|
151
|
5.4 |
MEDIUM
Network
|
-
|
-
|
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass san…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-46360
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
152
|
8.1 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, he LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) patt…
New
|
CWE-269
CWE-362
Improper Privilege Management
Race Condition
|
CVE-2026-45675
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
153
|
8.8 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.12, the /api/v1/utils/code/execute endpoint executes arbitrary Python code via Jupyter …
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-45672
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
154
|
- |
|
-
|
-
|
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, This vulnerability is fixed in 1.0.8.3.
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-45616
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
155
|
8.5 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validate_url() function in backend/open_webui/retrieval/web/utils.py only valida…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-45401
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
156
|
7.5 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, _validate_collection_access() checks the user-memory-* and file-* collection name pr…
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-45398
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
157
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, GET /api/v1/retrieval/ returns live RAG pipeline configuration to any unauthenticate…
New
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-45397
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
158
|
7.2 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the tool update endpoint (POST /api/v1/tools/id/{id}/update) is missing the workspac…
New
|
CWE-269
CWE-862
Improper Privilege Management
Missing Authorization
|
CVE-2026-45395
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
159
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Reserved. Details will be published at disclosure.
Update
|
CWE-20
Improper Input Validation
|
CVE-2026-45393
|
2026-05-16 06:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
160
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, Pin/Unpin is a write operation (modifies the message's is_pinned , pinned_by, pinned…
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-45386
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
