Vulnerabilities
Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.
| ID | Title | |
|---|---|---|
| CVE-2026-54017 |
|
Path Traversal in open-webui (CVE-2026-54017)
path traversal in open-webui (CVE-2026-54017). Confidential information can be exposed externally. Exploitable via `GET /api/v1/terminals/server1/..`. Mitigation: upgrade to `0.9.6` or later.
|
| CVE-2026-9675 |
|
Vulnerability in undici (CVE-2026-9675)
vulnerability in undici (CVE-2026-9675). Risk of unauthorized operations or information disclosure. Exploitable via ``maxPayloadSize``. Mitigation: upgrade to `8.5.0` or later.
|
| CVE-2026-12151 |
|
Vulnerability in undici (CVE-2026-12151)
vulnerability in undici (CVE-2026-12151). Risk of unauthorized operations or information disclosure. Exploitable via ``maxPayloadSize``. Mitigation: upgrade to `8.5.0` or later.
|
| CVE-2026-10641 |
|
Out-of-Bounds Write in c (CVE-2026-10641)
out-of-bounds write in c (CVE-2026-10641). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-54013 |
|
Cross-Site Scripting (XSS) in open-webui (CVE-2026-54013)
cross-site scripting in open-webui (CVE-2026-54013). Confidential information can be exposed externally. Exploitable via `GET /api/v1/models/model/profile/image`. Mitigation: upgrade to `0.9.6` or later.
|
| CVE-2026-54012 |
|
Vulnerability in open-webui (CVE-2026-54012)
vulnerability in open-webui (CVE-2026-54012). Confidential information can be exposed externally. Exploitable via `GET /api/v1/files/{id}/content`. Mitigation: upgrade to `0.9.6` or later.
|
| CVE-2026-54011 |
|
Cross-Site Scripting (XSS) in open-webui (CVE-2026-54011)
cross-site scripting in open-webui (CVE-2026-54011). Confidential information can be exposed externally. Exploitable via ``innerHTML``. Mitigation: upgrade to `0.9.6` or later.
|
| CVE-2026-54010 |
|
Vulnerability in open-webui (CVE-2026-54010)
vulnerability in open-webui (CVE-2026-54010). Confidential information can be exposed externally. Exploitable via `GET /api/v1/files/{id}/content`. Mitigation: upgrade to `>= 0.9.6` or later.
|
| CVE-2026-54008 |
|
SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-54008)
SSRF in open-webui (CVE-2026-54008). Confidential information can be exposed externally. Exploitable via `GET /api/v1/auths/`. Mitigation: upgrade to `0.9.0` or later.
|
| CVE-2026-53923 |
|
Information Disclosure in vllm (CVE-2026-53923)
vulnerability in vllm (CVE-2026-53923). Confidential information can be exposed externally. Exploitable via ``to_cuda_ggml_t``.
|
| CVE-2026-54761 |
|
Vulnerability in github.com/traefik/traefik/v3 (CVE-2026-54761)
vulnerability in github.com/traefik/traefik/v3 (CVE-2026-54761). Confidential information can be exposed externally. Exploitable via ``crossProviderNamespaces``. Mitigation: upgrade to `3.7.5` or later.
|
| CVE-2026-54328 |
|
Vulnerability in @earendil-works/pi-coding-agent (CVE-2026-54328)
vulnerability in @earendil-works/pi-coding-agent (CVE-2026-54328). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `>= 0.78.1` or later.
|
| CVE-2026-48788 |
|
Cross-Site Scripting (XSS) in github.com/umputun/remark42 (CVE-2026-48788)
cross-site scripting in github.com/umputun/remark42 (CVE-2026-48788). Confidential information can be exposed externally. Exploitable via ``http.DetectContentType``. Mitigation: upgrade to `1.16.0` or later.
|
| CVE-2026-12437 |
|
Use-After-Free in Google chrome (CVE-2026-12437)
vulnerability in Google chrome (CVE-2026-12437). Successful exploitation can lead to full system takeover.
|
| CVE-2026-26231 |
|
Authorization Flaw in code.gitea.io/gitea (CVE-2026-26231)
vulnerability in code.gitea.io/gitea (CVE-2026-26231). Data can be tampered with by attackers. Exploitable via ``Read``. Mitigation: upgrade to `1.26.2` or later.
|
| CVE-2026-28699 |
|
Vulnerability in code.gitea.io/gitea (CVE-2026-28699)
vulnerability in code.gitea.io/gitea (CVE-2026-28699). Confidential information can be exposed externally. Exploitable via `PATCH /api/v1/user/settings`. Mitigation: upgrade to `1.26.2` or later.
|
| CVE-2026-52797 |
|
Path Traversal in gogs.io/gogs (CVE-2026-52797)
path traversal in gogs.io/gogs (CVE-2026-52797). Risk of unauthorized operations or information disclosure. Exploitable via ``treePath``. Mitigation: upgrade to `0.14.0` or later.
|
| CVE-2026-28744 |
|
Authorization Flaw in code.gitea.io/gitea (CVE-2026-28744)
vulnerability in code.gitea.io/gitea (CVE-2026-28744). Confidential information can be exposed externally. Exploitable via ``ctx.IsBasicAuth``. Mitigation: upgrade to `1.26.2` or later.
