搜尋

1,769 筆結果

嚴重程度:CRITICAL HIGH MEDIUM LOW|生態系:npm PyPI Maven Debian Alpine|⚠ 只看 KEV

HIGH7.5CVE-2026-45553EPSS 0.03%NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text()2026/5/18
HIGH7.4CVE-2026-45539EPSS 0.07%Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree2026/5/18
HIGH7.5CVE-2026-44716Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator2026/5/15
HIGH8.6CVE-2026-2652EPSS 0.15%MLflow: unauthenticated access to certain FastAPI routes2026/5/15
HIGH7.7CVE-2026-45370EPSS 0.03%python-utcp: Full Process Environment Exposed to CLI Subprocess - Secrets Leakage via Command Injection2026/5/14
HIGH8.1CVE-2026-45675EPSS 0.11%Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts2026/5/14
HIGH8.8CVE-2026-45672EPSS 0.08%Open WebUI: Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed2026/5/14
HIGH8.0CVE-2026-45671EPSS 0.04%Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion2026/5/14
HIGH8.1CVE-2026-45402EPSS 0.01%Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints2026/5/14
HIGH8.5CVE-2026-45401EPSS 0.04%Open WebUI has a SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints (not addressed by CVE-2025-65958)2026/5/14
HIGH8.5CVE-2026-45400EPSS 0.03%Open WebUI has a Server-Side Request Forgery (SSRF) bypass in `validate_url`2026/5/14
HIGH7.1CVE-2026-45399EPSS 0.04%Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wide chat disruption2026/5/14
HIGH7.5CVE-2026-45398EPSS 0.04%Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls2026/5/14
HIGH7.1CVE-2026-45350EPSS 0.06%Open WebUI's chat completion API allows tool restrictions to be bypassed2026/5/14
HIGH7.1CVE-2026-45349EPSS 0.04%Open WebUI has Broken Access Control for Completions API2026/5/14
HIGH8.7CVE-2026-45348EPSS 0.03%pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal2026/5/14
HIGH7.7CVE-2026-45338EPSS 0.01%Open WebUI Vulnerable to SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py)2026/5/14
HIGH8.5CVE-2026-45331EPSS 0.01%Open WebUI has a full SSRF Vulnerability in the RAG Web Search Feature2026/5/14
HIGH8.7CVE-2026-45315EPSS 0.01%Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions2026/5/14
HIGH7.7CVE-2026-45303EPSS 0.04%Open WebUI has stored XSS via the HTML renedering view2026/5/14
HIGH8.1CVE-2026-45301EPSS 0.03%Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file2026/5/14
HIGH8.1CVE-2026-43978wger: Privilege escalation via trainer-login session chaining allows gym trainer to impersonate gym manager2026/5/14
HIGH7.5CVE-2026-43977wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API2026/5/14
HIGH7.1CVE-2026-44798EPSS 0.06%Nautobot: GitRepository.current_head field should not be writable through REST API2026/5/13
HIGH8.5CVE-2026-44797EPSS 0.04%Nautobot: Webhook definitions could be used for server-side request forgery (SSRF)2026/5/13