1911 matches found
CVE-2026-34222
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.11, there is a broken access control vulnerability in tool values. This issue has been patched in version 0.8.11...
CVE-2026-34222
Affected product: Open WebUI, a self-hosted offline AI platform. Issue: broken access control in tool values prior to version 0.8.11. Impact: potential exposure due to access control bypass; CVSS 3.1 base score 7.7 (HIGH) with Network attack vector, low privileges required, no user interaction, c...
PT-2026-29571
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.11, there is a broken access control vulnerability in tool values. This issue has been patched in version 0.8.11...
redux-queue-offline (=0.4.1) potentially affected by CVE-2025-13465 +1 more via lodash.unset (=4.0.2)
lodash.unset NPM version =4.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on lodash.unset and may be impacted: redux-queue-offline =0.4.1. Source CVEs: CVE-2025-13465, CVE-2026-2950. Source advisory: SNYK:JS-LODASHUNSET-15869620...
Important: Red Hat Security Advisory: General availability of the satellite/iop-advisor-frontend-rhel9 container image
A new satellite/iop-advisor-frontend-rhel9 container image is now generally available in the Red Hat container registry. Red Hat Lightspeed in Satellite analyzes system health and configuration by applying predefined rules to a small set of local data, such as installed packages, running services...
EUVD-2026-17419
A directory traversal vulnerability in the agentic-context-engine project versions up to 0.7.1 allows arbitrary file writes via the checkpointdir parameter in OfflineACE.run. The savetofile method in ace/skillbook.py fails to normalize or validate filesystem paths, allowing traversal sequences to...
CVE-2026-29870
A directory traversal vulnerability in the agentic-context-engine project versions up to 0.7.1 allows arbitrary file writes via the checkpointdir parameter in OfflineACE.run. The savetofile method in ace/skillbook.py fails to normalize or validate filesystem paths, allowing traversal sequences to...
poc-studio-public
Nuclei Offline GUI This is a pure offline desktop prototype,...
CVE-2026-29071
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via /api/v1/retrieval/query/collection. Version 0.8.6 patches the issue...
EUVD-2026-16486
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories...
EUVD-2026-16484
Open WebUI has unauthorized deletion of knowledge files...
EUVD-2026-16482
Open WebUI's processfilesbatch endpoint missing ownership check, allows unauthorized file overwrite...
CVE-2026-33763
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the getapivideopasswordiscorrect API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean passwordIsCorrect field...
CVE-2026-29070
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base or is admin,...
CVE-2026-33041
WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password...
CVE-2026-23353
A flaw was found in the Linux kernel's ice network driver. When a local user performs an ethtool offline loopback test, the system can experience a kernel null pointer dereference. This occurs because the libeth library for the receive ring is not properly initialized. Successful exploitation of...
CVE-2026-23332
A flaw was found in the Linux kernel's intel_pstate cpufreq driver. A local user can trigger a system crash, leading to a Denial of Service (DoS), by attempting to disable the CPU turbo feature through the sysfs interface. This vulnerability occurs on systems booted with specific kernel arguments li...
CVE-2026-23332
In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix crash during turbo disable. When the system is booted with kernel command line argument "nosmt" or "maxcpus" to limit the number of CPUs, disabling turbo via: echo 1...