|
| CVE-2026-54304 |
|
Information Disclosure in n8n (CVE-2026-54304)
vulnerability in n8n (CVE-2026-54304). Confidential information can be exposed externally. Exploitable via ``NODES_EXCLUDE``. Mitigation: upgrade to `2.25.7` or later.
|
| CVE-2026-54314 |
|
Vulnerability in n8n (CVE-2026-54314)
vulnerability in n8n (CVE-2026-54314). Risk of unauthorized operations or information disclosure. Exploitable via ``N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES``. Mitigation: upgrade to `2.24.0` or later.
|
| CVE-2026-54312 |
|
Vulnerability in n8n (CVE-2026-54312)
vulnerability in n8n (CVE-2026-54312). Risk of unauthorized operations or information disclosure. Exploitable via ``Object.prototype``. Mitigation: upgrade to `2.24.0` or later.
|
| CVE-2026-22312 |
|
Vulnerability in CVE-2026-22312 (CVE-2026-22312)
vulnerability in CVE-2026-22312 (CVE-2026-22312). Data can be tampered with by attackers.
|
| CVE-2026-10303 |
|
Vulnerability in path-traversal (CVE-2026-10303)
vulnerability in path-traversal (CVE-2026-10303). Confidential information can be exposed externally.
|
| CVE-2026-0164 |
|
Vulnerability in google (CVE-2026-0164)
vulnerability in google (CVE-2026-0164). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0162 |
|
Vulnerability in cpp (CVE-2026-0162)
vulnerability in cpp (CVE-2026-0162). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0161 |
|
Vulnerability in cpp (CVE-2026-0161)
vulnerability in cpp (CVE-2026-0161). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0152 |
|
Buffer Overflow in c (CVE-2026-0152)
vulnerability in c (CVE-2026-0152). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0153 |
|
Out-of-Bounds Write in google (CVE-2026-0153)
out-of-bounds write in google (CVE-2026-0153). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0156 |
|
Vulnerability in cpp (CVE-2026-0156)
vulnerability in cpp (CVE-2026-0156). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-0151 |
|
Vulnerability in c (CVE-2026-0151)
vulnerability in c (CVE-2026-0151). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0149 |
|
Vulnerability in google (CVE-2026-0149)
vulnerability in google (CVE-2026-0149). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0154 |
|
Vulnerability in google (CVE-2026-0154)
vulnerability in google (CVE-2026-0154). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0146 |
|
Vulnerability in c (CVE-2026-0146)
vulnerability in c (CVE-2026-0146). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0148 |
|
Vulnerability in cpp (CVE-2026-0148)
vulnerability in cpp (CVE-2026-0148). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0150 |
|
Vulnerability in google (CVE-2026-0150)
vulnerability in google (CVE-2026-0150). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0147 |
|
Vulnerability in c (CVE-2026-0147)
vulnerability in c (CVE-2026-0147). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0160 |
|
Vulnerability in cpp (CVE-2026-0160)
vulnerability in cpp (CVE-2026-0160). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0143 |
|
Use-After-Free in c (CVE-2026-0143)
vulnerability in c (CVE-2026-0143). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0139 |
|
Buffer Overflow in google (CVE-2026-0139)
vulnerability in google (CVE-2026-0139). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0132 |
|
Vulnerability in google (CVE-2026-0132)
vulnerability in google (CVE-2026-0132). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0135 |
|
Out-of-Bounds Read in google (CVE-2026-0135)
vulnerability in google (CVE-2026-0135). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0137 |
|
Use-After-Free in c (CVE-2026-0137)
vulnerability in c (CVE-2026-0137). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0133 |
|
Vulnerability in c (CVE-2026-0133)
vulnerability in c (CVE-2026-0133). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0138 |
|
Vulnerability in c (CVE-2026-0138)
vulnerability in c (CVE-2026-0138). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0125 |
|
Use-After-Free in c (CVE-2026-0125)
vulnerability in c (CVE-2026-0125). Successful exploitation can lead to full system takeover.
|
| CVE-2026-0131 |
|
Out-of-Bounds Read in google (CVE-2026-0131)
vulnerability in google (CVE-2026-0131). Successful exploitation can lead to full system takeover.
|
| CVE-2026-54322 |
|
Vulnerability in github.com/daytonaio/daytona (CVE-2026-54322)
vulnerability in github.com/daytonaio/daytona (CVE-2026-54322). Data can be tampered with by attackers. Mitigation: upgrade to `0.185.0` or later.
|
| CVE-2026-52845 |
|
Authentication Bypass in github.com/caddyserver/caddy/v2 (CVE-2026-52845)
authentication bypass in github.com/caddyserver/caddy/v2 (CVE-2026-52845). Confidential information can be exposed externally. Exploitable via `GET /index.php`. Mitigation: upgrade to `2.11.4` or later.
|
| CVE-2026-52844 |
|
Path Traversal in github.com/caddyserver/caddy/v2 (CVE-2026-52844)
path traversal in github.com/caddyserver/caddy/v2 (CVE-2026-52844). Confidential information can be exposed externally. Exploitable via `GET /private/secret.txt`. Mitigation: upgrade to `2.11.4` or later.
|
| CVE-2026-50574 |
|
Vulnerability in yt-dlp (CVE-2026-50574)
vulnerability in yt-dlp (CVE-2026-50574). Successful exploitation can lead to full system takeover. Exploitable via ``title``. Mitigation: upgrade to `2026.6.9` or later.
|