Skip to main content
CVE-2026-45401 HIGH PATCH GHSA This Week

Open WebUI versions ≤0.9.4 allow authenticated users to bypass SSRF protections and read internal network resources via HTTP redirect-following. The vulnerability exists in five distinct code paths: web-fetch retrieval, image-loading endpoints, chat-completion image inlining, and OAuth/tool-server execution flows. Any authenticated user can submit a public URL that 302-redirects to internal addresses (127.0.0.1, 169.254.169.254 cloud metadata, RFC1918 private networks) and receive the response body. The vendor confirms active exploitation in the wild was NOT observed, but publicly available exploit code exists (PoC in advisory) and EPSS score of 0.00043 (4.3%) suggests low automated scanning targeting at time of analysis. Fixed in version 0.9.5 released March 2025.

Kubernetes SSRF
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-45400 HIGH PATCH GHSA This Week

URL parser mismatch in Open WebUI allows authenticated users to bypass SSRF protections and access internal network resources. The validate_url function uses Python's urlparse library to extract hostnames for validation, while the requests library handles actual HTTP requests. These libraries disagree on parsing URLs containing backslash characters (e.g., http://127.0.0.1:6666\@1.1.1.1), allowing attackers to craft URLs that pass validation as external addresses but resolve to internal hosts. Exploitation requires low-privilege authentication but no user interaction, enabling access to cloud metadata endpoints and internal services. Fixed in version 0.9.5 per GitHub advisory GHSA-8w7q-q5jp-jvgx.

Google SSRF Microsoft Python
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-45331 HIGH PATCH GHSA This Week

Server-Side Request Forgery in Open WebUI's `validate_url()` function allows authenticated attackers to reach internal IPv4/IPv6 addresses, bypassing security controls via three distinct flaws: the validators library silently fails on IPv6 private-address checks (raising ValidationError which evaluates as falsy), IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) evade IPv4 filtering entirely, and multiple IANA-reserved IPv4 ranges (0.0.0.0/8, 100.64.0.0/10, 192.0.0.0/24, 198.18.0.0/15, 203.0.113.0/24) remain unblocked. The vulnerability persists in the RAG web search, image editing, and other endpoints despite an earlier incomplete remediation attempt (CVE-2025-65958), enabling exfiltration of AWS IMDSv1 credentials and access to localhost-bound services. Publicly available exploit code exists (demonstrated POC in advisory), affecting Open WebUI ≤0.8.12 with fix released in version 0.9.0.

Python SSRF
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-44850 HIGH PATCH GHSA This Week

Authenticated regular users with container-creation rights in Portainer can mount arbitrary host filesystem paths into their containers by bypassing the 'Disable bind mounts for non-administrators' security control via HostConfig.Mounts instead of HostConfig.Binds, enabling root-level access to sensitive host files, Docker socket takeover, and container escape on shared Docker environments. The vulnerability is confirmed actively exploited based on seven independent security researcher reports, with vendor-released patches available across all supported branches (2.33.8, 2.39.2, 2.41.0). CVSS 8.5 reflects network exploitation with low complexity and changed scope impact, though real-world risk depends heavily on whether multi-tenant environments rely on this control as their primary container isolation mechanism.

Authentication Bypass Docker
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-43906 HIGH PATCH This Week

Heap-based buffer overflow in OpenImageIO's HEIF decoder enables arbitrary code execution via crafted image files. Affects OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0. Exploitation requires local access and user interaction (opening a malicious image file), but no authentication. Attack complexity is low once the malicious file is delivered. Vendor-released patches available in versions 3.0.18.0 and 3.1.13.0. No confirmed active exploitation (not listed in CISA KEV) and no public POC identified at time of analysis, though the technical details suggest straightforward exploitation once the attacker can deliver a crafted HEIF image to a target user.

