|
311
|
5.4 |
MEDIUM
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to…
Update
|
CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
|
CVE-2026-45396
|
2026-05-19 21:20 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
312
|
5.3 |
MEDIUM
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, GET /api/v1/retrieval/ returns live RAG pipeline configuration to any unauthenticate…
Update
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-45397
|
2026-05-19 21:19 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
313
|
7.5 |
HIGH
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, _validate_collection_access() checks the user-memory-* and file-* collection name pr…
Update
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-45398
|
2026-05-19 21:18 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
314
|
- |
|
-
|
-
|
In the Linux kernel, the following vulnerability has been resolved:
crypto: pcrypt - Fix handling of MAY_BACKLOG requests
MAY_BACKLOG requests can return EBUSY. Handle them by checking
for that va…
New
|
-
|
CVE-2026-43493
|
2026-05-19 21:16 |
2026-05-19 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
315
|
- |
|
-
|
-
|
In the Linux kernel, the following vulnerability has been resolved:
lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
Yiming reports an integer underflow in mpi_read_raw_from_sgl() …
New
|
-
|
CVE-2026-43492
|
2026-05-19 21:16 |
2026-05-19 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
316
|
- |
|
-
|
-
|
In the Linux kernel, the following vulnerability has been resolved:
net: qrtr: ns: Limit the maximum server registration per node
Current code does no bound checking on the number of servers added …
New
|
-
|
CVE-2026-43491
|
2026-05-19 21:16 |
2026-05-19 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
317
|
8.5 |
HIGH
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, a parsing difference between the urlparse and requests libraries led to an SSRF bypa…
Update
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-45400
|
2026-05-19 21:08 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
318
|
8.5 |
HIGH
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validate_url() function in backend/open_webui/retrieval/web/utils.py only valida…
Update
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-45401
|
2026-05-19 21:07 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
319
|
8.8 |
HIGH
Network
|
huggingface
|
diffusers
|
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trust_remote_code=True safeguard when loading pipelines from Hu…
Update
|
CWE-94
Code Injection
|
CVE-2026-44827
|
2026-05-19 12:20 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
320
|
8.8 |
HIGH
Network
|
huggingface
|
diffusers
|
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user p…
Update
|
CWE-94
Code Injection
|
CVE-2026-44513
|
2026-05-19 12:18 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
