Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-56398

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-15 Jul, 2026 | 11:25
Updated At-15 Jul, 2026 | 13:25
Rejected At-
Credits

Open WebUI - Stored Cross-Site Scripting via OAuth Picture Claim SVG Data URI

Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-Type header, allowing SVG files to bypass the profile image validator and be stored as data URIs. Authenticated users who visit the profile image endpoint receive attacker-controlled SVG content with inline disposition and no default security headers, enabling script execution in the same origin to steal authentication tokens and achieve account takeover.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:15 Jul, 2026 | 11:25
Updated At:15 Jul, 2026 | 13:25
Rejected At:
▼CVE Numbering Authority (CNA)
Open WebUI - Stored Cross-Site Scripting via OAuth Picture Claim SVG Data URI

Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-Type header, allowing SVG files to bypass the profile image validator and be stored as data URIs. Authenticated users who visit the profile image endpoint receive attacker-controlled SVG content with inline disposition and no default security headers, enabling script execution in the same origin to steal authentication tokens and achieve account takeover.

Affected Products
Vendor
open-webui
Product
open-webui
Default Status
unaffected
Versions
Affected
  • From 0 before 0.9.5 (semver)
Unaffected
  • 0.9.5 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-20Improper Input Validation
Type: CWE
CWE ID: CWE-20
Description: Improper Input Validation
Metrics
VersionBase scoreBase severityVector
4.08.5HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
3.17.3HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Version: 4.0
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Version: 3.1
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
matte1782
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/open-webui/open-webui/security/advisories/GHSA-3wgj-c2hg-vm6q
vendor-advisory
https://www.vulncheck.com/advisories/open-webui-stored-cross-site-scripting-via-oauth-picture-claim-svg-data-uri
third-party-advisory
Hyperlink: https://github.com/open-webui/open-webui/security/advisories/GHSA-3wgj-c2hg-vm6q
Resource:
vendor-advisory
Hyperlink: https://www.vulncheck.com/advisories/open-webui-stored-cross-site-scripting-via-oauth-picture-claim-svg-data-uri
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:15 Jul, 2026 | 12:18
Updated At:16 Jul, 2026 | 20:03

Open WebUI before 0.9.5 contains a stored cross-site scripting vulnerability in the OAuth authentication flow where the picture claim URL MIME type is inferred from file extension rather than Content-Type header, allowing SVG files to bypass the profile image validator and be stored as data URIs. Authenticated users who visit the profile image endpoint receive attacker-controlled SVG content with inline disposition and no default security headers, enabling script execution in the same origin to steal authentication tokens and achieve account takeover.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.5HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.17.3HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary3.19.0CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
N/A
Type: Secondary
Version: 4.0
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Type: Primary
Version: 3.1
Base score: 9.0
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

openwebui
openwebui
>>open_webui>>Versions before 0.9.5(exclusive)
cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-20Secondarydisclosure@vulncheck.com
CWE ID: CWE-20
Type: Secondary
Source: disclosure@vulncheck.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/open-webui/open-webui/security/advisories/GHSA-3wgj-c2hg-vm6qdisclosure@vulncheck.com
Exploit
Vendor Advisory
https://www.vulncheck.com/advisories/open-webui-stored-cross-site-scripting-via-oauth-picture-claim-svg-data-uridisclosure@vulncheck.com
Third Party Advisory
Hyperlink: https://github.com/open-webui/open-webui/security/advisories/GHSA-3wgj-c2hg-vm6q
Source: disclosure@vulncheck.com
Resource:
Exploit
Vendor Advisory
Hyperlink: https://www.vulncheck.com/advisories/open-webui-stored-cross-site-scripting-via-oauth-picture-claim-svg-data-uri
Source: disclosure@vulncheck.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

20Records found

CVE-2026-59214
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-0.29% / 20.51%
||
7 Day CHG~0.00%
Published-09 Jul, 2026 | 15:51
Updated-10 Jul, 2026 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open WebUI: Stored web worker XSS via Pyodide

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue authenticated same-origin requests when a victim clicks Run, which can reach admin-only endpoints and execute server-side code through configured tools. This issue is fixed in version 0.10.0.

