CVE-2026-45345 Open WebUI: Missing authorization check at the model update function - models from other users can be updated

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user's model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained. This...

CVE-2026-3995

CVE-2026-3995 concerns the OPEN-BRAIN WordPress plugin (versions up to 0.5.0). The vulnerability arises in the API Key settings field, where insufficient input sanitization and output escaping allow an authenticated Administrator to inject stored cross-site scripting payloads. Specifically, sanit...

CVE-2026-3995

The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitizetextfield which strips HTML tags but does not...

PT-2026-26167

Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter and passes it directly to fetch server-side, and returns the...

MyClub 安全漏洞

MyClub is a club management software for jibux individual developers. A security vulnerability exists in MyClub version 0.5, which stems from insufficient cleanup of query parameter inputs and could lead to an SQL injection attack...

PrivateGPT 跨站脚本漏洞

PrivateGPT is an AI project open-sourced by Zylon. A cross-site scripting vulnerability exists in PrivateGPT version v0.5.0, which stems from cross-site scripting during file uploads, which allows an attacker to upload a malicious SVG file and execute JavaScript when the victim clicks on the file...

PT-2024-18240 · Garo · Garo Wallbox Glb+ T2Ev7

Name of the Vulnerable Software and Affected Versions: GARO WALLBOX GLB+ T2EV7 version 0.5 Description: A problematic issue was found in the Software Update Handler component, affecting an unknown part of the file /index.jspsettings. The manipulation of the Reference argument leads to cross-site...

CVE-2023-25309

Cross Site Scripting XSS Vulnerability in Fetlife rollout-ui version 0.5, allows attackers to execute arbitrary code via a crafted url to the delete a feature functionality...

@acanto/components (>=0.0.2 <=0.0.73), @acanto/components-header-subnav (>=0.0.2 <=0.0.37) +51 more potentially affected by CVE-2021-23702 via object-extend (=0.5.0)

object-extend NPM version =0.5.0 is affected by a known vulnerability. The following packages have a transitive dependency on object-extend and may be impacted: - @acanto/components =0.0.2, =0.0.2, =0.0.2, =0.0.3, =0.0.2, =0.0.2, =0.0.17, =0.0.2, =0.0.2, =0.0.65, =0.0.2, =0.0.2, =0.0.2, =0.0.4,...