Heap Overflow RCE Buffer Overflow Suse
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-43903 HIGH PATCH This Week

Heap buffer overflow in OpenImageIO's SGI image decoder allows arbitrary code execution via specially crafted .sgi files. Affects versions before 3.0.18.0 and 3.1.13.0 when processing malicious SGI images with invalid RLE compression parameters. Publicly available exploit code exists (SSVC POC status confirmed). Attack requires local file access and user interaction to open the malicious file, but CVSS 8.4 reflects high impact potential (code execution) in VFX/animation production environments where SGI format handling is common. EPSS data unavailable, not listed in CISA KEV.

Memory Corruption Buffer Overflow Suse
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-43904 HIGH PATCH This Week

Heap buffer overflow in OpenImageIO versions before 3.0.18.0 and 3.1.13.0 allows local attackers to corrupt up to 65,535 bytes of memory via malicious Softimage .pic files. The vulnerability arises when processing RLE-compressed images where run-length validation is missing in two code paths (softimageinput.cpp lines 469 and 345), though the raw packet path correctly implements bounds checking. EPSS data not available. Not listed in CISA KEV. Patches released by Academy Software Foundation in versions 3.0.18.0 and 3.1.13.0.

Memory Corruption Buffer Overflow Suse
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-42881 HIGH PATCH This Week

Path traversal in STIGQter 0.1.2 through 1.2.6 allows local code execution when users open malicious .stigqter files and explicitly run the 'Export HTML' action. The CWE-22 path traversal flaw enables attackers to write arbitrary files with the victim's privileges, achieving code execution. User interaction is mandatory - victims must both open a crafted file and trigger the specific export function. No public exploit code or active exploitation has been identified at time of analysis, though the attack path is straightforward for targeted social engineering. Fixed in version 1.2.7 per vendor advisory.

RCE Path Traversal
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-8571 HIGH PATCH This Week

Insufficient policy enforcement in GPU in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8575 HIGH PATCH This Week

Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8574 HIGH PATCH This Week

Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Denial Of Service Microsoft Use After Free Memory Corruption Google +3
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8573 HIGH PATCH This Week

Integer overflow in Codecs in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)

Microsoft Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8569 HIGH PATCH This Week

Out of bounds write in Codecs in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)

Google Memory Corruption Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8548 HIGH PATCH This Week

Out of bounds write in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Memory Corruption Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8542 HIGH PATCH This Week

Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Denial Of Service Microsoft Use After Free Memory Corruption Google +3
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8534 HIGH PATCH This Week

Integer overflow in GPU in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Buffer Overflow Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8533 HIGH PATCH This Week

Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8530 HIGH PATCH This Week

Use after free in Network in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Denial Of Service Microsoft Use After Free Memory Corruption Google +3
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8523 HIGH PATCH This Week

Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8515 HIGH PATCH This Week

Use after free in HID in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8514 HIGH PATCH This Week

Use after free in Aura in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8513 HIGH PATCH This Week

Use after free in Input in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8512 HIGH PATCH This Week

Use after free in FileSystem in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Google Denial Of Service Use After Free Memory Corruption Red Hat +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8525 HIGH PATCH This Week

Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Heap Overflow Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8520 HIGH PATCH This Week

Race in Payments in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Race Condition Google Information Disclosure Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-45732 HIGH PATCH GHSA This Week

Cross-user authorization bypass in n8n's OAuth1/OAuth2 credential reconnect endpoints allows authenticated users with read-only access to shared credentials to overwrite stored OAuth tokens with attacker-controlled ones. Affects n8n versions prior to 1.123.43, 2.20.7, and 2.21.1 where credentials are shared between users or projects. No public exploit identified at time of analysis, and EPSS score is low (0.04%), but the flaw enables persistent hijacking of shared integrations and downstream workflow execution under the attacker's identity.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-43907 HIGH PATCH This Week

Heap buffer overflow in OpenImageIO 3.0.x (before 3.0.18.0) and 3.1.x (before 3.1.13.0) allows remote attackers to achieve denial of service or potentially arbitrary code execution via crafted DPX image files. The vulnerability stems from signed integer overflow in buffer size calculations within the DPX color converter, causing undersized heap allocations. Attack requires victim to open a malicious DPX file (user interaction required per CVSS UI:R). No public exploit code or active exploitation confirmed at time of analysis, though the technical details in the GitHub advisory provide sufficient detail for proof-of-concept development.

