12 matches found
EUVD-2026-34259
An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the...
CVE-2026-44554
Open WebUI (self-hosted AI) vulnerability: the POST /api/v1/retrieval/process/web endpoint accepts a user-controlled collection_name with overwrite defaulting to True, and performs no authorization check to verify write access. When overwrite is True, save_docs_to_vector_db calls VECTOR_DB_CLIENT...
CVE-2026-44554 Open WebUI: Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collection_name and an overwrite query parameter (default: True). It performs no authorization check on whether t...
GHSA-393C-P46R-7C95 Directus: Path Traversal and Broken Access Control in File Management API
Summary: A broken access control vulnerability was identified in the Directus file management API that allows authenticated users to overwrite files belonging to other users by manipulating the filename_disk parameter. Details: The PATCH /files/id endpoint accepts a user-controlled filename_disk...
EUVD-2026-16482
Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite...
CVE-2026-28788 Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the POST /api/v1/retrieval/process/files/batch endpoint. The endpoint performs no ownership check, so a...
CVE-2025-64107
CVE-2025-64107 affects Cursor (open-source AI code editor). Versions 1.7.52 and earlier are vulnerable to path manipulation allowing RCE on Windows due to incomplete detection of backslash-based path operations, unlike the forward-slash checks that require approval. An attacker with prior control...
CVE-2024-51534
Dell PowerProtect DD vulnerable versions before DDOS 8.3.0.0, 7.10.1.50, and 7.13.1.20 are affected by a path traversal flaw that could allow a local low-privileged attacker to overwrite OS files on the server filesystem, potentially causing denial of service. The concern is supported by multiple...
CVE-2024-51534
Dell PowerProtect DD versions prior to DDOS 8.3.0.0, 7.10.1.50, and 7.13.1.20 contain a path traversal vulnerability. A local low-privileged attacker could potentially exploit this vulnerability to gain unauthorized overwrite of OS files stored on the server filesystem. Exploitation could lead to denial o...
CVE-2020-8948
The Sierra Wireless Windows Mobile Broadband Driver Packages (MBDP) before build 5043 allow an unprivileged user to overwrite arbitrary files in arbitrary folders using hard links. An unprivileged user could leverage this vulnerability to execute arbitrary code with system privileges...
Unauthorized File Overwrite
keycloak-httpd-client-install is vulnerable to unauthorized file overwrite. Unsafe creation of log file in /tmp via the --log-file option in keycloakcli.py allows local attackers to overwrite other files via symbolic link...