Action-Not Available
Vendor-openwebuiopen-webui
Product-open_webuiopen-webui
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-59216
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.31% / 22.79%
||
7 Day CHG+0.03%
Published-09 Jul, 2026 | 16:48
Updated-13 Jul, 2026 | 12:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open WebUI: Cross-user code-interpreter and tool execution via unvalidated Socket.IO event-caller session_id

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, get_event_call delivered execute:python and execute:tool Socket.IO events to a client-supplied session_id after checking only that the session was connected, allowing authenticated users who learned another socket ID through ydoc:document:join to run code interpreter Python or tools in that user session. This issue is fixed in version 0.10.0.

Action-Not Available
Vendor-openwebuiopen-webui
Product-open_webuiopen-webui
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-44721
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-0.31% / 22.74%
||
7 Day CHG~0.00%
Published-15 May, 2026 | 20:02
Updated-19 May, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open WebUI: Stored XSS via Model Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a stored cross-site scripting (XSS) vulnerability that allows any authenticated user with model creation permission (workspace.models) to execute arbitrary JavaScript in the browser of any other user (including admins) who views the malicious model in the chat UI. This vulnerability is fixed in 0.9.0.

Action-Not Available
Vendor-openwebuiopen-webui
Product-open_webuiopen-webui
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-44549
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-0.32% / 23.87%
||
7 Day CHG~0.00%
Published-15 May, 2026 | 21:45
Updated-19 May, 2026 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open WebUI: Stored XSS in excel file preview

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheet_to_html to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html causing the payload to trigger. This vulnerability is fixed in 0.8.0.

Action-Not Available
Vendor-openwebuiopen-webui
Product-open_webuiopen-webui
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-7053
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.6||HIGH
EPSS-0.66% / 47.44%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:11
Updated-01 Apr, 2025 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Session Fixation in open-webui/open-webui

A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default `SameSite=Lax` and does not have the `Secure` flag enabled, allowing the session cookie to be sent over HTTP to a cross-origin domain. An attacker can exploit this by embedding a malicious markdown image in a chat, which, when viewed by an administrator, sends the admin's session cookie to the attacker's server. This can lead to a stealthy administrator account takeover, potentially resulting in remote code execution (RCE) due to the elevated privileges of administrator accounts.

Action-Not Available
Vendor-openwebuiopen-webui
Product-open_webuiopen-webui/open-webui
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-26193
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-0.20% / 9.76%
||
7 Day CHG~0.00%
Published-19 Feb, 2026 | 19:15
Updated-20 Feb, 2026 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open WebUI vulnerable to Stored XSS via iFrame embeds in response messages

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.44, aanually modifying chat history allows setting the `embeds` property on a response message, the content of which is loaded into an iFrame with a sandbox that has `allow-scripts` and `allow-same-origin` set, ignoring the "iframe Sandbox Allow Same Origin" configuration. This enables stored XSS on the affected chat. This also triggers when the chat is in the shared format. The result is a shareable link containing the payload that can be distributed to any other users on the instance. Version 0.6.44 fixes the issue.

Action-Not Available
Vendor-openwebuiopen-webui
Product-open_webuiopen-webui
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-26192
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-0.19% / 9.26%
||
7 Day CHG~0.00%
Published-19 Feb, 2026 | 19:10
Updated-20 Feb, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open WebUI vulnerable to Stored XSS via iFrame in citations model

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, aanually modifying chat history allows setting the `html` property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML, and render them in an iFrame when the citation is previewed. This allows stored XSS via a weaponized document payload in a chat. The payload also executes when the citation is viewed on a shared chat. Version 0.7.0 fixes the issue.

