Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
7.1 HIGH
CVE-2026-44556 — Open WebUI: responses passthrough endpoint lacks access control authorization

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /responses endpoint in the OpenAI router accepts any authenticated user and forw…

open_webui | Remote | Authorization
May 15, 2026 May 19, 2026
7.6 HIGH
CVE-2026-44555 — Open WebUI: Base Model Routing Bypasses Access Control via Model Chaining

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI supports model composition via base_model_id: a user-defined model (e.g.,…

open_webui | Remote | Authorization
May 15, 2026 May 19, 2026
8.1 HIGH
CVE-2026-44554 — Open WebUI: Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Over…

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collection_n…

open_webui | Remote | Authorization
May 15, 2026 May 19, 2026
8.1 HIGH
CVE-2026-44553 — Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User N…

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to discon…

open_webui | Remote | Authentication
May 15, 2026 May 19, 2026
8.7 HIGH
CVE-2026-44552 — Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix En…

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the tool_servers and terminal_servers keys in utils/tools.py do use a prefix. When t…

open_webui | Remote | Misconfiguration
May 15, 2026 May 18, 2026
9.1 CRITICAL
CVE-2026-44551 — Open WebUI: LDAP Empty Password Authentication Bypass

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP authentication endpoint does not validate that the submitted password is no…

open_webui | Remote | Authentication
May 15, 2026 May 18, 2026
5.0 MEDIUM
CVE-2026-44550 — Open WebUI: Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other U…

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, FolderForm uses model_config = ConfigDict(extra='allow'), which permits arbitrary fi…

open_webui | Remote | Misconfiguration
May 15, 2026 May 19, 2026
6.3 MEDIUM
CVE-2025-67031 — ORSEE Remote Code Execution Vulnerability

ORSEE (Online Recruitment System for Economic Experiments) 3.1.0 contains an authenticated Remote Code Execution vulnerability in the participant profile field processing subsystem. Certain field con…

Remote | Injection
May 15, 2026 May 18, 2026
9.1 CRITICAL
CVE-2026-8686 — DoS from MQTT v5.0 Deserialization Fault in core MQTT

Missing bounds validation in the MQTT v5.0 property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service by sending a crafted packet. To remediate this issue, users s…

coremqtt | Remote | Denial of Service
May 15, 2026 May 19, 2026
6.5 MEDIUM
CVE-2026-4054 — SVG content served through Mattermost image proxy despite Content-Type restrictions cause…

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG fi…

mattermost_server | Remote | Denial of Service
May 15, 2026 May 18, 2026
4.3 MEDIUM
CVE-2026-4053 — post edit time limit is not enforced on some post update operations

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields which allows an authenticated user to modify post file attachments, props, a…

mattermost_server | Remote | Authorization
May 15, 2026 May 18, 2026
7.6 HIGH
CVE-2026-46408 — Vvveb: checkout IDOR allows unauthorized reuse of another user's cart

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter …

vvveb | Remote | Authorization
May 15, 2026 May 18, 2026
8.1 HIGH
CVE-2026-46407 — Vvveb: admin/auth-token IDOR allows unauthorized disclosure of administrator REST API tok…

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator t…

vvveb | Remote | Information Disclosure
May 15, 2026 May 18, 2026
8.3 HIGH
CVE-2026-46367 — phpMyFAQ - Stored XSS via Utils::parseUrl() in Comment Rendering

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craf…

phpmyfaq | Remote | Cross-Site Scripting
May 15, 2026 May 28, 2026
8.7 HIGH
CVE-2026-46366 — phpMyFAQ - Unauthenticated Information Disclosure via getIdFromSolutionId Permission Bypa…

phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted …

phpmyfaq | Remote | Information Disclosure
May 15, 2026 May 28, 2026
5.4 MEDIUM
CVE-2026-46365 — phpMyFAQ - Missing Authorization in Tag Deletion Endpoint

phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint that allows any authenticated user to delete tags. Any logged-in user, incl…

phpmyfaq | Remote | Authorization
May 15, 2026 May 28, 2026
9.8 CRITICAL
CVE-2026-46364 — phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent h…

phpmyfaq | Remote | Injection
May 15, 2026 May 28, 2026
5.4 MEDIUM
CVE-2026-46363 — phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Decode Bypass

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authent…

phpmyfaq | Remote | Cross-Site Scripting
May 15, 2026 May 28, 2026
7.1 HIGH
CVE-2026-46362 — phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check

phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Att…

phpmyfaq | Remote | Authorization
May 15, 2026 May 28, 2026
8.2 HIGH
CVE-2026-46361 — phpMyFAQ - Stored Cross-Site Scripting via raw Filter in search.twig

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protect…

phpmyfaq | Remote | Cross-Site Scripting
May 15, 2026 May 28, 2026
Showing 20 of 7126 Results