| 161 | 4.3 | MEDIUM | Network | - | - | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any cha… | New | CWE-639 Authorization Bypass Through User-Controlled Key | CVE-2026-45385 | 2026-05-16 06:16 | 2026-05-16 |
| 162 | 4.3 | MEDIUM | Network | - | - | phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login statu… | New | CWE-863 Incorrect Authorization | CVE-2026-45009 | 2026-05-16 06:16 | 2026-05-16 |
| 163 | 7.2 | HIGH | Network | arubanetworks | arubaos sd-wan | An authenticated remote code execution vulnerability exists in the AOS-8 and AOS-10 web-based management interface. A vulnerability in the certificate download functionality could allow an authentica… | New | NVD-CWE-noinfo CWE-296 Improper Following of a Certificate's Chain of Trust | CVE-2026-44852 | 2026-05-16 06:16 | 2026-05-13 |
| 164 | 7.3 | HIGH | Network | - | - | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a stored cross-site scripting (XSS) vulnerability that allows any authenticated user… | New | CWE-79 Cross-site Scripting | CVE-2026-44721 | 2026-05-16 06:16 | 2026-05-16 |
| 165 | 4.8 | MEDIUM | Network | - | - | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overl… | New | CWE-79 Cross-site Scripting | CVE-2026-44568 | 2026-05-16 06:16 | 2026-05-16 |
| 166 | 5.4 | MEDIUM | Network | - | - | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the is_user_channel_member function checks whether a ChannelMember row exists but do… | New | CWE-863 Incorrect Authorization | CVE-2026-44561 | 2026-05-16 06:16 | 2026-05-16 |
| 167 | 4.3 | MEDIUM | Network | - | - | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the GET /api/v1/channels/{id}/members endpoint only checks membership for group and … | New | CWE-862 Missing Authorization | CVE-2026-44559 | 2026-05-16 06:16 | 2026-05-16 |
| 168 | 7.6 | HIGH | Network | - | - | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI supports model composition via base_model_id: a user-defined model (e.g.,… | New | CWE-862 Missing Authorization | CVE-2026-44555 | 2026-05-16 06:16 | 2026-05-16 |
| 169 | 8.1 | HIGH | Network | - | - | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to discon… | New | CWE-613 Insufficient Session Expiration | CVE-2026-44553 | 2026-05-16 06:16 | 2026-05-16 |
| 170 | 6.5 | MEDIUM | Network | - | - | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks… | New | CWE-444 HTTP Request Smuggling | CVE-2026-42585 | 2026-05-16 06:16 | 2026-05-14 |