Vulnerabilities
Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.
| ID | Title | |
|---|---|---|
| CVE-2026-54011 |
|
Cross-Site Scripting (XSS) in open-webui (CVE-2026-54011)
cross-site scripting in open-webui (CVE-2026-54011). Confidential information can be exposed externally. Exploitable via ``innerHTML``. Mitigation: upgrade to `0.9.6` or later.
|
| CVE-2026-54010 |
|
Vulnerability in open-webui (CVE-2026-54010)
vulnerability in open-webui (CVE-2026-54010). Confidential information can be exposed externally. Exploitable via `GET /api/v1/files/{id}/content`. Mitigation: upgrade to `>= 0.9.6` or later.
|
| CVE-2026-54009 |
|
Vulnerability in open-webui (CVE-2026-54009)
vulnerability in open-webui (CVE-2026-54009). Confidential information can be exposed externally. Exploitable via `POST /api/chat/completions`. Mitigation: upgrade to `0.9.6` or later.
|
| CVE-2026-54008 |
|
SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-54008)
SSRF in open-webui (CVE-2026-54008). Confidential information can be exposed externally. Exploitable via `GET /api/v1/auths/`. Mitigation: upgrade to `0.9.0` or later.
|
| CVE-2026-54007 |
|
Vulnerability in open-webui (CVE-2026-54007)
vulnerability in open-webui (CVE-2026-54007). Data can be tampered with by attackers. Exploitable via `POST /api/v1/chats/new`. Mitigation: upgrade to `0.9.6` or later.
|
| CVE-2026-54006 |
|
Vulnerability in open-webui (CVE-2026-54006)
vulnerability in open-webui (CVE-2026-54006). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/v1/calendars/events/{event_id}/update`. Mitigation: upgrade to `0.9.6` or later.
|
| CVE-2026-53931 |
|
Vulnerability in nocodb (CVE-2026-53931)
vulnerability in nocodb (CVE-2026-53931). Risk of unauthorized operations or information disclosure. Exploitable via ``axiosRequestMake``.
|
| CVE-2026-53930 |
|
SSRF (Server-Side Request Forgery) in nocodb (CVE-2026-53930)
SSRF in nocodb (CVE-2026-53930). Risk of unauthorized operations or information disclosure. Exploitable via ``migrate``.
|
| CVE-2026-53929 |
|
Cross-Site Scripting (XSS) in nocodb (CVE-2026-53929)
cross-site scripting in nocodb (CVE-2026-53929). Risk of unauthorized operations or information disclosure. Exploitable via ``ResponseContentDisposition``.
|
| CVE-2026-53928 |
|
Vulnerability in nocodb (CVE-2026-53928)
vulnerability in nocodb (CVE-2026-53928). Risk of unauthorized operations or information disclosure. Exploitable via ``passwordChange``.
|
| CVE-2026-53927 |
|
SSRF (Server-Side Request Forgery) in nocodb (CVE-2026-53927)
SSRF in nocodb (CVE-2026-53927). Risk of unauthorized operations or information disclosure. Exploitable via ``axiosRequestMake``.
|
| CVE-2026-54233 |
|
Vulnerability in vllm (CVE-2026-54233)
vulnerability in vllm (CVE-2026-54233). Risk of unauthorized operations or information disclosure. Exploitable via ``SpeechToTextProcessor``.
|
| CVE-2026-54236 |
|
Vulnerability in vllm (CVE-2026-54236)
vulnerability in vllm (CVE-2026-54236). Risk of unauthorized operations or information disclosure. Exploitable via `POST /v1/messages`.
|
| CVE-2026-53923 |
|
Information Disclosure in vllm (CVE-2026-53923)
vulnerability in vllm (CVE-2026-53923). Confidential information can be exposed externally. Exploitable via ``to_cuda_ggml_t``.
|
| GHSA-8jr5-v98p-w75m |
|
Vulnerability in vllm (GHSA-8jr5-v98p-w75m)
vulnerability in vllm (GHSA-8jr5-v98p-w75m). Risk of unauthorized operations or information disclosure. Exploitable via ``ImageOps.exif_transpose``.
|
| CVE-2026-54235 |
|
Vulnerability in vllm (CVE-2026-54235)
vulnerability in vllm (CVE-2026-54235). Risk of unauthorized operations or information disclosure. Exploitable via ``False``.
|
| CVE-2026-54761 |
|
Vulnerability in github.com/traefik/traefik/v3 (CVE-2026-54761)
vulnerability in github.com/traefik/traefik/v3 (CVE-2026-54761). Confidential information can be exposed externally. Exploitable via ``crossProviderNamespaces``. Mitigation: upgrade to `3.7.5` or later.
