Loading market data...

CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

21813
Total
1557
Critical
6628
High
6957
Medium
CVE ID Severity Score Description Published
CVE-2026-54257 UNKNOWN Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 42.3.1 until 42.3.3, Buffer performs incorrect byte length calculations resulting … Jun 23, 2026
CVE-2026-54157 CRITICAL 9.0 LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com … Jun 23, 2026
CVE-2026-54022 MEDIUM 5.3 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the ydoc:document:join Socket.IO handler checks note ownership only when … Jun 23, 2026
CVE-2026-54021 MEDIUM 6.3 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, several direct, index-addressed Ollama proxy routes accept a caller-supplied … Jun 23, 2026
CVE-2026-54019 MEDIUM 6.5 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI added collection-level ACL checks, but the patch … Jun 23, 2026
CVE-2026-54018 HIGH 7.7 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the SafePlaywrightURLLoader implements a validate_url function to prevent SSRF … Jun 23, 2026
CVE-2026-54016 MEDIUM 4.3 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI has a Broken Object Level Authorization (BOLA) … Jun 23, 2026
CVE-2026-54015 MEDIUM 6.4 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI's prompt version-history endpoints authorize the prompt_id in … Jun 23, 2026
CVE-2026-54014 MEDIUM 4.3 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, a path traversal vulnerability exists in open-webui's cache file … Jun 23, 2026
CVE-2026-54013 HIGH 7.6 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI patched SVG XSS in user profile images … Jun 23, 2026
CVE-2026-54012 HIGH 7.1 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets a user who can create, update, … Jun 23, 2026
CVE-2026-54011 HIGH 8.7 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6,Open WebUI renders Mermaid blocks from Markdown files in the … Jun 23, 2026
CVE-2026-54010 HIGH 8.3 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets an authenticated user attach arbitrary file_id … Jun 23, 2026
CVE-2026-54009 MEDIUM 6.5 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/chat/completions accepts an image_url.url value that, when it … Jun 23, 2026
CVE-2026-54008 HIGH 8.5 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, backend/open_webui/utils/oauth.py::_process_picture_url calls validate_url(picture_url) on the initial URL only, then … Jun 23, 2026
CVE-2026-54007 UNKNOWN Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the chat message listener allows non-same-origin input:prompt and action:submit … Jun 23, 2026
CVE-2026-54006 MEDIUM 4.3 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/v1/calendars/events/{event_id}/update validates that the caller has write access … Jun 23, 2026
CVE-2026-53662 CRITICAL 9.6 immich is a high performance self-hosted photo and video management solution. From commit 4ffa26c9 until 4eb1003, a reflected cross-site scripting (XSS) vulnerability on the /auth/login … Jun 23, 2026
CVE-2026-52846 MEDIUM 4.2 Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from … Jun 23, 2026
CVE-2026-52845 HIGH 8.1 Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the … Jun 23, 2026
CVE-2026-52844 HIGH 7.5 Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but … Jun 23, 2026
CVE-2026-50221 UNKNOWN In OpenStack Swift before 2.37.2, proxy-server does not strip internal update headers (X-Container-Host, X-Container-Device, X-Delete-At-Host, X-Delete-At-Device) from client requests before forwarding them to object-servers. An … Jun 23, 2026
CVE-2026-49983 MEDIUM 5.2 Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny it with --deny-env, … Jun 23, 2026
CVE-2026-49860 MEDIUM 5.2 Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules … Jun 23, 2026
CVE-2026-49859 MEDIUM 5.2 Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch() was called, Deno checked the destination hostname against --deny-net rules but did … Jun 23, 2026