Lucene search
K

537 matches found

Fedora
Fedora
added 2026/05/25 12:51 a.m.17 views

[SECURITY] Fedora 44 Update: aw-server-rust-0.14.0^20260516.gitdf49b3d-1.fc44

A re-implementation of aw-server in Rust...

5.8AI score
Exploits0
CNNVD
CNNVD
added 2026/05/25 12:0 a.m.9 views

GNU LibreDWG 安全漏洞

GNU LibreDWG is a C language library for working with DWG files from the US GNU community. A security vulnerability exists in GNU LibreDWG version 0.14 and earlier versions, which stems from a heap buffer overflow in the decompressR2004section function of the src/decode.c file in the Dwgread...

5.3CVSS6.2AI score0.00154EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/05/19 7:57 a.m.10 views

CVE-2026-45675

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, he LDAP and OAuth authentication flows use a TOCTOU Time-of-Check-Time-of-Use pattern for first-user admin role assignment. The regular signup handler signuphandler in auths.py, line...

8.1CVSS5.9AI score0.00354EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/19 12:0 a.m.31 views

CVE-2026-39250

An authorization vulnerability exists in Innoshop 0.6.0. After logging into the frontend, an attacker can directly access backend application interfaces, leading to further dangerous operations...

0.00248EPSS
Exploits0References2
OSV
OSV
added 2026/05/18 1:23 p.m.11 views

CLEANSTART-2026-OH43332 Security fixes for CVE-2022-29526, CVE-2025-47907, CVE-2025-61726, CVE-2025-61727, CVE-2025-61728, CVE-2025-61729, CVE-2025-61730, CVE-2025-68121, CVE-2026-24515, CVE-2026-25210, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33810, CVE-2026-33811, CVE-2026-33814, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499, CVE-2026-42501, ghsa-4f99-4q7p-p3gh applied in versions: 0.10-r0, 0.10-r1, 0.10-r2, 0.10-r3, 0.10-r4, 0.10-r5, 0.11-r0

Multiple security vulnerabilities affect the druid-exporter-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

10CVSS7AI score0.02593EPSS
Exploits5References62
OSV
OSV
added 2026/05/18 1:4 p.m.3 views

CLEANSTART-2026-XJ06210 Security fixes for CVE-2025-61727, CVE-2025-61729, CVE-2026-24051, CVE-2026-25679, CVE-2026-27137, CVE-2026-27138, CVE-2026-27139, CVE-2026-27142, CVE-2026-29181, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33186, CVE-2026-33810, CVE-2026-33811, CVE-2026-33814, CVE-2026-34986, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-39883, CVE-2026-42499 applied in versions: 0.18.0-r0

Multiple security vulnerabilities affect the restic package. These issues are resolved in later releases. See references for individual vulnerability details...

9.1CVSS5.8AI score0.01557EPSS
Exploits5References53
EUVD
EUVD
added 2026/05/18 6:34 a.m.13 views

EUVD-2026-30739

Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the setadd method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that version 0.9.0 fixed a similar issue...

5.8AI score0.00306EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/15 9:17 p.m.9 views

CVE-2026-45345 Open WebUI: Missing authorization check at the model update function - models from other users can be updated

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user's model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained. This...

6.5CVSS5.8AI score0.00226EPSS
Exploits1References1
NVD
NVD
added 2026/05/15 8:16 p.m.18 views

CVE-2026-44558

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filterallowedaccessgrants on either create or update paths. A non-admin user who can create group channels or who owns a channel can submit arbitrary...

5.4CVSS0.0019EPSS
Exploits1References1
CVE
CVE
added 2026/05/15 8:0 p.m.24 views

CVE-2026-44550

Open WebUI prior to 0.9.0 vulnerable to mass assignment via Pydantic extra='allow' in FolderForm. The server constructs a FolderModel by merging attacker-controlled extra fields (from form_data.model_dump(exclude_unset=True)) over a server-populated user_id, and because user_id is a real field, a...

5CVSS6AI score0.00287EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/05/15 7:28 p.m.35 views

CVE-2026-44563 Open WebUI: Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints accept any model name from the user and forward the request to the Ollama backend without checking whether the...

5.4CVSS0.00238EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/15 7:22 p.m.13 views

CVE-2026-45331 Open WebUI: Full SSRF Vulnerability in the RAG Web Search Feature

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, validateurl in backend/openwebui/retrieval/web/utils.py calls validators.ipv6ip, private=True, but the validators library does NOT implement the private keyword for IPv6 — the call...

8.5CVSS5.8AI score0.00286EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/15 7:21 p.m.8 views

CVE-2026-45339 Open WebUI: API key endpoint restrictions bypassed via `x-api-key` header — full message processing on restricted endpoints

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-...

6.5CVSS5.8AI score0.00309EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/15 4:4 p.m.24 views

EUVD-2026-30559

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install on supported Python 3.10 and 3.11 runtimes. When apm install is given a...

5.5CVSS5.8AI score0.0061EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/14 8:26 p.m.8 views

Incorrect Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Incorrect Authorization through the updatetoolsbyid handler in routers/tools.py. An attacker can execute arbitrary Python code on the server by sending a tool update that modifies the tool's content after...

8.8CVSS6.2AI score0.00437EPSS
Exploits1References2
NVD
NVD
added 2026/05/11 6:16 p.m.15 views

CVE-2026-42859

Neat VNC is a VNC server library. Prior to 0.9.6, a pre-authentication stack buffer overflow exists in neatvnc in the RSA-AES security type handler. An unauthenticated remote attacker who can reach the VNC listening socket can send a crafted security type 5 RSA-AES or security type 129 RSA-AES-25...

9.3CVSS0.0055EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/10 12:0 a.m.14 views

PT-2026-39533

Name of the Vulnerable Software and Affected Versions Plack::Middleware::Statsd versions prior to 0.9.0 Description Plack::Middleware::Statsd for Perl may leak user IP addresses. This occurs if the communication channel to the statsd daemon is not secured, such as when sending UDP packets to a ho...

5.3CVSS5.8AI score0.00219EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/05/08 10:2 p.m.5 views

CVE-2026-42224

ipl/web is a set of common web components for php projects. Prior to version 0.13.1, the vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no...

7.6CVSS5.7AI score0.00259EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/05/08 9:12 p.m.31 views

CVE-2026-42193 Plunk: SNS webhook forgery

Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhoo...

9.1CVSS0.00127EPSS
Exploits0References2
NVD
NVD
added 2026/05/08 4:16 a.m.30 views

CVE-2026-42273

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host...

7.8CVSS0.00301EPSS
Exploits0References4
Rows per page
Query Builder