Lucene search
K

7 matches found

CVE
CVE
added yesterday5 views

CVE-2026-59214

Open WebUI (self-hosted AI platform) before 0.10.0 is affected by a stored web worker XSS via Pyodide. The vulnerability arises when Pyodide runs in a same-origin web worker and stored chat payloads can cause authenticated same-origin requests through pyodide.http.pyfetch or the browser fetch/XML...

7.3CVSS6.1AI score
Exploits0References1
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-59214

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue...

7.3CVSS6.1AI score
Exploits0References2Affected Software1
Cvelist
Cvelist
added yesterday6 views

CVE-2026-59214 Open WebUI: Stored web worker XSS via Pyodide

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue...

7.3CVSS
Exploits0References1
OSV
OSV
added 2026/05/06 11:34 p.m.7 views

GHSA-GPXG-FX2G-QXJ2 Kanidm: Stored HTML injection in "passkey-enrolment" partial via displayname → htmx-driven authenticated request forgery

Summary The kanidmd web UI renders the WebAuthn passkey-registration challenge as raw JSON inside an inline element using the Askama |safe filter. The challenge embeds the account's displayname, which serdejson serialises without escaping . A displayname containing therefore terminates the script...

6.1CVSS5.9AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/06 11:34 p.m.24 views

Kanidm: Stored HTML injection in "passkey-enrolment" partial via displayname → htmx-driven authenticated request forgery

Summary The kanidmd web UI renders the WebAuthn passkey-registration challenge as raw JSON inside an inline element using the Askama |safe filter. The challenge embeds the account's displayname, which serdejson serialises without escaping . A displayname containing therefore terminates the script...

5.9AI score
Exploits0References2Affected Software1
Filippo.io
Filippo.io
added 2025/08/13 3:50 p.m.8 views

Cross-Site Request Forgery

Cross-Site Request Forgery CSRF is a confused deputy attack where the attacker causes the browser to send a request to a target using the ambient authority of the user’s cookies or network position.1 For example, attacker.example can serve the following HTML to a victim and the browser will send ...

6.5AI score
Exploits0
ATTACKERKB
ATTACKERKB
added 2022/05/04 4:15 p.m.3 views

CVE-2021-43206

A server-generated error message containing sensitive information in Fortinet FortiOS 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.x, 6.0.x and FortiProxy 7.0.0 through 7.0.1, 2.0.x allows malicious webservers to retrieve a web proxy's client username and IP via same origin HTTP requests...

4.3CVSS5.8AI score0.00767EPSS
Exploits0References2
Rows per page
Query Builder