|
111
|
7.7 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a Server-Side Request Forgery (SSRF) vulnerability exists in _process_picture_url() …
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-45338
|
2026-05-16 08:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
112
|
8.5 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, validate_url() in backend/open_webui/retrieval/web/utils.py calls validators.ipv6(ip…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-45331
|
2026-05-16 08:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
113
|
9.1 |
CRITICAL
Network
|
-
|
-
|
phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session bind…
New
|
CWE-307
mproper Restriction of Excessive Authentication Attempts
|
CVE-2026-45010
|
2026-05-16 08:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
114
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, in standard channels (i.e., channels whose channel.type is neither group nor dm), th…
New
|
CWE-862
Missing Authorization
|
CVE-2026-44571
|
2026-05-16 08:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
115
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files.
Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized…
New
|
CWE-787
Out-of-bounds Write
|
CVE-2026-8669
|
2026-05-16 07:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
116
|
5.3 |
MEDIUM
Local
|
-
|
-
|
Imager::File::GIF versions through 1.002 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files.
Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer G…
New
|
CWE-787
Out-of-bounds Write
|
CVE-2026-8454
|
2026-05-16 07:16 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
117
|
- |
|
-
|
-
|
Trog::TOTP versions before 1.006 for Perl generate secrets using rand.
Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
New
|
CWE-331
Insufficient Entropy
|
CVE-2026-46474
|
2026-05-16 07:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
118
|
5.4 |
MEDIUM
Network
|
-
|
-
|
phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint that allows any authenticated user to delete tags. Any logged-in user, incl…
New
|
CWE-862
Missing Authorization
|
CVE-2026-46365
|
2026-05-16 07:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
119
|
7.5 |
HIGH
Network
|
-
|
-
|
phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attac…
New
|
CWE-89
SQL Injection
|
CVE-2026-46359
|
2026-05-16 07:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
120
|
8.0 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE …
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-45671
|
2026-05-16 07:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