Action-Not Available
Vendor-openwebuiopen-webui
Product-open_webuiopen-webui
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-64496
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-7.87% / 94.05%
||
7 Day CHG~0.00%
Published-08 Nov, 2025 | 01:29
Updated-26 Nov, 2025 | 15:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35.

Action-Not Available
Vendor-openwebuiopen-webui
Product-open_webuiopen-webui
CWE ID-CWE-501
Trust Boundary Violation
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CWE ID-CWE-830
Inclusion of Web Functionality from an Untrusted Source
CWE ID-CWE-95
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CVE-2026-45317
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.17% / 6.04%
||
7 Day CHG~0.00%
Published-15 May, 2026 | 21:29
Updated-18 May, 2026 | 20:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open WebUI: Cross-Site Request Forgery (CSRF) via Image URL Manipulation

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerability, and any user who views the compromised image (e.g., a profile picture) will unknowingly send a GET request to the attacker-controlled URL. This can lead to cookie theft, denial of service (DoS), or other malicious actions. This vulnerability is fixed in 0.9.3.

Action-Not Available
Vendor-openwebuiopen-webui
Product-open_webuiopen-webui
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-34157
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-9.4||CRITICAL
EPSS-0.45% / 36.26%
||
7 Day CHG~0.00%
Published-27 Aug, 2025 | 16:48
Updated-14 Jul, 2026 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Coolify Stored Cross-Site Scripting (XSS) in Project Name Field

Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the payload executes in the admin’s browser context. This results in full compromise of the Coolify instance, including theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers.

Action-Not Available
Vendor-coollabscoolLabs Technologies
Product-coolifyCoolify
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-43566
Matching Score-4
Assigner-Splunk Inc.
ShareView Details
Matching Score-4
Assigner-Splunk Inc.
CVSS Score-7.3||HIGH
EPSS-0.78% / 51.76%
||
7 Day CHG~0.00%
Published-04 Nov, 2022 | 22:21
Updated-05 May, 2025 | 20:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Risky command safeguards bypass via Search ID query in Analytics Workspace in Splunk Enterprise

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more privileged user’s permissions to bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards  in the Analytics Workspace. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.

Action-Not Available
Vendor-Splunk LLC (Cisco Systems, Inc.)
Product-splunksplunk_cloud_platformSplunk Enterprise
CWE ID-CWE-20
Improper Input Validation
CVE-2023-30535
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-1.67% / 74.17%
||
7 Day CHG~0.00%
Published-14 Apr, 2023 | 19:30
Updated-06 Feb, 2025 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Snowflake JDBC vulnerable to command injection via SSO URL authentication

Snowflake JDBC provides a JDBC type 4 driver that supports core functionality, allowing Java program to connect to Snowflake. Users of the Snowflake JDBC driver were vulnerable to a command injection vulnerability. An attacker could set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload. If the attacker then tricked a user into visiting the maliciously crafted connection URL, the user’s local machine would render the malicious payload, leading to a remote code execution. The vulnerability was patched on March 17, 2023 as part of Snowflake JDBC driver Version 3.13.29. All users should immediately upgrade the Snowflake JDBC driver to the latest version: 3.13.29.

Action-Not Available
Vendor-snowflakesnowflakedb
Product-snowflake_jdbcsnowflake-jdbc
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-38216
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.2||HIGH
EPSS-0.87% / 54.79%
||
7 Day CHG~0.00%
Published-10 Sep, 2024 | 16:53
Updated-31 Dec, 2024 | 23:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Azure Stack Hub Elevation of Privilege Vulnerability

Azure Stack Hub Elevation of Privilege Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-azure_stack_hubAzure Stack Hub
CWE ID-CWE-20
Improper Input Validation
CVE-2026-33844
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-9||CRITICAL
EPSS-0.99% / 58.56%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 20:58
Updated-19 Jun, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability

Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-azure_managed_instance_for_apache_cassandraAzure Managed Instance for Apache Cassandra
CWE ID-CWE-20
Improper Input Validation
CVE-2026-27702
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.9||CRITICAL
EPSS-0.34% / 25.67%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 15:11
Updated-02 Mar, 2026 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Budibase Vulnerable to Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud)

Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod's environment: the `app-service` pod runs with secrets baked into its environment variables, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable. Version 3.30.4 contains a patch.

