Lucene search
K

4984 matches found

EUVD
EUVD
added 2026/06/30 8:22 p.m.7 views

EUVD-2025-210382

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a...

6.4CVSS5.5AI score0.00257EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-54170

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 150.0.7871.47 Description Insufficient validation of untrusted input in the WebUI allows a remote attacker to leak cross-origin data through malicious network traffic. Cross-origin data leakage occurs when a...

9.8CVSS6AI score0.00413EPSS
Exploits0References447
OSV
OSV
added 2026/06/27 12:0 a.m.4 views

OPENSUSE-SU-2026:11128-1 agama-web-ui-22+143.ee15dea20-46.1 on GA media

These are all security issues fixed in the agama-web-ui-22+143.ee15dea20-46.1 package on the GA media of openSUSE Tumbleweed...

7.5CVSS5.8AI score0.00294EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/26 8:34 p.m.15 views

EUVD-2026-37516

Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication...

9.3CVSS5.8AI score0.00324EPSS
Exploits0References3
Chainguard
Chainguard
added 2026/06/26 8:23 p.m.11 views

GHSA-JM82-FX9C-MX94 vulnerabilities

Vulnerabilities for packages: nemo, open-webui...

6.1AI score
Exploits0
Wolfi
Wolfi
added 2026/06/26 8:22 p.m.8 views

CVE-2026-54531 vulnerabilities

Vulnerabilities for packages: open-webui...

6.9CVSS5.8AI score0.00123EPSS
Exploits0
OSV
OSV
added 2026/06/25 10:34 p.m.3 views

GO-2026-5632 Pelican Web UI Affected by a Privilege Escalation Attack in github.com/pelicanplatform/pelican

Pelican Web UI Affected by a Privilege Escalation Attack in github.com/pelicanplatform/pelican...

9CVSS5.8AI score0.0032EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/24 12:0 a.m.4 views

Oracle Linux 9 : pcs (ELSA-2026-19167)

The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-19167 advisory. 0.11.11-2.el98.1 - Fixed CVE-2026-4800 by updating pcs-web-ui to 0.1.24.3 Resolves: RHEL-164206 Tenable has extracted the preceding description block directly...

9.8CVSS6.9AI score0.01735EPSS
Exploits0References2
NVD
NVD
added 2026/06/23 6:18 p.m.10 views

CVE-2026-54014

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, a path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache...

4.3CVSS0.00244EPSS
Exploits1References1
OSV
OSV
added 2026/06/23 4:51 p.m.3 views

CVE-2026-54007 Open WebUI: Cross-origin postMessage confirmation bypass via action:submit

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt in an authenticated victim...

7.1CVSS6AI score0.00162EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/06/23 4:45 p.m.41 views

CVE-2026-54014 Open WebUI: Sibling-Prefix Path Traversal via /cache/{path} in open-webui/open-webui

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, a path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache...

4.3CVSS0.00244EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/22 2:9 p.m.31 views

CVE-2026-11372 IBM TRIRIGA Cross-Site Scripting Vulnerability

IBM TRIRIGA Application Platform 5.0.2 through 5.0.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

5.4CVSS0.00165EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/18 9:9 p.m.31 views

CVE-2026-54017 Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the terminal-server reverse proxy in backend/openwebui/routers/terminals.py does not fully confine the user-controlled path segment before forwarding it to an admin-configured termin...

7.7CVSS0.00349EPSS
Exploits0References1
OSV
OSV
added 2026/06/17 2:16 p.m.7 views

GHSA-4R4W-2WGP-W7CJ Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion

Summary Open WebUI's prompt version-history endpoints authorize the promptid in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt historyentry.promptid == prompt.id. Three operations are affected: - GET...

6.4CVSS5.7AI score0.00169EPSS
Exploits1References2
OSV
OSV
added 2026/06/17 2:12 p.m.8 views

GHSA-VRHC-3FR6-PC3C Open WebUI: Forged chat-file link allows cross-user file read and deletion

Summary Open WebUI v0.9.5 lets an authenticated user attach arbitrary fileid values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, hasaccesstofile treats the victim file as accessible...

8.3CVSS5.6AI score0.00241EPSS
Exploits1References4
OSV
OSV
added 2026/06/17 2:9 p.m.5 views

GHSA-F3G7-59QC-PQG6 Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar

Summary POST /api/v1/calendars/events/eventid/update validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination calendarid supplied in the request body. The model layer then persists the new calendarid unconditionally. A regula...

4.3CVSS5.4AI score0.00179EPSS
Exploits1References2
Tenable Nessus
Tenable Nessus
added 2026/06/16 12:0 a.m.13 views

Cisco Catalyst SD-WAN Manager Arbitrary File Write (cisco-sa-sdwan-arbfw-c2rZvQ)

According to its self-reported version, Cisco SD-WAN Viptela Software is affected by a vulnerability. - A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem o...

6.5CVSS6.2AI score0.07683EPSS
Exploits2References3
Wolfi
Wolfi
added 2026/06/15 8:35 p.m.8 views

GHSA-248M-82V9-Q6G6 vulnerabilities

Vulnerabilities for packages: open-webui...

5.2AI score
Exploits0
Wolfi
Wolfi
added 2026/06/15 8:35 p.m.10 views

GHSA-CJ93-CHG6-VGV8 vulnerabilities

Vulnerabilities for packages: open-webui...

5.2AI score
Exploits0
Github Security Blog
Github Security Blog
added 2026/06/12 6:30 p.m.27 views

nebula-mesh: POST /api/v1/hosts/{id}/mobile-bundle response lacks Cache-Control: no-store

internal/api/mobilebundle.go:62-66 sets only Content-Type: application/yaml. The Web-UI sibling at internal/web/handlers.go:1316-1321 sets Cache-Control: no-store, Pragma: no-cache, Expires: 0, X-Content-Type-Options: nosniff — and has a test asserting it. The API path was missed. Affected All...

5.3AI score
Exploits0References3Affected Software1
Rows per page
Query Builder