CVE-2026-44567

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is...

PT-2026-39283

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.1.124 Description An improper authorization control exists where the API fails to validate if a user possesses an authorized role of user or admin. When the platform is configured to allow new sign-ups, new...

CVE-2026-34384

Admidio vulnerability CVE-2026-34384: Before 5.0.8, the approval modes create_user, assign_member, and assign_user in modules/registration.php accepted GET-based requests with no CSRF validation, allowing an attacker with a pending registration and a rol_approve_users right to auto-approve or mer...

CVE-2026-29069

Craft is a content management system CMS. Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pendin...

EUVD-2026-9452

Craft CMS has unauthenticated activation email trigger with potential user enumeration...

Craft CMS has unauthenticated activation email trigger with potential user enumeration

The actionSendActivationEmail endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the...

GHSA-234Q-VVW3-MRFQ Craft CMS has unauthenticated activation email trigger with potential user enumeration

The actionSendActivationEmail endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the...

CVE-2026-29069

Craft is a content management system CMS. Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pendin...

CVE-2026-29069 Craft has an unauthenticated activation email trigger with potential user enumeration

Craft is a content management system CMS. Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pendin...

PT-2026-23006

Craft is a content management system CMS. Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pendin...

CVE-2025-35432

CVE-2025-35432 (CISA Thorium): Thorium versions prior to 1.1.1 did not rate limit account verification email requests, allowing a remote unauthenticated attacker to flood a user pending verification with unlimited messages. The issue is resolved in 1.1.1 by enabling a default rate limit of 10 min...