Total CVEs

138,591

Critical Severity

3,578

High Severity

12,841

Last 7 Days

1,641
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 781 - 800 of 34,996 CVEs
CVE-2026-54014 MEDIUM - 4.3

Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}

Vendor: pip
Product: open-webui
Published: Jun 17, 2026
Source: GitHub
CVE-2026-54013 HIGH - 7.6

Open WebUI: Stored XSS to Account Takeover via Model Profile Images

Vendor: pip
Product: open-webui
Published: Jun 17, 2026
Source: GitHub
CVE-2026-54012 HIGH - 7.1

Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion

Vendor: pip
Product: open-webui
Published: Jun 17, 2026
Source: GitHub
CVE-2026-54011 HIGH - 8.7

Open WebUI: Stored XSS in Mermaid Markdown Preview

Vendor: pip
Product: open-webui
Published: Jun 17, 2026
Source: GitHub
CVE-2026-54010 HIGH - 8.3

Open WebUI: Forged chat-file link allows cross-user file read and deletion

Vendor: pip
Product: open-webui
Published: Jun 17, 2026
Source: GitHub
CVE-2026-54009 MEDIUM - 6.5

Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field

Vendor: pip
Product: open-webui
Published: Jun 17, 2026
Source: GitHub
CVE-2026-54008 HIGH - 8.5

Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401)

Vendor: pip
Product: open-webui
Published: Jun 17, 2026
Source: GitHub
CVE-2026-54007 HIGH

Open WebUI: Cross-origin postMessage confirmation bypass via action:submit

Vendor: pip
Product: open-webui
Published: Jun 17, 2026
Source: GitHub
CVE-2026-54006 MEDIUM - 4.3

Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar

Vendor: pip
Product: open-webui
Published: Jun 17, 2026
Source: GitHub
CVE-2026-53931 MEDIUM

NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint

Vendor: npm
Product: nocodb
Published: Jun 17, 2026
Source: GitHub
CVE-2026-53930 MEDIUM

NocoDB: Server-Side Request Forgery via Base Migration URL

Vendor: npm
Product: nocodb
Published: Jun 17, 2026
Source: GitHub
CVE-2026-53929 MEDIUM

NocoDB: Stored Cross-Site Scripting via Secure Attachment

Vendor: npm
Product: nocodb
Published: Jun 17, 2026
Source: GitHub
CVE-2026-53928 MEDIUM

NocoDB: Refresh Tokens Persist Through Password Recovery

Vendor: npm
Product: nocodb
Published: Jun 17, 2026
Source: GitHub
CVE-2026-53927 MEDIUM

NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL

Vendor: npm
Product: nocodb
Published: Jun 17, 2026
Source: GitHub
CVE-2026-54233 MEDIUM - 6.5

vLLM: OOM Denial of Service via Audio Decompression Bomb

Vendor: pip
Product: vllm
Published: Jun 17, 2026
Source: GitHub
CVE-2026-54236 MEDIUM

vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router

Vendor: pip
Product: vllm
Published: Jun 17, 2026
Source: GitHub
CVE-2026-53923 MEDIUM

vLLM: GGUF dequantize kernel int truncation exposes uninitialized GPU memory in multi-tenant serving

Vendor: pip
Product: vllm
Published: Jun 17, 2026
Source: GitHub
CVE-2026-54235 MEDIUM

vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels

Vendor: pip
Product: vllm
Published: Jun 17, 2026
Source: GitHub
CVE-2026-54761 MEDIUM

Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services

Vendor: go
Product: github.com/traefik/traefik/v3
Published: Jun 17, 2026
Source: GitHub
CVE-2026-53765 MEDIUM - 6.1

Chrome DevTools for agents: daemon.pid write follows symlinks in /tmp fallback runtime directory

Vendor: npm
Product: chrome-devtools-mcp
Published: Jun 17, 2026
Source: GitHub