Export limit exceeded: 351647 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 351647 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (351647 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-36438 | 1 Intelbras | 1 Vip-1230-d-g4 | 2026-05-19 | 5.3 Medium |
| An issue in Intelbras VIP-1230-D-G4 Version V2.800.00IB00C.0.T allows a remote attacker to obtain sensitive information via password reset functionality under /OutsideCmd | ||||
| CVE-2026-8955 | 1 Mozilla | 1 Firefox | 2026-05-19 | 6.5 Medium |
| Privilege escalation in the DOM: Workers component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11. | ||||
| CVE-2026-24711 | 1 Northern.tech | 1 Cfengine | 2026-05-19 | 5.3 Medium |
| Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 has Incorrect Access Control. | ||||
| CVE-2026-24712 | 1 Northern.tech | 1 Cfengine | 2026-05-19 | 7.3 High |
| Northern.tech CFEngine Enterprise and Community before 3.21.8, 3.24.3, and 3.27.0 allows Command injection. | ||||
| CVE-2026-5804 | 1 Motorola | 1 Phones | 2026-05-19 | 8.4 High |
| An improper authentication vulnerability was discovered in the Motorola Factory Test component (com.motorola.motocit). The application contained a reference to a writable file descriptor in external storage which could be used by third party apps running on the device to open a TCP server, exposing sensitive permissions and data. This could allow a local attacker to bypass permission checks and access protected device settings. | ||||
| CVE-2026-45672 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 8.8 High |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.12, the /api/v1/utils/code/execute endpoint executes arbitrary Python code via Jupyter for any verified user, even when the admin has set ENABLE_CODE_EXECUTION=false. The feature gate is not enforced on the API endpoint — the configuration says "disabled" but code still executes. This vulnerability is fixed in 0.8.12. | ||||
| CVE-2026-44549 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 7.3 High |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheet_to_html to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html causing the payload to trigger. This vulnerability is fixed in 0.8.0. | ||||
| CVE-2026-44565 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 8.1 High |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.10, when uploading an audio file, the name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with names containing dot-segments in the file path and traverse out of the intended uploads directory. Effectively, users can upload files anywhere on the filesystem the user running the web server has permission. This vulnerability is fixed in 0.6.10. | ||||
| CVE-2026-44569 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 7.1 High |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, there's an IDOR in the channels message management system that allows authenticated users to modify or delete any message within channels they have read access to. The vulnerability exists in the message update and delete endpoints, which implement channel-level authorization but completely lack message ownership validation. While the frontend correctly implements ownership checks (showing edit/delete buttons only for message owners or admins), the backend APIs bypass these protections by only validating channel access permissions without verifying that the requesting user owns the target message. This creates a client-side security control bypass where attackers can directly call the APIs to modify other users' messages. This vulnerability is fixed in 0.6.19. | ||||
| CVE-2026-44567 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2026-05-19 | 7.3 High |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is set to pending. In this configuration, an administrator is required to go into the Admin management panel following a new user registration and reconfigure the user to have a role of either user or admin before that user is able to access the web application. This vulnerability is fixed in 0.1.124. | ||||
| CVE-2026-29207 | 1 Apache | 1 Ofbiz | 2026-05-19 | 6.5 Medium |
| Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with dataTemplateTypeId = "FTL" are no longer supported. Additionally, in the updated version, the "Ecommerce Customer" security group no longer includes content management grants. Users are advised to remove these permissions from any production site as well. | ||||
| CVE-2026-29220 | 1 Apache | 1 Ofbiz | 2026-05-19 | 6.5 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | ||||
| CVE-2026-31380 | 1 Apache | 1 Ofbiz | 2026-05-19 | 6.5 Medium |
| Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | ||||
| CVE-2026-31387 | 1 Apache | 1 Ofbiz | 2026-05-19 | 5.3 Medium |
| Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | ||||
| CVE-2026-31388 | 1 Apache | 1 Ofbiz | 2026-05-19 | 5.3 Medium |
| Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | ||||
| CVE-2026-31906 | 1 Apache | 1 Ofbiz | 2026-05-19 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | ||||
| CVE-2026-31909 | 1 Apache | 1 Ofbiz | 2026-05-19 | 7.5 High |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | ||||
| CVE-2026-31910 | 1 Apache | 1 Ofbiz | 2026-05-19 | 7.5 High |
| Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | ||||
| CVE-2026-31986 | 1 Apache | 1 Ofbiz | 2026-05-19 | 9.1 Critical |
| Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | ||||
| CVE-2026-35086 | 1 Apache | 1 Ofbiz | 2026-05-19 | 6.5 Medium |
| Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | ||||