Integer Overflow Denial Of Service RCE Buffer Overflow Suse
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-44586 HIGH PATCH This Week

Stored cross-site scripting in SiYuan's Bazaar marketplace (versions 2.1.12 through 3.6.x) enables arbitrary code execution on the host system. The vulnerability stems from unescaped package author metadata rendering, which when exploited through a malicious marketplace package, allows attackers to leverage SiYuan's insecure Electron configuration (nodeIntegration enabled, contextIsolation disabled) to execute Node.js APIs and OS-level commands. No public exploit or active exploitation confirmed at time of analysis. CVSS 8.3 with high attack complexity and required user interaction suggests real-world exploitation depends on convincing users to view crafted marketplace entries.

XSS Microsoft Node.js
NVD GitHub
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8468 HIGH PATCH GHSA This Week

Memory exhaustion in Elixir Plug 1.4.0 through 1.19.1 allows remote unauthenticated attackers to crash BEAM VM processes via unbounded buffer accumulation during multipart/form-data header parsing. The vulnerability mirrors CVE-2026-8466 in Cowboy: read_part_headers/2 recursively accumulates incoming bytes without size limits when parsing malformed multipart requests that never deliver complete header sections. Vendor-released patches available for all affected branches. No public exploit identified at time of analysis, but exploitation requires only basic HTTP client tools.

Denial Of Service Plug
NVD GitHub
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-41249 HIGH GHSA This Week

Remote code execution in CoreShop's GitHub Actions CI/CD pipeline allows unauthenticated attackers to compromise the build infrastructure and exfiltrate repository secrets by submitting a malicious pull request. The vulnerability stems from the dangerous combination of pull_request_target trigger with unverified code checkout, enabling attackers to execute arbitrary commands (bin/console) on GitHub-hosted runners with access to sensitive credentials including PIMCORE_SECRET and PIMCORE_PRODUCT_KEY. This 'Pwn Request' attack pattern (CWE-94: Code Injection) affects version 5.0.0 with no vendor patch currently released. The attack requires zero authentication (PR:N) and low complexity (AC:L), representing a critical supply chain security risk for organizations using CoreShop.

PHP Code Injection RCE
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-24899 HIGH PATCH GHSA This Week

JWT authentication bypass in Fleet's Windows MDM enrollment allows attackers with access to any Azure AD tenant to enroll unauthorized devices and access management APIs. Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but fails to verify 'aud' (audience) or 'iss' (issuer) claims, accepting any Microsoft-signed token with the expected scopes. This enables unauthorized device enrollment and potential exposure of enrollment secrets embedded in MDM payloads. Vendor-released patch available in Fleet v4.82.0 (March 2026). No evidence of active exploitation (not in CISA KEV) at time of analysis, though the vulnerability was responsibly disclosed by security researcher @zaddy6.

Authentication Bypass Microsoft
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-46509 HIGH PATCH GHSA This Week

Prototype pollution in @ranfdev/deepobj npm package (versions ≤1.0.2) allows remote unauthenticated attackers to modify JavaScript object prototypes when property paths containing '__proto__', 'constructor', or 'prototype' are processed. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation against network-accessible applications, though real-world impact depends critically on whether user-controlled input is passed to property path parameters. EPSS data unavailable; not listed in CISA KEV. Publicly available exploit code exists (GitHub advisory GHSA-x7q7-fchv-8h2j). Vendor-released patch available in version 1.0.3.

