|
1631
|
8.8 |
HIGH
Network
|
-
|
-
|
Jenkins External Workspace Manager Plugin 1.3.2 and earlier does not reject path traversal sequences in the custom workspace path provided to the exwsAllocate Pipeline step, allowing attackers with I…
|
CWE-22
Path Traversal
|
CVE-2026-57296
|
2026-06-25 23:01 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1632
|
5.4 |
MEDIUM
Network
|
-
|
-
|
A cross-site request forgery (CSRF) vulnerability in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers to have Jenkins connect to an attacker-specified URL usi…
|
CWE-352
Origin Validation Error
|
CVE-2026-57298
|
2026-06-25 23:01 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1633
|
4.3 |
MEDIUM
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/v1/calendars/events/{event_id}/update validates that the caller has write …
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-54006
|
2026-06-25 22:41 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1634
|
8.5 |
HIGH
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, backend/open_webui/utils/oauth.py::_process_picture_url calls validate_url(picture_u…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-54008
|
2026-06-25 22:35 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1635
|
6.5 |
MEDIUM
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/chat/completions accepts an image_url.url value that, when it does NOT sta…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-54009
|
2026-06-25 22:35 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1636
|
8.3 |
HIGH
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets an authenticated user attach arbitrary file_id values to their own c…
|
CWE-284
CWE-639
CWE-862
Improper Access Control
Authorization Bypass Through User-Controlled Key
Missing Authorization
|
CVE-2026-54010
|
2026-06-25 22:34 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1637
|
5.4 |
MEDIUM
Network
|
openwebui
|
open_webui
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6,Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and i…
|
CWE-79
Cross-site Scripting
|
CVE-2026-54011
|
2026-06-25 22:33 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1638
|
8.8 |
HIGH
Network
|
-
|
-
|
The Email Address Encoder WordPress plugin before 1.0.25, email-encoder-premium WordPress plugin before 0.3.12 does not properly handle email replacement, which could allow unauthenticated users to p…
|
-
|
CVE-2026-5305
|
2026-06-25 22:28 |
2026-06-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1639
|
7.5 |
HIGH
Network
|
-
|
-
|
The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowi…
|
-
|
CVE-2026-9702
|
2026-06-25 22:28 |
2026-06-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1640
|
5.5 |
MEDIUM
Local
|
-
|
-
|
Generic IO & Memory Access driver for PCs provided by TOSHIBA CORPORATION and Dynabook Inc. exposes its IOCTL with insufficient access control. A logged-in user with no administrative privilege may a…
|
CWE-782
Exposed IOCTL with Insufficient Access Control
|
CVE-2026-56129
|
2026-06-25 22:28 |
2026-06-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
