Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
5.4 MEDIUM
CVE-2026-44558 — Open WebUI: Channel Access Grants Bypass filter_allowed_access_grants

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filter_allowed_access_grants on either create or up…

open_webui | Remote | Authorization
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
4.3 MEDIUM
CVE-2026-44557 — Open WebUI: Global Knowledge Base Enumeration via knowledge-bases Meta-Collection

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the _validate_collection_access function uses an incomplete allowlist that only enfo…

open_webui | Remote | Authorization
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
7.1 HIGH
CVE-2026-44556 — Open WebUI: responses passthrough endpoint lacks access control authorization

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /responses endpoint in the OpenAI router accepts any authenticated user and forw…

open_webui | Remote | Authorization
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
7.6 HIGH
CVE-2026-44555 — Open WebUI: Base Model Routing Bypasses Access Control via Model Chaining

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI supports model composition via base_model_id: a user-defined model (e.g.,…

open_webui | Remote | Authorization
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
8.1 HIGH
CVE-2026-44554 — Open WebUI: Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Over…

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collection_n…

open_webui | Remote | Authorization
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
8.1 HIGH
CVE-2026-44553 — Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User N…

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to discon…

open_webui | Remote | Authentication
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
8.7 HIGH
CVE-2026-44552 — Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix En…

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the tool_servers and terminal_servers keys in utils/tools.py do use a prefix. When t…

open_webui | Remote | Misconfiguration
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
9.1 CRITICAL
CVE-2026-44551 — Open WebUI: LDAP Empty Password Authentication Bypass

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP authentication endpoint does not validate that the submitted password is no…

open_webui | Remote | Authentication
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
5.0 MEDIUM
CVE-2026-44550 — Open WebUI: Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other U…

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, FolderForm uses model_config = ConfigDict(extra='allow'), which permits arbitrary fi…

open_webui | Remote | Misconfiguration
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
0.0 NA
CVE-2025-67031 — ORSEE Remote Code Execution Vulnerability

ORSEE (Online Recruitment System for Economic Experiments) 3.1.0 contains an authenticated Remote Code Execution vulnerability in the participant profile field processing subsystem. Certain field con…

| Injection
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
8.7 HIGH
CVE-2026-8686 — DoS from MQTT v5.0 Deserialization Fault in core MQTT

Missing bounds validation in the MQTT v5.0 property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service by sending a crafted packet. To remediate this issue, users s…

Remote | Denial of Service
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
4.3 MEDIUM
CVE-2026-4054 — SVG content served through Mattermost image proxy despite Content-Type restrictions cause…

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG fi…

Remote | Denial of Service
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
3.1 LOW
CVE-2026-4053 — post edit time limit is not enforced on some post update operations

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields which allows an authenticated user to modify post file attachments, props, a…

Remote | Authorization
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
7.6 HIGH
CVE-2026-46408 — Vvveb: checkout IDOR allows unauthorized reuse of another user's cart

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter …

Remote | Authorization
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
8.1 HIGH
CVE-2026-46407 — Vvveb: admin/auth-token IDOR allows unauthorized disclosure of administrator REST API tok…

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator t…

Remote | Information Disclosure
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
7.6 HIGH
CVE-2026-46367 — phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rendering

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craf…

Remote | Cross-Site Scripting
May 15, 2026 May 16, 2026
May 15, 2026
May 16, 2026
7.5 HIGH
CVE-2026-46366 — phpMyFAQ - Unauthenticated Information Disclosure via getIdFromSolutionId Permission Bypa…

phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted …

Remote | Information Disclosure
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
5.4 MEDIUM
CVE-2026-46365 — phpMyFAQ - Missing Authorization in Tag Deletion Endpoint

phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint that allows any authenticated user to delete tags. Any logged-in user, incl…

Remote | Authorization
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
9.8 CRITICAL
CVE-2026-46364 — phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent h…

Remote | Injection
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
5.4 MEDIUM
CVE-2026-46363 — phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Decode Bypass

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authent…

Remote | Cross-Site Scripting
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
Showing 20 of 6269 Results