|
| CVE-2026-53765 |
|
Vulnerability in chrome-devtools-mcp (CVE-2026-53765)
vulnerability in chrome-devtools-mcp (CVE-2026-53765). Data can be tampered with by attackers. Exploitable via ``O_NOFOLLOW``. Mitigation: upgrade to `1.1.0` or later.
|
| GHSA-664h-gpgq-h6xx |
|
Authorization Flaw in n8n (GHSA-664h-gpgq-h6xx)
vulnerability in n8n (GHSA-664h-gpgq-h6xx). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `2.25.7` or later.
|
| CVE-2026-54325 |
|
Vulnerability in @earendil-works/pi-coding-agent (CVE-2026-54325)
vulnerability in @earendil-works/pi-coding-agent (CVE-2026-54325). Risk of unauthorized operations or information disclosure. Exploitable via ``project_trust``. Mitigation: upgrade to `0.79.0` or later.
|
| CVE-2026-54328 |
|
Vulnerability in @earendil-works/pi-coding-agent (CVE-2026-54328)
vulnerability in @earendil-works/pi-coding-agent (CVE-2026-54328). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `>= 0.78.1` or later.
|
| CVE-2026-54327 |
|
Vulnerability in @mariozechner/pi-coding-agent (CVE-2026-54327)
vulnerability in @mariozechner/pi-coding-agent (CVE-2026-54327). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `0.78.1` or later.
|
| GHSA-crmm-hgp2-wgrp |
|
Vulnerability in laravel/framework (GHSA-crmm-hgp2-wgrp)
vulnerability in laravel/framework (GHSA-crmm-hgp2-wgrp). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `12.61.1` or later.
|
| GHSA-5vg9-5847-vvmq |
|
Vulnerability in laravel/framework (GHSA-5vg9-5847-vvmq)
vulnerability in laravel/framework (GHSA-5vg9-5847-vvmq). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `12.60.0` or later.
|
| CVE-2026-48797 |
|
Vulnerability in backpropagate (CVE-2026-48797)
vulnerability in backpropagate (CVE-2026-48797). Risk of unauthorized operations or information disclosure. Exploitable via ``BACKPROPAGATE_UI_AUTH``. Mitigation: upgrade to `1.2.0` or later.
|
| CVE-2026-48788 |
|
Cross-Site Scripting (XSS) in github.com/umputun/remark42 (CVE-2026-48788)
cross-site scripting in github.com/umputun/remark42 (CVE-2026-48788). Confidential information can be exposed externally. Exploitable via ``http.DetectContentType``. Mitigation: upgrade to `1.16.0` or later.
|
| CVE-2026-48783 |
|
Vulnerability in CVE-2026-48783 (CVE-2026-48783)
vulnerability in CVE-2026-48783 (CVE-2026-48783). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-48782 |
|
SSRF (Server-Side Request Forgery) in pydantic-ai-slim (CVE-2026-48782)
SSRF in pydantic-ai-slim (CVE-2026-48782). Confidential information can be exposed externally. Exploitable via ``FileUrl``. Mitigation: upgrade to `2.0.0b3` or later.
|
| CVE-2026-48781 |
|
Vulnerability in CVE-2026-48781 (CVE-2026-48781)
vulnerability in CVE-2026-48781 (CVE-2026-48781). Successful exploitation can lead to full system takeover.
|
| CVE-2026-48745 |
|
Vulnerability in CVE-2026-48745 (CVE-2026-48745)
vulnerability in CVE-2026-48745 (CVE-2026-48745). Confidential information can be exposed externally.
|
| CVE-2026-48055 |
|
Vulnerability in path-traversal (CVE-2026-48055)
vulnerability in path-traversal (CVE-2026-48055). Data can be tampered with by attackers.
|
| CVE-2026-47277 |
|
Path Traversal in CVE-2026-47277 (CVE-2026-47277)
path traversal in CVE-2026-47277 (CVE-2026-47277). Confidential information can be exposed externally.
|
| CVE-2026-48776 |
|
Path Traversal in langgraph-sdk (CVE-2026-48776)
path traversal in langgraph-sdk (CVE-2026-48776). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `0.3.15` or later.
|
| CVE-2026-12437 |
|
Use-After-Free in Google chrome (CVE-2026-12437)
vulnerability in Google chrome (CVE-2026-12437). Successful exploitation can lead to full system takeover.
|
| CVE-2026-54326 |
|
Cross-Site Scripting (XSS) in @mariozechner/pi-coding-agent (CVE-2026-54326)
cross-site scripting in @mariozechner/pi-coding-agent (CVE-2026-54326). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `0.78.1` or later.
|
| CVE-2026-20706 |
|
Vulnerability in code.gitea.io/gitea (CVE-2026-20706)
vulnerability in code.gitea.io/gitea (CVE-2026-20706). Confidential information can be exposed externally. Exploitable via `GET /{owner}/{private-repo}/archive/main.tar.gz`. Mitigation: upgrade to `1.26.2` or later.
|
| CVE-2026-27783 |
|
Vulnerability in code.gitea.io/gitea (CVE-2026-27783)
vulnerability in code.gitea.io/gitea (CVE-2026-27783). Risk of unauthorized operations or information disclosure. Exploitable via `GET /repos/{owner}/{repo}/issue_templates`. Mitigation: upgrade to `1.26.2` or later.
|
| CVE-2026-25714 |
|
Vulnerability in code.gitea.io/gitea (CVE-2026-25714)
vulnerability in code.gitea.io/gitea (CVE-2026-25714). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `1.26.2` or later.
|
| CVE-2026-26231 |
|
Authorization Flaw in code.gitea.io/gitea (CVE-2026-26231)
vulnerability in code.gitea.io/gitea (CVE-2026-26231). Data can be tampered with by attackers. Exploitable via ``Read``. Mitigation: upgrade to `1.26.2` or later.
|
| CVE-2026-28699 |
|
Vulnerability in code.gitea.io/gitea (CVE-2026-28699)
vulnerability in code.gitea.io/gitea (CVE-2026-28699). Confidential information can be exposed externally. Exploitable via `PATCH /api/v1/user/settings`. Mitigation: upgrade to `1.26.2` or later.
|
| CVE-2026-52797 |
|
Path Traversal in gogs.io/gogs (CVE-2026-52797)
path traversal in gogs.io/gogs (CVE-2026-52797). Risk of unauthorized operations or information disclosure. Exploitable via ``treePath``. Mitigation: upgrade to `0.14.0` or later.
|
| CVE-2026-49980 |
|
Vulnerability in github.com/rclone/rclone (CVE-2026-49980)
vulnerability in github.com/rclone/rclone (CVE-2026-49980). Successful exploitation can lead to full system takeover. Exploitable via ``GET``. Mitigation: upgrade to `1.74.3` or later.
|
| GHSA-m3q2-p4fw-w38m |
|
Cross-Site Scripting (XSS) in nuxt (GHSA-m3q2-p4fw-w38m)
cross-site scripting in nuxt (GHSA-m3q2-p4fw-w38m). Risk of unauthorized operations or information disclosure. Exploitable via ``innerHTML``. Mitigation: upgrade to `3.21.7` or later.
|
| CVE-2026-49468 |
|
Vulnerability in litellm (CVE-2026-49468)
vulnerability in litellm (CVE-2026-49468). Successful exploitation can lead to full system takeover. Exploitable via ``request.url.path``. Mitigation: upgrade to `1.84.0` or later.
|
| CVE-2026-28744 |
|
Authorization Flaw in code.gitea.io/gitea (CVE-2026-28744)
vulnerability in code.gitea.io/gitea (CVE-2026-28744). Confidential information can be exposed externally. Exploitable via ``ctx.IsBasicAuth``. Mitigation: upgrade to `1.26.2` or later.
|
| CVE-2026-54304 |
|
Information Disclosure in n8n (CVE-2026-54304)
vulnerability in n8n (CVE-2026-54304). Confidential information can be exposed externally. Exploitable via ``NODES_EXCLUDE``. Mitigation: upgrade to `2.25.7` or later.
|
| CVE-2026-54309 |
|
Vulnerability in n8n (CVE-2026-54309)
vulnerability in n8n (CVE-2026-54309). Confidential information can be exposed externally. Mitigation: upgrade to `2.25.7` or later.
|
| CVE-2026-54305 |
|
Information Disclosure in n8n (CVE-2026-54305)
vulnerability in n8n (CVE-2026-54305). Confidential information can be exposed externally. Exploitable via ``N8N_ENV_FEAT_DYNAMIC_CREDENTIALS``. Mitigation: upgrade to `2.25.7` or later.
|
| CVE-2026-54307 |
|
Authorization Flaw in n8n (CVE-2026-54307)
vulnerability in n8n (CVE-2026-54307). Confidential information can be exposed externally. Mitigation: upgrade to `2.25.7` or later.
|
| CVE-2026-54314 |
|
Vulnerability in n8n (CVE-2026-54314)
vulnerability in n8n (CVE-2026-54314). Risk of unauthorized operations or information disclosure. Exploitable via ``N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES``. Mitigation: upgrade to `2.24.0` or later.
|