Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
0.0 NA
CVE-2026-44564 — Open WebUI: Read-Only Users Can Modify Collaborative Documents via Socket.IO

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the ydoc:document:update Socket.IO event handler checks whether the sender is a memb…

| Authorization
May 15, 2026
0.0 NA
CVE-2026-44568 — Open WebUI: Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overl…

| Cross-Site Scripting
May 15, 2026
0.0 NA
CVE-2026-45331 — Open WebUI: Full SSRF Vulnerability in the RAG Web Search Feature

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, validate_url() in backend/open_webui/retrieval/web/utils.py calls validators.ipv6(ip…

| Server-Side Request Forgery
May 15, 2026
0.0 NA
CVE-2026-45339 — Open WebUI: API key endpoint restrictions bypassed via `x-api-key` header — full message …

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When…

| Authorization
May 15, 2026
0.0 NA
CVE-2026-45349 — Open WebUI: Broken Access Control for Completions API

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a user just needs to use the API endpoint: /api/chat/completions with their own API …

| Authentication
May 15, 2026
0.0 NA
CVE-2026-45399 — Open WebUI: Low-privilege authenticated users can enumerate and stop global background ta…

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user with low privileges can enumerate active background tasks acr…

| Authorization
May 15, 2026
8.7 HIGH
CVE-2026-8686 — DoS from MQTT v5.0 Deserialization Fault in core MQTT

Missing bounds validation in the MQTT v5.0 property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service by sending a crafted packet. To remediate this issue, users s…

Remote | Denial of Service
May 15, 2026
4.3 MEDIUM
CVE-2026-4054 — SVG content served through Mattermost image proxy despite Content-Type restrictions cause…

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG fi…

Remote | Denial of Service
May 15, 2026
3.1 LOW
CVE-2026-4053 — post edit time limit is not enforced on some post update operations

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields which allows an authenticated user to modify post file attachments, props, a…

Remote | Authorization
May 15, 2026
7.6 HIGH
CVE-2026-46408 — Vvveb: checkout IDOR allows unauthorized reuse of another user's cart

Vvveb is a powerful and easy-to-use CMS with a page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter …

Remote | Authorization
May 15, 2026
8.1 HIGH
CVE-2026-46407 — Vvveb: admin/auth-token IDOR allows unauthorized disclosure of administrator REST API tok…

Vvveb is a powerful and easy-to-use CMS with a page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator t…

Remote | Information Disclosure
May 15, 2026
7.6 HIGH
CVE-2026-46367 — phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rendering

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craf…

Remote | Cross-Site Scripting
May 15, 2026
7.5 HIGH
CVE-2026-46366 — phpMyFAQ - Unauthenticated Information Disclosure via getIdFromSolutionId Permission Bypa…

phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted …

Remote | Information Disclosure
May 15, 2026
5.4 MEDIUM
CVE-2026-46365 — phpMyFAQ - Missing Authorization in Tag Deletion Endpoint

phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint that allows any authenticated user to delete tags. Any logged-in user, incl…

Remote | Authorization
May 15, 2026
9.8 CRITICAL
CVE-2026-46364 — phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent h…

Remote | Injection
May 15, 2026
5.4 MEDIUM
CVE-2026-46363 — phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Decode Bypass

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authent…

Remote | Cross-Site Scripting
May 15, 2026
6.5 MEDIUM
CVE-2026-46362 — phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check

phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Att…

Remote | Authorization
May 15, 2026
6.9 MEDIUM
CVE-2026-46361 — phpMyFAQ - Stored Cross-Site Scripting via raw Filter in search.twig

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protect…

Remote | Cross-Site Scripting
May 15, 2026
5.4 MEDIUM
CVE-2026-46360 — phpMyFAQ - Stored XSS via Entity Decoding Depth Limit Bypass in SVG Sanitizer

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass san…

Remote | Cross-Site Scripting
May 15, 2026
7.5 HIGH
CVE-2026-46359 — phpMyFAQ - SQL Injection in CurrentUser::setTokenData via Unescaped OAuth Token Fields

phpMyFAQ before 4.1.2 contains an SQL injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attac…

Remote | Injection
May 15, 2026
Showing 20 of 6341 Results