CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-55736
Medium

A vulnerability in the Ash library allows an attacker to set the value of a private action argument that should only be controlled by trusted server-side code. The filtering of private arguments is incomplete – in the changeset path only atom keys are stripped, and in the atomic path they are not stripped at all.

CVE-2026-55249
Medium

The @rtk-ai/rtk-rewrite plugin version 1.0.0 fails to sanitize user input before passing it to a shell-backed execSync() template string, allowing arbitrary OS command injection. JSON.stringify() does not protect against shell metacharacters like $() and backticks, which are executed by /bin/sh -c.

CVE-2026-54319
Medium

In versions prior to 0.186, Daytona's sandbox volume reference (volumeId) was forwarded to the runner, potentially allowing unauthorized access to paths outside the intended base directory. The use of path-traversal sequences could enable the construction of the host bind-mount source path without proper confinement.

CVE-2026-57053
Medium

GNU libidn before version 1.44 is vulnerable to out-of-bounds reads of uninitialized memory in the ToUnicode APIs due to mishandling in the idna_to_unicode_internal function. The vulnerable code is not present in libidn2.

CVE-2026-55517
Medium

A vulnerability in Deno before version 2.7.5 allows a remote WebSocket server to crash the Deno process by sending a response with Sec-WebSocket-Protocol or Sec-WebSocket-Extensions headers containing non-printable ASCII bytes (0x80-0xFF). The flaw is due to improper parsing of these headers, causing a panic that terminates the entire process.

CVE-2026-54324
Medium

In Daytona, prior to version 0.185.0, there was a cross-tenant authorization flaw in the notification WebSocket gateway that allowed authenticated users to subscribe to another organization's real-time notification channels.

CVE-2026-54323
Medium

In versions prior to 0.185.0, the git clone implementation in the Daytona daemon disabled TLS certificate verification. This allowed attackers to intercept traffic and steal Git credentials.

CVE-2026-54022
Medium

In Open WebUI prior to version 0.8.11, there is a vulnerability that allows an attacker to bypass authorization checks when joining a document room. By manipulating the document identifier, the attacker can access the victim's private note contents.

CVE-2026-54021
Medium

Open WebUI before version 0.9.6 has a vulnerability in Ollama proxy routes where the url_idx parameter is used as a raw index into the OLLAMA_BASE_URLS list. An authenticated user can force a request to any Ollama backend, including internal, privileged, or admin-disabled ones, without proper authorization.

CVE-2026-54019
Medium

Open WebUI is a self-hosted artificial intelligence platform that prior to version 0.9.6 added collection-level ACL checks. However, in Milvus multitenancy mode, these checks can be bypassed, leading to potential unauthorized access to resources.

CVE-2026-54016
Medium

Open WebUI is a self-hosted artificial intelligence platform that prior to version 0.9.6 had a Broken Object Level Authorization (BOLA) vulnerability in the search_knowledge_files tool. This allows an authenticated user to access metadata from private or restricted knowledge base files without proper permissions.

CVE-2026-54015
Medium

Open WebUI prior to version 0.9.6 has a vulnerability that allows authenticated users to access the private prompt history of other users. The issues occur in the version history endpoints that do not verify if the history entry belongs to the correct prompt.

CVE-2026-54014
Medium

In Open WebUI prior to version 0.9.6, a path traversal vulnerability exists in the cache file serving endpoint that allows authenticated users to read files from sibling directories outside the intended cache directory.

CVE-2026-54009
Medium

In Open WebUI prior to version 0.9.6, a vulnerability allows an authenticated user to access other users' files by manipulating the image_url.url parameter in the POST /api/chat/completions request. If this value does not start with http://, https://, or data:image/, it is interpreted as a file id, allowing access to the file content without permission checks.

CVE-2026-54007
Medium

Open WebUI before version 0.9.6 has a vulnerability where the chat message listener accepts `input:prompt` and `action:submit` messages from non-same-origin sources. An external site can set prompt text and trigger `submitPrompt()` in an authenticated victim session, leading to unauthorized POST requests to API endpoints.

CVE-2026-54006
Medium

In Open WebUI prior to version 0.9.6, there is a vulnerability that allows regular user-role accounts to move events between other users' calendars without proper permissions. This vulnerability stems from the lack of validation of the destination calendar_id in the event update request.

CVE-2026-52846
Medium

Caddy before version 2.11.4 has a vulnerability in the stripHTML template function that cannot reliably remove all HTML tags from input strings. Malformed HTML, such as <<>img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output.

CVE-2026-50221
Medium

In OpenStack Swift before version 2.37.2, the proxy-server does not strip internal update headers (X-Container-Host, X-Container-Device, X-Delete-At-Host, X-Delete-At-Device) from client requests before forwarding them to object-servers. An authenticated user with write access can inject these headers to redirect container update requests to an attacker-controlled server, enabling server-side request forgery (SSRF).

CVE-2026-49983
Medium

In Deno prior to 2.8.1, the process.loadEnvFile() function does not honor environment permission restrictions (--deny-env). It allows writing variables from a .env file into the process even when environment access is denied.

CVE-2026-49860
Medium

In Deno prior to 2.8.1, when a WebSocket connection was opened, only the destination hostname was checked against --deny-net rules, but the IP addresses that hostname resolved to were not re-checked. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely.

PreviousPage 66 of 530Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS