|
241
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the _validate_collection_access function uses an incomplete allowlist that only enfo…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-44557
|
2026-05-16 05:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
242
|
7.1 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /responses endpoint in the OpenAI router accepts any authenticated user and forw…
New
|
CWE-284
CWE-862
Improper Access Control
Missing Authorization
|
CVE-2026-44556
|
2026-05-16 05:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
243
|
8.1 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collection_n…
New
|
CWE-862
Missing Authorization
|
CVE-2026-44554
|
2026-05-16 05:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
244
|
8.7 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the tool_servers and terminal_servers keys in utils/tools.py do use a prefix. When t…
New
|
CWE-668
Exposure of Resource to Wrong Sphere
|
CVE-2026-44552
|
2026-05-16 05:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
245
|
9.1 |
CRITICAL
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP authentication endpoint does not validate that the submitted password is no…
New
|
CWE-287
Improper Authentication
|
CVE-2026-44551
|
2026-05-16 05:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
246
|
5.0 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, FolderForm uses model_config = ConfigDict(extra='allow'), which permits arbitrary fi…
New
|
CWE-862
Missing Authorization
|
CVE-2026-44550
|
2026-05-16 05:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
247
|
6.1 |
MEDIUM
Network
|
-
|
-
|
CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.p…
Update
|
CWE-79
Cross-site Scripting
|
CVE-2026-44376
|
2026-05-16 05:16 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
248
|
- |
|
-
|
-
|
ORSEE (Online Recruitment System for Economic Experiments) 3.1.0 contains an authenticated Remote Code Execution vulnerability in the participant profile field processing subsystem. Certain field con…
New
|
-
|
CVE-2025-67031
|
2026-05-16 05:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
249
|
5.3 |
MEDIUM
Network
|
fleetdm
|
fleet
|
Fleet is open source device management software. Prior to version 4.80.1, Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authentic…
New
|
CWE-290
Authentication Bypass by Spoofing
|
CVE-2026-24000
|
2026-05-16 05:05 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
250
|
9.8 |
CRITICAL
Network
|
mozilla
|
firefox
|
Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3.
Update
|
CWE-693
Protection Mechanism Failure
|
CVE-2026-8401
|
2026-05-16 05:05 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
