33254 matches found
Kimai has an arbitrary file read in its invoice PDF renderer (admin)
Summary Users with the role System-Admin ROLESYSTEADMIN and the permission uploadinvoicetemplate can upload PDF invoice templates, which can call pdfContext.setOption'associatedfiles', ... inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles, whose writer calls...
Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order
Vulnerability Details CWE-79: Cross-site Scripting XSS The AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order: Vulnerable Code...
eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields
Summary eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators \n, \r, or \r\n and thereby forge additional SSE fields or entire messages on the...
OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured
Summary The OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using the INSTANAENDPOINTPROXY environment variable. If a network attacker can Man-in-the-Middle MitM the...
Volcano's webhook server vulnerable to OOM due to unbounded HTTP request body size
Impact The Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the webhook...
Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability
Summary The kanban npm package used by the cline CLI starts a WebSocket server on 127.0.0.1:3484 with no Origin header validation. Any website a developer visits can silently connect to the kanban server via WebSocket and: 1. Leak sensitive data in real-time: workspace filesystem paths, task...
banks has Critical Remote Code Execution (RCE) via Jinja2 SSTI
Summary banks = 2.4.1 uses jinja2.Environment unsandboxed to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt are vulnerable to Server-Side Template Injection SSTI, which can lead to Remote Code Execution RCE on the host system. This is a...
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
Impact Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. Known affected plugins are: - @babel/plugin-transform-modules-systemjs - @babel/preset-env when using the modules: "systemjs" option, as it delegat...
Phoenix: Long-poll NDJSON body splitting causes large memory allocation
Summary An unauthenticated denial-of-service vulnerability in Phoenix's long-poll transport allows a remote client to allocate a large amount of memory with a HTTP request. A handful of concurrent requests can be sufficient to let the node run out of memory. See also...
Wagtail has improper permission handling when copying pages
Impact A CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once copied, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. Patche...
Wagtail has improper restriction handling on Documents and Images API
Impact The Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. Patches Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature releas...
Wagtail has improper permission handling when deleting form submissions
Impact A CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor...
Wagtail has improper permission handling when viewing page history
Impact A CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. Patches Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix...
Wagtail has improper permission handling when comparing revisions
Impact A CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information. Patches Patched versions have been released as Wagtail 7.0...
@cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry
Docker registry auth substring match forwards credentials to a different registry Repository cdxgen/cdxgen Affected product/package - Ecosystem: npm - Package: @cyclonedx/cdxgen - Reviewed tree version: 12.3.3 - Reviewed commit: b1e179869fd7c6032c3d483c3f7bd4d7154ec22b - Affected file:...
Open WebUI has Unauthorized File and Knowledge Base Content Access via RAG Vector Search
Unauthorized File and Knowledge Base Content Access via RAG Vector Search Affected Component RAG source resolution in chat completion pipeline: - backend/openwebui/retrieval/utils.py lines 963-965, 1063-1068, 1126-1131 in getsourcesfromitems Affected Versions Current main branch commit 6fdd19bf1...
Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels
Deactivated Channel Members Retain Full Access to Group/DM Channels Affected Component Channel membership authorization check: - backend/openwebui/models/channels.py lines 663-673, isuserchannelmember - Used at 15 locations in backend/openwebui/routers/channels.py Affected Versions Current main...
Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO
Read-Only Users Can Modify Collaborative Documents via Socket.IO Affected Component Socket.IO collaborative document editing handler: - backend/openwebui/socket/main.py lines 667-721, ydoc:document:update handler Affected Versions Current main branch and likely all versions with collaborative not...
Open WebUI's Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show
Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show Affected Component Ollama proxy endpoints missing model access control: - backend/openwebui/routers/ollama.py lines 955-995, generatecompletion - backend/openwebui/routers/ollama.py lines 835-881, emb...
Open WebUI's Model Import Overwrites Any Model Without Ownership Check
Model Import Overwrites Any Model Without Ownership Check Affected Component Model import endpoint: - backend/openwebui/routers/models.py lines 254-308, importmodels Affected Versions Current main branch commit 6fdd19bf1 and likely all versions with model import functionality. Description The POS...
Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels
Missing Access Check on Channel Members Endpoint for Standard Channels Affected Component Channel members listing endpoint: - backend/openwebui/routers/channels.py lines 445-507, getchannelmembersbyid Affected Versions Current main branch and likely all versions with the channels feature...
Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection
Global Knowledge Base Enumeration via knowledge-bases Meta-Collection Affected Component Retrieval collection access validation: - backend/openwebui/routers/retrieval.py lines 2330-2355, validatecollectionaccess - backend/openwebui/routers/retrieval.py query endpoints, e.g. POST /query/doc Affect...
Open WebUI has Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite
Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite Affected Component Retrieval web/YouTube processing endpoints: - backend/openwebui/routers/retrieval.py lines 1810-1837, processweb - backend/openwebui/routers/retrieval.py the parallel processyoutube endpoint -...
Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants
Channel Access Grants Bypass filterallowedaccessgrants Affected Component Channel creation and update endpoints: - backend/openwebui/routers/channels.py lines 291-340, createnewchannel - backend/openwebui/routers/channels.py lines 617-638, updatechannelbyid - backend/openwebui/models/channels.py...
Open WebUI's responses passthrough endpoint lacks access control authorization
Summary The /responses endpoint in the OpenAI router accepts any authenticated user and forwards requests directly to upstream LLM providers without enforcing per-model access control. While the primary chat completion endpoint generatechatcompletion checks model ownership, group membership, and...
Open WebUI's Base Model Routing Bypasses Access Control via Model Chaining
Base Model Routing Bypasses Access Control via Model Chaining Affected Component Model chaining via basemodelid: - backend/openwebui/routers/models.py lines 170-214, createnewmodel - backend/openwebui/routers/models.py lines 254-308, importmodels - backend/openwebui/main.py lines 1696-1711, base...
Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning
Redis Cache Keys toolservers and terminalservers Missing Instance Prefix Enable Cross-Instance Cache Poisoning Affected Component Tool server and terminal server Redis cache: - backend/openwebui/utils/tools.py line 841, toolservers SET - backend/openwebui/utils/tools.py line 850, toolservers GET ...
Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access
Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access Affected Component Socket.IO session state and role-check callsites: - backend/openwebui/socket/main.py lines 330-351, connect handler — role snapshotted into SESSIONPOOL - backend/openwebui/socket/main.py lin...
Open WebUI's Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts
Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts Affected Component Folder creation endpoint and form model: - backend/openwebui/models/folders.py lines 72-77, FolderForm with extra='allow' - backend/openwebui/models/folders.py lines 95-106,...
Open WebUI has an LDAP Empty Password Authentication Bypass
LDAP Empty Password Authentication Bypass Affected Component LDAP authentication endpoint: - backend/openwebui/routers/auths.py lines 468-477, user bind with empty password - backend/openwebui/models/auths.py lines 58-60, LdapForm model Affected Versions Current main branch commit 6fdd19bf1 and...
Grav: Stored XSS via page title (data[header][title]) in admin panel
Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the dataheadertitle parameter. --- Details Vulnerable Endpoint: GET /admin/pages/page Parameter:...
MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys
Summary MikroORM's identifier-quoting helper Platform.quoteIdentifier and the postgres/mssql overrides and its JSON-path emitters Platform.getSearchJsonPropertyKey, quoteJsonKey did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When...
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
Impact fast-uri v3.1.1 and earlier decodes percent-encoded authority delimiters %40 as @, %3A as : inside the host component and serializes them back as raw characters. This changes the URI structure, turning a hostname into userinfo plus a different host. For example,...
Zebra has Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning
Summary A composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems — all...
Bunsink has an SSRF bypass in `validate_webhook_url`
Summary Bugsink’s webhook URL validation in versions 2.1.2 and earlier could be partially bypassed because of a mismatch in URL parsing. In some malformed URLs, Python’s standard URL parser urllib and the HTTP client stack requests / urllib3 do not agree on which host is actually being targeted...
SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585)
Summary The tooltip mouseover handler in app/src/block/popover.ts reads aria-label via getAttribute and passes it through decodeURIComponent before assigning to messageElement.innerHTML in app/src/dialog/tooltip.ts:41. The encoder used at the producer side, escapeAriaLabel in...
open-webui Vulnerable to Stored XSS via Model Description
!IMPORTANT Relationship to CVE-2024-7990 CVE-2024-7990 issued by huntr.dev, March 2025 describes a stored XSS in the same field — the model description — but exploits a different bypass mechanism: a second-order injection through the sanitizeResponseContent function's video-tag placeholder...
Electerm users can run dangrous code through link or command line
Impact Arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Affected users: electerm installs that accept protocol URLs or CLI options affected versions listed in the original report. Exploit requires clicking a crafted electerm://... link or opening a crafted...
Electerm Security Vulnerability: RCE via malicious SSH server filename in openFileWithEditor
Impact A code execution RCE vulnerability exists in electerm's SFTP open with system editor or "Edit with custom editor" feature. When a user opts to edit a file using open with system editor or open with a custom editor, the filename is passed directly into a command line without sanitization. A...
Electerm's full process.env exposed to renderer via window.pre.env
Impact The getConstants IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessible from any JavaScript running in the renderer e.g., via the DevTools console or a compromised webview context...
Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click
Impact Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. When a user connects to a malicious SSH server, the attacker can print a crafted URI in the terminal output. If the victim clicks the link,...
Electerm runWidget has a path traversal that leads to arbitrary code execution
Impact The runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation: javascript const file = widget-$widgetId.js const widget = requirepath.joindirname, file Because runWidget is exposed to the...
absinthe_plug Has a Cross-site Scripting vulnerability
Improper Neutralization of Input During Web Page Generation XSS vulnerability in absinthe-graphql absintheplug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':jsescape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the...
dash-uploader has a directory traversal vulnerability
Impact An unauthenticated path traversal vulnerability exists in dash-uploader versions 0.1.0 through 0.7.0a2. The library's HTTP request handler at dashuploader/httprequesthandler.py reads three form parameters uploadid, resumableFilename, resumableIdentifier from request.form.get and passes the...
Zebra v4.4.0 still accepts V5 SIGHASH_SINGLE without a corresponding output
Consensus Divergence in V5 Transparent SIGHASHSINGLE With No Corresponding Output Summary Zebra failed to enforce a ZIP-244 consensus rule for V5 transparent transactions: when an input is signed with SIGHASHSINGLE and there is no transparent output at the same index as that input, validation mus...
phpseclib guardrails needed on OID length
Impact Any application using that loads untrusted ASN1 files eg. X509 certificates, RSA PKCS8 private or public keys, etc. Patches https://github.com/phpseclib/phpseclib/commit/e32531001b4d62c66c3d824ccef54ffad835eb59 Workarounds No. Resources...
justhtml introduces denial-of-service hardening
Summary justhtml 1.18.0 fixes multiple low-severity denial-of-service hardening issues in CSS selector handling and linkification. These issues are availability concerns. They do not allow script execution, data disclosure, or sanitizer bypass by themselves. Affected versions - justhtml 1.18.0...
bitcoinj has a ScriptExecution P2PKH/P2WPKH Verification Bypass
Summary ScriptExecution.correctlySpends contains two fast-path verification bugs for standard P2PKH and native P2WPKH spends in core/src/main/java/org/bitcoinj/script/ScriptExecution.java. In both branches, bitcoinj verifies an attacker-controlled signature/public-key pair but fails to verify tha...
nhost has Session Persistence After Password Change
Description When a user changes their password, either through the authenticated password change endpoint or a password reset ticket, the ChangePassword workflow correctly hashes and persists the new password via UpdateUserChangePassword. However, it does not revoke existing sessions. The...
gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers
Summary CertVerifier.Verify in pkg/git/verifier.go unconditionally dereferences certs0 after sd.GetCertificates without checking the slice length. A CMS/PKCS7 signed message with an empty certificate set is a structurally valid DER payload; GetCertificates returns an empty slice with no error,...