|
171
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) issue in its XStream-based XML parsing logic. When attacker-controlled XML is passed to framework parsing entry points such as PamirsXmlUtils…
New
|
CWE-611
XXE
|
CVE-2026-39053
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
172
|
6.5 |
MEDIUM
Network
|
getoutline
|
outline
|
Outline is a service that allows for collaborative documentation. Prior to 1.7.1, the Slack integration callback for GET /auth/slack.post accepts an unsigned, session-independent OAuth state value. A…
Update
|
CWE-352
Origin Validation Error
|
CVE-2026-44695
|
2026-05-16 05:21 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
173
|
8.7 |
HIGH
Network
|
dani-garcia
|
vaultwarden
|
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as grou…
Update
|
CWE-285
Improper Authorization
|
CVE-2026-43912
|
2026-05-16 05:19 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
174
|
7.6 |
HIGH
Network
|
-
|
-
|
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter …
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-46408
|
2026-05-16 05:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
175
|
7.1 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user with low privileges can enumerate active background tasks acr…
New
|
CWE-862
Missing Authorization
|
CVE-2026-45399
|
2026-05-16 05:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
176
|
7.1 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a user just needs to use the API endpoint: /api/chat/completions with their own API …
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-45349
|
2026-05-16 05:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
177
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-45339
|
2026-05-16 05:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
178
|
9.1 |
CRITICAL
Network
|
-
|
-
|
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) of CubeCart. The end…
New
|
CWE-434
Unrestricted Upload of File with Dangerous Type
|
CVE-2026-45053
|
2026-05-16 05:16 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
179
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the ydoc:document:update Socket.IO event handler checks whether the sender is a memb…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-44564
|
2026-05-16 05:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
180
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints accept any m…
New
|
CWE-862
Missing Authorization
|
CVE-2026-44563
|
2026-05-16 05:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
