728307 matches found
EUVD-2026-37728
A flaw was found in 389 Directory Server in the aclpnormalizeacltxt function of aclparse.c. A malformed ACI Access Control Instruction string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after...
CVE-2026-12528 389-ds-base: 389-ds-base: heap-buffer-overflows in __aclp__normalize_acltxt()
A flaw was found in 389 Directory Server in the aclpnormalizeacltxt function of aclparse.c. A malformed ACI Access Control Instruction string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after...
CVE-2026-12528
A flaw was found in 389 Directory Server in the aclpnormalizeacltxt function of aclparse.c. A malformed ACI Access Control Instruction string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after...
CVE-2026-12528 389-ds-base: 389-ds-base: heap-buffer-overflows in __aclp__normalize_acltxt()
A flaw was found in 389 Directory Server in the aclpnormalizeacltxt function of aclparse.c. A malformed ACI Access Control Instruction string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after...
GHSA-V2QM-5WXJ-QHJ7 Open WebUI: Stored XSS to Account Takeover via Model Profile Images
Stored XSS to Account Takeover via Model Profile Images in Open WebUI Affected: Open WebUI tags. On the output side, users.py added a MIME allowlist check and X-Content-Type-Options: nosniff. The fix was applied to UserUpdateForm, UpdateProfileForm, and later to ChannelWebhookForm. Three models...
Open WebUI: Stored XSS to Account Takeover via Model Profile Images
Stored XSS to Account Takeover via Model Profile Images in Open WebUI Affected: Open WebUI tags. On the output side, users.py added a MIME allowlist check and X-Content-Type-Options: nosniff. The fix was applied to UserUpdateForm, UpdateProfileForm, and later to ChannelWebhookForm. Three models...
GHSA-3VV5-8XXP-4F55 Open WebUI: Cross-origin postMessage confirmation bypass via action:submit
Summary The chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthoriz...
Open WebUI: Cross-origin postMessage confirmation bypass via action:submit
Summary The chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthoriz...
GHSA-F3G7-59QC-PQG6 Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar
Summary POST /api/v1/calendars/events/eventid/update validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination calendarid supplied in the request body. The model layer then persists the new calendarid unconditionally. A regula...
Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar
Summary POST /api/v1/calendars/events/eventid/update validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination calendarid supplied in the request body. The model layer then persists the new calendarid unconditionally. A regula...
GHSA-HMCR-RMJQ-47QR NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint
Summary The spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in .csv for example...
NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint
Summary The spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in .csv for example...
GHSA-6MHR-74X2-98V9 NocoDB: Stored Cross-Site Scripting via Secure Attachment
Summary With NCSECUREATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. Details The signed attachment handler stored response-header overrides under PascalCase keys...
NocoDB: Stored Cross-Site Scripting via Secure Attachment
Summary With NCSECUREATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. Details The signed attachment handler stored response-header overrides under PascalCase keys...
GHSA-GPRH-27J3-G5H4 NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL
Summary The spreadsheet-fetch endpoint axiosRequestMake accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16, allowing the cloud-metadata endpoint to be reached with a crafted URL...
NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL
Summary The spreadsheet-fetch endpoint axiosRequestMake accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16, allowing the cloud-metadata endpoint to be reached with a crafted URL...
CVE-2026-11311 NGINX Gateway Fabric vulnerability
When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the...
CVE-2026-11311 NGINX Gateway Fabric vulnerability
When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the...
CVE-2026-11311
CVE-2026-11311 affects NGINX Gateway Fabric when used with NGINX Plus. The vulnerability resides in the NGINX configuration generator: user-supplied values from the NginxProxy CRD serverTokens field and the AuthenticationFilter CRD extraAuthArgs field are rendered directly into NGINX configuratio...
EUVD-2026-37720
When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the...