Action-Not Available
Vendor-budibaseBudibase
Product-budibasebudibase
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-95
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CVE-2026-23880
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-0.23% / 13.24%
||
7 Day CHG~0.00%
Published-19 Jan, 2026 | 20:55
Updated-26 Jan, 2026 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OnboardLite has stored Cross-site Scripting issue that may lead to admin Account Take Over

OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user's discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue.

Action-Not Available
Vendor-HackUCF
Product-OnboardLite
CWE ID-CWE-116
Improper Encoding or Escaping of Output
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-22934
Matching Score-4
Assigner-Splunk Inc.
ShareView Details
Matching Score-4
Assigner-Splunk Inc.
CVSS Score-7.3||HIGH
EPSS-1.12% / 62.57%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 17:22
Updated-28 Feb, 2025 | 11:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SPL Command Safeguards Bypass via the ‘pivot’ SPL Command in Splunk Enterprise

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets a search bypass SPL safeguards for risky commands using a saved search job. The vulnerability requires an authenticated user to craft the saved job and a higher privileged user to initiate a request within their browser.

Action-Not Available
Vendor-Splunk LLC (Cisco Systems, Inc.)
Product-splunksplunk_cloud_platformSplunk Cloud PlatformSplunk Enterprisesplunksplunk_cloud_platform
CWE ID-CWE-20
Improper Input Validation
CVE-2024-36053
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9||CRITICAL
EPSS-1.05% / 60.41%
||
7 Day CHG~0.00%
Published-19 May, 2024 | 15:16
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the mintupload package through 4.2.0 for Linux Mint, service-name mishandling leads to command injection via shell metacharacters in check_connection, drop_data_received_cb, and Service.remove. A user can modify a service name in a ~/.linuxmint/mintUpload/services/service file.

Action-Not Available
Vendor-n/alinuxmint
Product-n/amintupload
CWE ID-CWE-20
Improper Input Validation
CVE-2025-67493
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.27% / 18.55%
||
7 Day CHG+0.01%
Published-17 Dec, 2025 | 21:09
Updated-22 May, 2026 | 20:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Homarr: missing input sanitization and possible privilege escalation through ldap search query injection

Homarr is an open-source dashboard. Prior to version 1.45.3, it was possible to craft an input which allowed privilege escalation and getting access to groups of other users due to missing sanitization of inputs in ldap search query. The vulnerability could impact all instances using ldap authentication where a malicious actor had access to a user account. Version 1.45.3 has a patch for the issue.

Action-Not Available
Vendor-homarrhomarr-labs
Product-homarrhomarr
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-90
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CVE-2020-7869
Matching Score-4
Assigner-KrCERT/CC
ShareView Details
Matching Score-4
Assigner-KrCERT/CC
CVSS Score-9||CRITICAL
EPSS-1.61% / 73.20%
||
7 Day CHG~0.00%
Published-29 Jun, 2021 | 13:48
Updated-04 Aug, 2024 | 09:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper input validation vulnerability of ZOOK software (remote administration tool) could allow a remote attacker to create arbitrary file. The ZOOK viewer has the "Tight file CMD" function to create file. An attacker could create and execute arbitrary file in the ZOOK agent program using "Tight file CMD" without authority.

Action-Not Available
Vendor-mastersoftmastersoftMicrosoft Corporation
Product-windowszookZOOK
CWE ID-CWE-20
Improper Input Validation
Details not found