Information Disclosure Prototype Pollution
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-5395 HIGH This Week

Insecure Direct Object Reference in the WordPress Fluent Forms plugin (versions through 6.2.0) allows authenticated users with Fluent Forms manager-level privileges to bypass form-level access controls via the exportEntries function. Attackers can exfiltrate submissions from forms they should not access, export data from arbitrary database tables, and enumerate table names through error message disclosure. No public exploit identified at time of analysis, and EPSS probability is very low (0.03%) despite the high CVSS score.

Authentication Bypass WordPress Fluent Forms Customizable Contact Forms Survey Quiz Conversational Form Builder
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-5396 HIGH This Week

Authorization bypass in the Fluent Forms WordPress plugin (versions ≤6.1.21) allows authenticated Fluent Forms Managers to read, modify, annotate, and delete submissions belonging to forms outside their assigned scope by tampering with a user-controlled form_id query parameter. The flaw stems from the SubmissionPolicy class trusting client-supplied input for authorization decisions, granting cross-form access despite role restrictions. No public exploit identified at time of analysis, and EPSS exploitation probability remains low at 0.03%.

Authentication Bypass WordPress
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-23998 HIGH PATCH GHSA This Week

Client certificate validation bypass in Fleet's Windows MDM management endpoint allows remote attackers to impersonate enrolled devices and exfiltrate sensitive configuration data. With high attack complexity (CVSS:4.0 AV:N/AC:H), attackers possessing a valid device identifier can retrieve MDM payloads containing Wi-Fi credentials, VPN configurations, certificates, and other secrets. Vendor-released patch (Fleet v4.81.0) available. No public exploit or CISA KEV listing identified at time of analysis, though CVSS 8.2 severity reflects potential for credential theft and lateral movement.

Microsoft Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-45013 HIGH GHSA This Week

Account takeover in ApostropheCMS password reset flow allows remote attackers to steal password reset tokens via Host header injection. When apos.baseUrl is not configured (common in development and some production deployments), the password reset mechanism trusts the attacker-controlled HTTP Host header to construct reset URLs, causing victims to receive legitimate reset emails with links pointing to attacker domains. Clicking the link delivers valid reset tokens to the attacker, enabling full account compromise. CVSS 8.1 (High) with network attack vector, low complexity, and no privileges required. No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit given the detailed technical disclosure in the GitHub security advisory.

Code Injection
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-45675 HIGH PATCH GHSA This Week

Multiple concurrent LDAP or OAuth first-login requests on a freshly deployed Open WebUI instance can all receive administrator privileges through a TOCTOU race condition in role assignment logic. The vulnerability affects deployments using LDAP or OAuth authentication on instances with no existing users. While the regular signup handler was explicitly patched for this race condition in earlier code ('Insert with default role first to avoid TOCTOU race'), the LDAP and OAuth authentication paths were never updated with the same fix. Vendor-released patch available in version 0.9.0 (April 2026). No active exploitation confirmed (not in CISA KEV), though publicly available exploit code exists per GitHub advisory GHSA-h3ww-q6xx-w7x3. CVSS 8.1 (High) reflects network attack vector but requires high attack complexity (precise timing of concurrent requests during narrow first-deployment window).

Privilege Escalation Python
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-44973 HIGH PATCH GHSA This Week

Path traversal vulnerabilities in go-billy (Go filesystem abstraction library) allow authenticated attackers with network access to escape intended directory boundaries and access arbitrary filesystem locations. The vulnerability affects all versions prior to v5.9.0 and v6.0.0-alpha.1, with the osfs.ChrootOS implementation particularly impacted due to insufficient path sanitization of dot-dot-slash sequences. Applications using go-billy for filesystem isolation are at risk of unauthorized file access. Vendor has released patches in v5.9.0 and v6.0.0-alpha.1, with ChrootOS deprecated in v5 and removed in v6 in favor of the new BoundOS implementation backed by Go's traversal-resistant os.Root primitive. No public exploit identified at time of analysis, but CVSS 8.1 reflects high confidentiality and integrity impact.

Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-3892 HIGH This Week

Arbitrary file deletion in the Motors - Car Dealership & Classified Listings Plugin for WordPress (versions up to and including 1.4.107) allows authenticated users with subscriber-level access or higher to delete arbitrary files on the server by supplying a malicious filesystem path through the become-dealer logo upload flow. The flaw was reported by Wordfence and carries a CVSS of 8.1, but EPSS remains very low (0.05%) and CISA SSVC reports no observed exploitation, indicating risk is theoretical rather than active. No public exploit identified at time of analysis.

Information Disclosure WordPress Motors Car Dealership Classified Listings Plugin
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-44882 HIGH PATCH GHSA This Week

Authorization bypass in Portainer 2.33.0 through 2.33.7 allows authenticated users to access Kubernetes cluster resources beyond their assigned permissions due to missing return statement in middleware error handling. Any user with a valid Portainer session can exploit this to read or modify Kubernetes secrets, pods, deployments, and other resources on endpoints they should not access. The flaw affects both Community Edition and Enterprise Edition. Fixed in version 2.33.8 and inherently absent from 2.39.0+. No public exploit code identified at time of analysis, though the single-line code fix and detailed GitHub advisory make reproduction straightforward for authenticated attackers.

Authentication Bypass Kubernetes
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-45665 HIGH PATCH GHSA This Week

Stored XSS in Open WebUI Banner component enables privilege escalation from compromised admin to Super Admin. A malicious administrator can inject markdown-based JavaScript payloads (e.g., `[text](javascript:...)`) that bypass DOMPurify sanitization due to incorrect sanitizer-parser execution order in Banner.svelte:103. When the Super Admin views the global banner and clicks the crafted link, their session token is exfiltrated to the attacker. Vendor-released patch available in v0.8.0 (2026-02-12) reversing sanitization order to `DOMPurify.sanitize(marked.parse(...))`. CVSS 8.1 (High) with Network vector, Low complexity, but requires High privileges (admin) and User interaction (click). No KEV listing or EPSS data available; publicly disclosed POC with detailed reproduction steps.

XSS Privilege Escalation
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-45402 HIGH PATCH GHSA This Week

Authenticated attackers can exfiltrate and overwrite any user's private files in Open WebUI ≤0.9.4 by injecting victim file UUIDs into attacker-controlled folders or knowledge bases. Two distinct attack paths bypass authorization checks: folder-knowledge ingestion (Path 1) leaks file content via RAG responses, while knowledge-base attachment (Path 2) grants persistent read/write access through standard file endpoints. File UUIDs leak through normal usage (chat citations, shared chats, URLs, browser history). Vendor-released patch version 0.9.5 available. No public exploit identified at time of analysis, but proof-of-concept code published in GitHub advisory GHSA-r472-mw7m-967f demonstrates both attack vectors with working curl commands.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-45301 HIGH PATCH GHSA This Week

Horizontal privilege escalation in Open WebUI versions through 0.3.15 allows any authenticated user to enumerate, read, and delete all files uploaded by all other users via missing authorization checks in the files API endpoints. The vulnerability requires only low-privilege authenticated access to the web interface and has publicly available exploit code with a detailed proof-of-concept demonstrating how attackers can list all uploaded files regardless of owner, retrieve file contents, and delete arbitrary user files. Organizations running multi-user Open WebUI deployments face immediate risk of data breach and integrity loss, as file upload features in conversational AI platforms commonly handle sensitive documents and internal communications.

Authentication Bypass Docker Information Disclosure Ubuntu
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-44633 HIGH PATCH This Week

Privilege escalation and cross-site scripting in Live Helper Chat 4.84v allows authenticated REST API users to manipulate chats outside their authorized departments and inject malicious JavaScript into operator sessions. Attackers with low-privilege lhchat/use access can modify arbitrary chat object fields including chat hash, status, and operation_admin properties, enabling unauthorized data access through visitor/widget paths and code execution in operator contexts. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis.

