CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A vulnerability in the Ash library allows an attacker to set the value of a private action argument that should only be controlled by trusted server-side code. The filtering of private arguments is incomplete – in the changeset path only atom keys are stripped, and in the atomic path they are not stripped at all.
The @rtk-ai/rtk-rewrite plugin version 1.0.0 fails to sanitize user input before passing it to a shell-backed execSync() template string, allowing arbitrary OS command injection. JSON.stringify() does not protect against shell metacharacters like $() and backticks, which are executed by /bin/sh -c.
In versions prior to 0.186, Daytona's sandbox volume reference (volumeId) was forwarded to the runner, potentially allowing unauthorized access to paths outside the intended base directory. The use of path-traversal sequences could enable the construction of the host bind-mount source path without proper confinement.
GNU libidn before version 1.44 is vulnerable to out-of-bounds reads of uninitialized memory in the ToUnicode APIs due to mishandling in the idna_to_unicode_internal function. The vulnerable code is not present in libidn2.
A vulnerability in Deno before version 2.7.5 allows a remote WebSocket server to crash the Deno process by sending a response with Sec-WebSocket-Protocol or Sec-WebSocket-Extensions headers containing non-printable ASCII bytes (0x80-0xFF). The flaw is due to improper parsing of these headers, causing a panic that terminates the entire process.
In Daytona, prior to version 0.185.0, there was a cross-tenant authorization flaw in the notification WebSocket gateway that allowed authenticated users to subscribe to another organization's real-time notification channels.
In versions prior to 0.185.0, the git clone implementation in the Daytona daemon disabled TLS certificate verification. This allowed attackers to intercept traffic and steal Git credentials.
In Open WebUI prior to version 0.8.11, there is a vulnerability that allows an attacker to bypass authorization checks when joining a document room. By manipulating the document identifier, the attacker can access the victim's private note contents.
Open WebUI before version 0.9.6 has a vulnerability in Ollama proxy routes where the url_idx parameter is used as a raw index into the OLLAMA_BASE_URLS list. An authenticated user can force a request to any Ollama backend, including internal, privileged, or admin-disabled ones, without proper authorization.
Open WebUI is a self-hosted artificial intelligence platform that prior to version 0.9.6 added collection-level ACL checks. However, in Milvus multitenancy mode, these checks can be bypassed, leading to potential unauthorized access to resources.
Open WebUI is a self-hosted artificial intelligence platform that prior to version 0.9.6 had a Broken Object Level Authorization (BOLA) vulnerability in the search_knowledge_files tool. This allows an authenticated user to access metadata from private or restricted knowledge base files without proper permissions.
Open WebUI prior to version 0.9.6 has a vulnerability that allows authenticated users to access the private prompt history of other users. The issues occur in the version history endpoints that do not verify if the history entry belongs to the correct prompt.
In Open WebUI prior to version 0.9.6, a path traversal vulnerability exists in the cache file serving endpoint that allows authenticated users to read files from sibling directories outside the intended cache directory.
In Open WebUI prior to version 0.9.6, a vulnerability allows an authenticated user to access other users' files by manipulating the image_url.url parameter in the POST /api/chat/completions request. If this value does not start with http://, https://, or data:image/, it is interpreted as a file id, allowing access to the file content without permission checks.
Open WebUI before version 0.9.6 has a vulnerability where the chat message listener accepts `input:prompt` and `action:submit` messages from non-same-origin sources. An external site can set prompt text and trigger `submitPrompt()` in an authenticated victim session, leading to unauthorized POST requests to API endpoints.
In Open WebUI prior to version 0.9.6, there is a vulnerability that allows regular user-role accounts to move events between other users' calendars without proper permissions. This vulnerability stems from the lack of validation of the destination calendar_id in the event update request.
Caddy before version 2.11.4 has a vulnerability in the stripHTML template function that cannot reliably remove all HTML tags from input strings. Malformed HTML, such as <<>img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output.
In OpenStack Swift before version 2.37.2, the proxy-server does not strip internal update headers (X-Container-Host, X-Container-Device, X-Delete-At-Host, X-Delete-At-Device) from client requests before forwarding them to object-servers. An authenticated user with write access can inject these headers to redirect container update requests to an attacker-controlled server, enabling server-side request forgery (SSRF).
In Deno prior to 2.8.1, the process.loadEnvFile() function does not honor environment permission restrictions (--deny-env). It allows writing variables from a .env file into the process even when environment access is denied.
In Deno prior to 2.8.1, when a WebSocket connection was opened, only the destination hostname was checked against --deny-net rules, but the IP addresses that hostname resolved to were not re-checked. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely.

