.4 contain a front-end unauthenticated remote command execution vulnerability. The lack of authentication on the /modify_crond and /start_task interfaces allows an attacker to modify default built-in scheduled tasks and start them, r...

EUVD-2026-30362

mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modifycrond and /starttask interfaces, it is possible to modify the default built-in scheduled tasks and start...

CVE-2026-41315 mdserver-web: Missing Authorization and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modifycrond and /starttask interfaces, it is possible to modify the default built-in scheduled tasks and start...

CVE-2026-5396

The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions read, modify, delete, add notes based on a user-supplied formid quer...

CVE-2026-2900

GitLab EE patched a vulnerability where, if instance-level approval rule editing prevention was enabled, an authenticated Maintainer could modify or delete project approval rules due to missing authorization checks. Affected are GitLab EE versions: 16.10 before 18.9.7, 18.10 before 18.10.6, and 1...

CVE-2026-3829

The WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'wplebasicgetrequests' function in all versions up to, and including, 7.8.5.10. This makes...

EUVD-2026-30228

The WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'wplebasicgetrequests' function in all versions up to, and including, 7.8.5.10. This makes...

CVE-2026-5396

The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions read, modify, delete, add notes based on a user-supplied formid quer...

EUVD-2026-30232

The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions read, modify, delete, add notes based on a user-supplied formid quer...

PT-2026-40870

The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions read, modify, delete, add notes based on a user-supplied form id que...