Authentication Bypass Livehelperchat
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-43978 HIGH GHSA This Week

Privilege escalation in wger fitness manager allows gym trainers to impersonate gym managers via session-chain attack. An authenticated trainer exploits flawed session-flag logic in the trainer-login endpoint to bypass permission checks - first switching into a low-privilege user, then leveraging the inherited 'trainer.identity' session flag to hop into manager accounts. Publicly available proof-of-concept demonstrates complete takeover of gym administration with CVSS 8.1 (network-accessible, low complexity). No vendor patch confirmed at time of analysis; vulnerability actively disclosed by wger-project GitHub advisory GHSA-9qpr-vc49-hqg2. EPSS score not available, not in CISA KEV. Root cause is CWE-269 (improper privilege management) in core/views/user.py lines 169-178.

Privilege Escalation Python
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-4030 HIGH This Week

Arbitrary file read and deletion in Database Backup for WordPress (versions ≤2.5.2) allows unauthenticated attackers on WordPress Multisite installations to access sensitive files and potentially achieve site takeover. The vulnerability stems from improper authorization enforcement combined with user-controlled backup directory parameters, exploitable only in Multisite environments using the deprecated is_site_admin() function. CVSS 8.1 with high attack complexity (AC:H) reflects the Multisite-only prerequisite. No CISA KEV listing indicates limited observed exploitation despite the critical authorization bypass nature.

Authentication Bypass Information Disclosure WordPress
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-45671 HIGH PATCH GHSA This Week

Broken object-level authorization in Open WebUI versions ≤0.8.12 allows any authenticated user to permanently delete files owned by other users when those files are referenced in any shared chat. The has_access_to_file() authorization function unconditionally grants access through its shared-chat branch, failing to validate both the requesting user's identity and the operation type (read vs. write). File UUIDs, which would otherwise prevent enumeration attacks, are exposed via the knowledge base API endpoint GET /api/v1/knowledge/{id}/files to any user with read access. This affects all default Docker deployments where chat sharing is enabled. Vendor-released patch available in v0.9.0 (commit 2e52ad8ff). No active exploitation confirmed (not in CISA KEV). CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H scores 8.0, though real-world impact extends beyond confidentiality to permanent data destruction with no recovery mechanism.

Authentication Bypass Python Docker
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-46480 HIGH PATCH GHSA This Week

Cross-workspace evaluator takeover in FlowiseAI Flowise (npm package flowise) versions <= 3.1.1 allows an authenticated workspace member to overwrite an Evaluator entity's workspaceId via mass assignment, breaking tenant isolation. The Evaluator controller in packages/server/src/Interface.Evaluation.ts uses Object.assign(entity, body) without an allowlist, so a PUT request containing a chosen workspaceId reassigns ownership of the row to any other workspace whose UUID the attacker knows. No public exploit identified at time of analysis, but the issue is documented in detail in GHSA-wxrr-jp8m-qq7f and a vendor patch is available in release 3.1.2.

RCE
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-46479 HIGH PATCH GHSA This Week

Cross-workspace data takeover in FlowiseAI Flowise versions 3.1.1 and earlier allows any authenticated workspace member to reassign Evaluation entities to arbitrary workspaces by exploiting a mass assignment flaw in the evaluations service. The vulnerability stems from unsanitized use of Object.assign() on user-controlled request bodies, enabling clients to overwrite protected fields including workspaceId and id. No public exploit identified at time of analysis, though the GHSA advisory and patch diff provide sufficient detail to reconstruct one trivially.

RCE
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-46478 HIGH PATCH GHSA This Week

Cross-workspace data takeover in FlowiseAI Flowise versions 3.1.1 and earlier allows any authenticated workspace member to reassign DatasetRow records to arbitrary workspaces by injecting a workspaceId field into create or update request bodies. The DatasetRow service in packages/server/src/services/dataset/index.ts uses Object.assign without a field allowlist, accepting client-controlled ownership columns directly into the persisted entity. No public exploit identified at time of analysis, but the patched commit (49a2259) and source review make exploitation mechanically straightforward for anyone with edit permission.

RCE
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy