Total CVEs

142,518

Critical Severity

3,992

High Severity

14,327

Last 7 Days

1,883
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 14,641 - 14,660 of 38,923 CVEs
CVE-2026-42190 MEDIUM - 5.3

RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the vic...

Vendor: redwoodjs
Product: sdk
Published: May 08, 2026
Source: NVD
CVE-2026-42189 HIGH - 7.5

Russh is a Rust SSH client & server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g.,...

Vendor: Eugeny
Product: russh
Published: May 08, 2026
Source: NVD
CVE-2026-42185 MEDIUM - 5.5

People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user (including users with no current domain access) to the ...

Vendor: suitenumerique
Product: people
Published: May 08, 2026
Source: NVD
CVE-2026-42181 MEDIUM - 6.5

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ran...

Vendor: LemmyNet
Product: lemmy
Published: May 08, 2026
Source: NVD
CVE-2026-42180 MEDIUM - 6.3

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled ...

Vendor: LemmyNet
Product: lemmy
Published: May 08, 2026
Source: NVD
CVE-2026-42176 MEDIUM - 6.7

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email addres...

Vendor: Erudika
Product: scoold
Published: May 08, 2026
Source: NVD

Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization / user acc...

Vendor: sovity
Product: dataspace-portal
Published: May 08, 2026
Source: NVD
CVE-2026-44560 MEDIUM - 6.5

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the type: "file" (non-full-context), type: "text" with collection_name, and bare collection_name/collection_names paths in the get_sources_from_items function perfor...

Vendor: pip
Product: open-webui
Published: May 08, 2026
Source: GitHub
CVE-2026-44561 MEDIUM - 5.4

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the is_user_channel_member function checks whether a ChannelMember row exists but does not check the is_active field. When a user is deactivated from a group or DM channel (removed by t...

Vendor: pip
Product: open-webui
Published: May 08, 2026
Source: GitHub
CVE-2026-44564 MEDIUM - 5.4

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the ydoc:document:update Socket.IO event handler checks whether the sender is a member of the document's Socket.IO room (line 678) but does not verify that the sender has write per...

Vendor: pip
Product: open-webui
Published: May 08, 2026
Source: GitHub
CVE-2026-44563 MEDIUM - 5.4

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /api/generate, /api/embed, /api/embeddings, and /api/show endpoints accept any model name from the user and forward the request to the Ollama backend without checking whether the us...

Vendor: pip
Product: open-webui
Published: May 08, 2026
Source: GitHub
CVE-2026-44562 MEDIUM - 6.5

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/models/import endpoint allows users with the workspace.models_import permission to overwrite any existing model in the database, regardless of ownership. When an import...

Vendor: pip
Product: open-webui
Published: May 08, 2026
Source: GitHub
CVE-2026-44559 MEDIUM - 4.3

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the GET /api/v1/channels/{id}/members endpoint only checks membership for group and dm channel types (lines 467-469). For standard channels โ€” including private ones โ€” there is no channe...

Vendor: pip
Product: open-webui
Published: May 08, 2026
Source: GitHub
CVE-2026-44557 MEDIUM - 4.3

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory-* and file-* patterns. All other collectio...

Vendor: pip
Product: open-webui
Published: May 08, 2026
Source: GitHub
CVE-2026-44554 HIGH - 8.1

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collection_name and an overwrite query parameter (default: True). It performs no authorization check on whether t...

Vendor: pip
Product: open-webui
Published: May 08, 2026
Source: GitHub
CVE-2026-44558 MEDIUM - 5.4

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filter_allowed_access_grants on either create or update paths. A non-admin user who can create group channels (or who owns a channel) can submit arbitra...

Vendor: pip
Product: open-webui
Published: May 08, 2026
Source: GitHub
CVE-2026-44556 HIGH - 7.1

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /responses endpoint in the OpenAI router accepts any authenticated user and forwards requests directly to upstream LLM providers without enforcing per-model access control. While th...

Vendor: pip
Product: open-webui
Published: May 08, 2026
Source: GitHub
CVE-2026-44555 HIGH - 7.6

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI supports model composition via base_model_id: a user-defined model (e.g., "Cheap Assistant") can reference an existing base model (e.g., "gpt-4-turbo-restricte...

Vendor: pip
Product: open-webui
Published: May 08, 2026
Source: GitHub
CVE-2026-44552 HIGH - 8.7

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the tool_servers and terminal_servers keys in utils/tools.py do use a prefix. When two or more Open WebUI instances share a Redis database (a supported and documented deployment pattern...

Vendor: pip
Product: open-webui
Published: May 08, 2026
Source: GitHub
CVE-2026-44553 HIGH - 8.1

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin privilege...

Vendor: pip
Product: open-webui
Published: May 08, 2026
Source: GitHub