6125 matches found
Simple Task Managing System v1.0 - SQL Injection
SQL injection occurs when a web application doesn't properly validate or sanitize user input that is used in SQL queries. Attackers can exploit this by injecting malicious SQL code into the input fields of a web application, tricking the application into executing unintended database queries. id:...
CVE-2026-15557
A weakness has been identified in waooAI waoowaoo up to 0.4.1. Affected by this vulnerability is the function getInternalTaskSession/getAuthSession/requireUserAuth/requireProjectAuth/requireProjectAuthLight in the library src/lib/api-auth.ts of the component Internal Task Header Handler. This...
CVE-2026-15557 waooAI waoowaoo Internal Task Header api-auth.ts requireProjectAuthLight improper authentication
A weakness has been identified in waooAI waoowaoo up to 0.4.1. Affected by this vulnerability is the function getInternalTaskSession/getAuthSession/requireUserAuth/requireProjectAuth/requireProjectAuthLight in the library src/lib/api-auth.ts of the component Internal Task Header Handler. This...
CVE-2026-15557
CVE-2026-15557 affects waooAI waoowaoo up to version 0.4.1. The vulnerability resides in the Internal Task Header Handler’s API-auth logic (functions getInternalTaskSession, getAuthSession, requireUserAuth, requireProjectAuth, requireProjectAuthLight in src/lib/api-auth.ts). Malicious manipulatio...
CVE-2026-15499
A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. Affected is the function FutureTaskTool.call of the file astrbot/core/tools/crontools.py of the component Scheduled Task Handler. Performing a manipulation of the argument payload"note" results in improper authorization...
CVE-2026-15499
AstrBotDevs AstrBot (versions up to 4.25.2) contains a vulnerability in the function FutureTaskTool.call (astrbot/core/tools/cron_tools.py). Manipulating payload["note"] leads to improper authorization, enabling remote exploitation. Public exploit availability is reported. No remediation details ...
Unbreakable Enterprise kernel security update
5.15.0-322.203.3.3 - locking/rtmutex: Skip removewaiter when waiter is not enqueued Davidlohr Bueso Orabug: 39706512 - rtmutex: Use waiter::task instead of current in removewaiter Keenan Dong Orabug: 39706512 CVE-2026-43499 5.15.0-322.203.3.2 - KVM: x86/mmu: Ensure hugepage is in by slot before...
Unbreakable Enterprise kernel security update
5.4.17-2136.357.3.2 - locking/rtmutex: Skip removewaiter when waiter is not enqueued Davidlohr Bueso Orabug: 39706958 - rtmutex: Use waiter::task instead of current in removewaiter Keenan Dong Orabug: 39706958 CVE-2026-43499 5.4.17-2136.357.3.1 - KVM: x86: Fix shadow paging use-after-free due to...
Important: kernel
Issue Overview: In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of current in removewaiter CVE-2026-43499 Affected Packages: kernel Note: This advisory is applicable to Amazon Linux 2 - Kernel-5.10 Extra. Visit this page to learn more about...
Important: kernel
Issue Overview: In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of current in removewaiter CVE-2026-43499 Affected Packages: kernel Note: This advisory is applicable to Amazon Linux 2 - Kernel-5.4 Extra. Visit this page to learn more about...
CVE-2026-59225
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The...
CVE-2026-59225 Open WebUI: Arena task endpoints can bypass underlying model access controls
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The...
CVE-2026-59225
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The...
CVE-2026-59225
Open WebUI vulnerability CVE-2026-59225 affects versions 0.8.12 up to before 0.10.0. An authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model via task endpoints like /api/v1/tasks/moa/completions. The normal chat flow re-checks submodel ac...
EUVD-2026-42639
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The...
PT-2026-56888
Name of the Vulnerable Software and Affected Versions Open WebUI versions 0.8.12 through 0.9.x Description An authenticated non-admin user with read access to an arena wrapper model can access a restricted underlying model. This occurs because task endpoints, such as...
CVE-2026-14891
HashiCorp Nomad and Nomad Enterprise are vulnerable to a sandbox escape in the Docker task driver that may allow a job submitter to bind-mount a host path into a container even when volume bind mounts are disabled, potentially leading to reading and writing files on the host. This vulnerability,...
CVE-2026-14891
HashiCorp Nomad and Nomad Enterprise are affected by a sandbox escape in the Docker task driver that can allow a job submitter to bind-mount a host path into a container, potentially enabling reading/writing host files even when volume bind mounts are disabled. Affected versions include Nomad Com...
CVE-2026-53951 Copier: trust-prefix bypass via path traversal runs tasks unprompted
Copier is a library and CLI app for rendering project templates. In versions 9.5.0 through 9.15.1, the trust setting's prefix match copier/settings.py compares the template URL against a trusted prefix with a raw str.startswith and no path normalization, while the URL is normalized when the...
kernel: procfs: fix missing RCU protection when reading real_parent in do_task_stat()
A flaw was found in the Linux kernel's procfs component. When reading /proc/pid/stat, the dotaskstat function accesses task-realparent without proper Read-Copy-Update RCU protection. This missing protection creates a race condition, which can lead to a Use-After-Free UAF vulnerability. A local...