This page offers a live Atom feed of the latest CVEs and vulnerabilities from cvefeed.io.

HIGH or CRITICAL
- CVE-2026-45665 - Open WebUI: Stored XSS in Banner Component via Improper Sanitization Order
- CVE-2026-45315 - Open WebUI: Stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions
- CVE-2026-44570 - Open WebUI: Inconsistent authorization controls within memories API
- CVE-2026-44565 - Open WebUI: Open WebUI Arbitrary File Write, Delete via Path Traversal
- CVE-2026-8696 - radare2 6.1.5 Use-After-Free via gdbr_pids_list()
- CVE-2026-45400 - Open WebUI: Server-Side Request Forgery (SSRF) bypass in `validate_url`
- CVE-2026-45671 - Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion
- CVE-2026-45331 - Open WebUI: Full SSRF Vulnerability in the RAG Web Search Feature
- CVE-2026-44551 - Open WebUI: LDAP Empty Password Authentication Bypass
- CVE-2026-8686 - DoS from MQTT v5.0 Deserialization Fault in core MQTT
- CVE-2026-46407 - Vvveb: admin/auth-token IDOR allows unauthorized disclosure of administrator REST API tokens
- CVE-2026-46364 - phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha
- CVE-2026-45800 - Vvveb: Authenticated SQL injection in /user/orders via order_by and direction
- CVE-2026-45010 - phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint
- CVE-2021-47964 - Schlix CMS 2.2.6-6 Remote Code Execution via core.blockmanager