|
1621
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.11, there is a blind server side request forgery (SSRF) via the PDF generate function. …
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-45347
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1622
|
7.1 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in chat completion API, which allows attackers to bypass to…
|
CWE-862
Missing Authorization
|
CVE-2026-45350
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1623
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.9, when a regular user [non-admin] logs into the application, a http://IP:8080/api/mode…
|
CWE-200
Information Exposure
|
CVE-2026-45351
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1624
|
4.3 |
MEDIUM
Network
|
dovecot
open-xchange
|
dovecot
|
Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is lim…
|
CWE-284
NVD-CWE-noinfo
Improper Access Control
|
CVE-2026-40020
|
2026-05-19 02:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1625
|
5.3 |
MEDIUM
Adjacent
|
dovecot
open-xchange
|
dovecot
|
Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the c…
|
CWE-99
Resource Injection
|
CVE-2026-33603
|
2026-05-19 02:35 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1626
|
6.5 |
MEDIUM
Network
|
dovecot
open-xchange
|
dovecot
|
Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to deg…
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-40016
|
2026-05-19 02:34 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1627
|
8.2 |
HIGH
Network
|
-
|
-
|
PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the login_userid parameter of login.php that allows unauthenticated attackers to extract database conte…
|
CWE-89
SQL Injection
|
CVE-2021-47966
|
2026-05-19 02:33 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1628
|
6.1 |
MEDIUM
Network
|
-
|
-
|
PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers …
|
CWE-79
Cross-site Scripting
|
CVE-2021-47967
|
2026-05-19 02:33 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1629
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared …
|
CWE-863
Incorrect Authorization
|
CVE-2026-28759
|
2026-05-19 02:32 |
2026-05-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1630
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cau…
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-2325
|
2026-05-19 02:32 |
2026-05-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
