Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21148
Total
1520
Critical
6441
High
6722
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-53754 | HIGH | 7.5 | Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.8, the Docker API server's SSRF protection (validate_webhook_url / validate_url_destination in deploy/docker/utils.py) used … | Jun 23, 2026 |
| CVE-2026-53753 | CRITICAL | 9.8 | Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.7, the _safe_eval_expression() function in the computed fields feature uses an AST validator … | Jun 23, 2026 |
| CVE-2026-57062 | LOW | 2.9 | CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes … | Jun 23, 2026 |
| CVE-2026-57053 | MEDIUM | 4.0 | GNU libidn before 1.44 is prone to out-of-bounds reads of uninitialized memory in the ToUnicode APIs because of mishandling in idna_to_unicode_internal. The affected code is … | Jun 23, 2026 |
| CVE-2026-55517 | MEDIUM | 4.3 | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the … | Jun 23, 2026 |
| CVE-2026-54324 | MEDIUM | 6.5 | Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, a cross-tenant authorization flaw in Daytona's notification … | Jun 23, 2026 |
| CVE-2026-54323 | MEDIUM | 5.9 | Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, the daemon's git clone implementation disabled TLS … | Jun 23, 2026 |
| CVE-2026-54318 | HIGH | 7.1 | Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.5.3, the LocationSensorManager BroadcastReceiver is exported with no … | Jun 23, 2026 |
| CVE-2026-54317 | HIGH | 7.6 | Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, … | Jun 23, 2026 |
| CVE-2026-54316 | UNKNOWN | — | Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, … | Jun 23, 2026 |
| CVE-2026-54257 | UNKNOWN | — | Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 42.3.1 until 42.3.3, Buffer performs incorrect byte length calculations resulting … | Jun 23, 2026 |
| CVE-2026-54157 | CRITICAL | 9.0 | LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com … | Jun 23, 2026 |
| CVE-2026-54022 | MEDIUM | 5.3 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the ydoc:document:join Socket.IO handler checks note ownership only when … | Jun 23, 2026 |
| CVE-2026-54021 | MEDIUM | 6.3 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, several direct, index-addressed Ollama proxy routes accept a caller-supplied … | Jun 23, 2026 |
| CVE-2026-54019 | MEDIUM | 6.5 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI added collection-level ACL checks, but the patch … | Jun 23, 2026 |
| CVE-2026-54018 | HIGH | 7.7 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the SafePlaywrightURLLoader implements a validate_url function to prevent SSRF … | Jun 23, 2026 |
| CVE-2026-54016 | MEDIUM | 4.3 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI has a Broken Object Level Authorization (BOLA) … | Jun 23, 2026 |
| CVE-2026-54015 | MEDIUM | 6.4 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI's prompt version-history endpoints authorize the prompt_id in … | Jun 23, 2026 |
| CVE-2026-54014 | MEDIUM | 4.3 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, a path traversal vulnerability exists in open-webui's cache file … | Jun 23, 2026 |
| CVE-2026-54013 | HIGH | 7.6 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI patched SVG XSS in user profile images … | Jun 23, 2026 |
| CVE-2026-54012 | HIGH | 7.1 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets a user who can create, update, … | Jun 23, 2026 |
| CVE-2026-54011 | HIGH | 8.7 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6,Open WebUI renders Mermaid blocks from Markdown files in the … | Jun 23, 2026 |
| CVE-2026-54010 | HIGH | 8.3 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets an authenticated user attach arbitrary file_id … | Jun 23, 2026 |
| CVE-2026-54009 | MEDIUM | 6.5 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/chat/completions accepts an image_url.url value that, when it … | Jun 23, 2026 |
| CVE-2026-54008 | HIGH | 8.5 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, backend/open_webui/utils/oauth.py::_process_picture_url calls validate_url(picture_url) on the initial URL only, then … | Jun 23, 2026 |