Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.8 HIGH
CVE-2026-33898 — Local Incus UI web server vulnerable to authentication bypass

Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value wil…

incus | Remote | Authentication
Mar 27, 2026 Apr 01, 2026
7.5 HIGH
CVE-2026-33697 — CoCoS attested TLS is vulnerable to relay attacks via extracted ephemeral TLS keys

Cocos AI is a confidential computing system for AI. The current implementation of attested TLS (aTLS) in CoCoS is vulnerable to a relay attack affecting all versions from v0.4.0 through v0.8.2. This …

cocos_ai | Authentication
Mar 27, 2026 Apr 10, 2026
4.3 MEDIUM
CVE-2026-29071 — Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memori…

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via `/api/v1/r…

open_webui | Remote | Authorization
Mar 27, 2026 Apr 01, 2026
8.1 HIGH
CVE-2026-29070 — Open WebUI has unauthorized deletion of knowledge files

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge bas…

open_webui | Remote | Authorization
Mar 27, 2026 Apr 01, 2026
7.1 HIGH
CVE-2026-28788 — Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized …

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the `P…

open_webui | Remote | Authorization
Mar 27, 2026 Apr 01, 2026
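The three Open WebUI authorization entries above (CVE-2026-29071, CVE-2026-29070 and CVE-2026-28788) share one defect class: a handler looks an object up by ID and reads, deletes or overwrites it without checking that the caller owns it. The following is an added example, not Open WebUI's code, showing the vulnerable shape beside handlers that route every access through an ownership check; the in-memory store, the object types and the user names are constructed for illustration.

```python
"""Added example, not Open WebUI code: ownership checks for per-user objects."""
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised both for missing objects and for objects the caller does not own.

    Using one error for both cases keeps the endpoint from acting as an oracle
    that confirms which IDs exist.
    """


@dataclass
class Memory:
    id: str
    user_id: str
    content: str


@dataclass
class KnowledgeFile:
    id: str
    user_id: str
    content: str


@dataclass
class Store:
    memories: dict = field(default_factory=dict)
    files: dict = field(default_factory=dict)


def _owned_by(obj, caller):
    """Return obj only if it exists and belongs to caller."""
    if obj is None or obj.user_id != caller:
        raise NotFound()
    return obj


# Vulnerable shape (IDOR): the object is fetched by ID and the caller's
# identity is never consulted.
def get_memory_vulnerable(store, memory_id, caller):
    return store.memories[memory_id].content


# Fixed: every access goes through the ownership check.
def get_memory(store, memory_id, caller):
    return _owned_by(store.memories.get(memory_id), caller).content


def delete_knowledge_file(store, file_id, caller):
    _owned_by(store.files.get(file_id), caller)
    del store.files[file_id]


def process_files_batch(store, updates, caller):
    """updates is a list of (file_id, new_content).

    Every ID is authorized before any write, so a batch that mixes the
    caller's own files with someone else's is rejected as a whole rather
    than partially applied.
    """
    targets = [_owned_by(store.files.get(fid), caller) for fid, _ in updates]
    for target, (_, content) in zip(targets, updates):
        target.content = content
    return [t.id for t in targets]


def sample_store():
    """Constructed sample data: alice owns m1 and f1, bob owns f2."""
    store = Store()
    store.memories["m1"] = Memory("m1", "alice", "alice's private note")
    store.files["f1"] = KnowledgeFile("f1", "alice", "alice's document")
    store.files["f2"] = KnowledgeFile("f2", "bob", "bob's document")
    return store


def demo():
    """Exercise each handler as bob against alice's objects."""
    results = {}
    store = sample_store()
    results["vulnerable_read"] = get_memory_vulnerable(store, "m1", "bob")
    attempts = {
        "read": lambda: get_memory(store, "m1", "bob"),
        "delete": lambda: delete_knowledge_file(store, "f1", "bob"),
        "batch": lambda: process_files_batch(store, [("f2", "x"), ("f1", "y")], "bob"),
    }
    for name, call in attempts.items():
        try:
            call()
            results[name] = "allowed"
        except NotFound:
            results[name] = "denied"
    results["f1_content"] = store.files["f1"].content
    results["f2_content"] = store.files["f2"].content
    return results


if __name__ == "__main__":
    print(demo())
```

The batch handler authorizes all IDs before the first write; checking inside the write loop instead would let the caller modify their own entries up to the first foreign ID and leave the store in a half-applied state.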
4.3 MEDIUM
CVE-2026-28786 — Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions`

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint a…

open_webui | Remote | Information Disclosure
Mar 27, 2026 Mar 30, 2026
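The transcription entry above describes a client-controlled filename reaching the filesystem unsanitized. As an added example (not Open WebUI's code), the block below shows what a plain `os.path.join` does with a traversal or absolute value, then a sanitizer that reduces the client value to a basename, applies an extension allowlist, and rejects any resolved path that does not land directly under the upload directory. The upload directory layout and the audio extension allowlist are assumptions for the example.

```python
"""Added example, not Open WebUI code: confining a client-supplied filename."""
import os
import re
import tempfile
from pathlib import Path

# Assumed allowlist for a speech-to-text upload endpoint.
ALLOWED_EXT = {".wav", ".mp3", ".m4a", ".ogg", ".webm"}
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def target_path_vulnerable(upload_dir, filename):
    """The unsanitized shape: '../' walks up, and an absolute component
    replaces upload_dir entirely (that is how os.path.join behaves)."""
    return os.path.join(upload_dir, filename)


def sanitize_filename(filename):
    """Reduce the client value to a plain basename with a known extension."""
    # Treat both separator styles as separators before taking the basename.
    name = os.path.basename(filename.replace("\\", "/"))
    # Replace anything outside a conservative character set (NUL bytes,
    # shell metacharacters, Unicode tricks) and drop leading/trailing dots.
    name = _UNSAFE_CHARS.sub("_", name).strip("._ ")
    if not name:
        raise ValueError("empty filename after sanitization")
    if Path(name).suffix.lower() not in ALLOWED_EXT:
        raise ValueError("unsupported extension: " + name)
    return name


def target_path(upload_dir, filename):
    """Resolve the final path and refuse anything outside upload_dir."""
    base = Path(upload_dir).resolve()
    target = (base / sanitize_filename(filename)).resolve()
    # resolve() follows symlinks, so a link placed inside upload_dir that
    # points elsewhere is also caught by the parent check.
    if target.parent != base:
        raise ValueError("path escapes upload directory")
    return str(target)


def demo():
    """Run constructed inputs through both versions inside a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as upload_dir:
        results["vuln_abs"] = target_path_vulnerable(upload_dir, "/etc/passwd")
        results["vuln_rel"] = os.path.normpath(
            target_path_vulnerable(upload_dir, "../../../../etc/passwd"))
        results["ok"] = target_path(upload_dir, "clip.wav")
        for name in ("../../etc/passwd", "/etc/passwd",
                     "..\\..\\windows\\win.ini", "clip.wav\x00.txt", "..."):
            try:
                target_path(upload_dir, name)
                results[name] = "accepted"
            except ValueError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(repr(k), "->", v)
```

The basename step alone is not enough on its own: it says nothing about symlinks already inside the directory, which is why the resolved path is compared against the resolved base as a second, independent check.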
8.8 HIGH
CVE-2026-27893 — vLLM's hardcoded trust_remote_code=True in NemotronVL and KimiK25 bypasses user security …

vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when…

vllm | Remote | Supply Chain
Mar 27, 2026 Mar 30, 2026
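The vLLM entry above is a case of a security setting the user controls being overridden by a literal in a model implementation file. A practical response for anyone operating an inference stack is to audit their own code and vendored dependencies for the same pattern. The block below is an added example, not vLLM's code: an `ast`-based scan that reports every call passing a literal `trust_remote_code=True`, run over a constructed sample that contains one hardcoded call and one call that propagates the user's setting.

```python
"""Added example, not vLLM code: find hardcoded trust_remote_code=True in Python source."""
import ast
import pathlib


class TrustRemoteCodeFinder(ast.NodeVisitor):
    """Collect (line, callee) for every call whose keyword trust_remote_code is the literal True."""

    def __init__(self):
        self.hits = []

    def visit_Call(self, node):
        for kw in node.keywords:
            # kw.arg is None for **kwargs expansion; only literal True counts,
            # a name or attribute value means the setting is being propagated.
            if (kw.arg == "trust_remote_code"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                self.hits.append((node.lineno, ast.unparse(node.func)))
        self.generic_visit(node)


def find_hardcoded_trust(source):
    """Return [(lineno, callee), ...] for hardcoded trust_remote_code=True in source text."""
    finder = TrustRemoteCodeFinder()
    finder.visit(ast.parse(source))
    return finder.hits


def scan_tree(root):
    """Scan every .py file under root; returns {relative_path: hits} for files with hits."""
    root = pathlib.Path(root)
    report = {}
    for path in sorted(root.rglob("*.py")):
        try:
            hits = find_hardcoded_trust(path.read_text(encoding="utf-8"))
        except (SyntaxError, UnicodeDecodeError):
            continue
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


# Constructed sample: one call hardcodes the flag, the other passes the
# user's configuration through. model_config is hypothetical.
SAMPLE = """\
from transformers import AutoConfig, AutoTokenizer

def load(model_config):
    # hardcoded: remote code runs even when the user set the flag to False
    cfg = AutoConfig.from_pretrained(model_config.model, trust_remote_code=True)
    # the user's choice is propagated
    tok = AutoTokenizer.from_pretrained(model_config.model,
                                        trust_remote_code=model_config.trust_remote_code)
    return cfg, tok
"""


if __name__ == "__main__":
    for lineno, callee in find_hardcoded_trust(SAMPLE):
        print("line", lineno, callee)
```

Running `scan_tree` over a site-packages directory is a quick way to check an installed serving stack; a hit is not automatically a vulnerability, but each one is a place where the operator's `trust_remote_code` setting is not what decides whether downloaded code executes.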
Showing 20 of 5787 Results