|
221
|
7.3 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a stored cross-site scripting (XSS) vulnerability that allows any authenticated user…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-44721
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
222
|
4.8 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overl…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-44568
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
223
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the is_user_channel_member function checks whether a ChannelMember row exists but do…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-44561
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
224
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the GET /api/v1/channels/{id}/members endpoint only checks membership for group and …
New
|
CWE-862
Missing Authorization
|
CVE-2026-44559
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
225
|
7.6 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI supports model composition via base_model_id: a user-defined model (e.g.,…
New
|
CWE-862
Missing Authorization
|
CVE-2026-44555
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
226
|
8.1 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to discon…
New
|
CWE-613
Insufficient Session Expiration
|
CVE-2026-44553
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
227
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks…
Update
|
CWE-444
HTTP Request Smuggling
|
CVE-2026-42585
|
2026-05-16 06:16 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
228
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) issue in its XStream-based XML parsing logic. When attacker-controlled XML is passed to framework parsing entry points such as PamirsXmlUtils…
New
|
CWE-611
XXE
|
CVE-2026-39053
|
2026-05-16 06:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
229
|
6.5 |
MEDIUM
Network
|
getoutline
|
outline
|
Outline is a service that allows for collaborative documentation. Prior to 1.7.1, the Slack integration callback for GET /auth/slack.post accepts an unsigned, session-independent OAuth state value. A…
Update
|
CWE-352
Origin Validation Error
|
CVE-2026-44695
|
2026-05-16 05:21 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
230
|
8.7 |
HIGH
Network
|
dani-garcia
|
vaultwarden
|
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as grou…
Update
|
CWE-285
Improper Authorization
|
CVE-2026-43912
|
2026-05-16 05:19 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
