
SEC Consult SA-20260401-0 :: Broken Access Control in Open WebUI

3 April 2026 at 03:55

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 02

SEC Consult Vulnerability Lab Security Advisory < 20260401-0 >
=======================================================================
              title: Broken Access Control
            product: Open WebUI
 vulnerable version: <v0.8.11
      fixed version: v0.8.11
         CVE number: CVE-2026-34222
             impact: high
           homepage: https://openwebui.com
              found: 2026-02-06...

SEC Consult SA-20260326-0 :: Local Privilege Escalation in Vienna Assistant (MacOS) - Vienna Symphonic Library

3 April 2026 at 03:55

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 02

SEC Consult Vulnerability Lab Security Advisory < 20260326-0 >
=======================================================================
              title: Local Privilege Escalation
            product: Vienna Assistant (MacOS) - Vienna Symphonic Library
 vulnerable version: 1.2.542
      fixed version: -
         CVE number: CVE-2026-24068
             impact: high
           homepage: https://www.vsl.co.at/
...

Apple OHTTP Relay: 14 Third-Party Endpoints, 6 Countries, Zero User Visibility

3 April 2026 at 03:54

Posted by Joseph Goydish II via Fulldisclosure on Apr 02

SUMMARY

Apple's Oblivious HTTP relay for Live Caller ID Lookup (iOS 18+) routes
traffic through 14 third-party endpoints across six countries. These include
an anonymous Delaware LLC sharing data with OpenAI, a Russian endpoint
(Yandex), and a Swiss GmbH whose privacy policy names "The Legal Entity to
be Confirmed" as its data controller. None of this is disclosed to users.

This is shared infrastructure. All devices using Live...

[KIS-2026-06] MetInfo CMS <= 8.1 (weixinreply.class.php) PHP Code Injection Vulnerability

3 April 2026 at 03:53

Posted by Egidio Romano on Apr 02

---------------------------------------------------------------------------
MetInfo CMS <= 8.1 (weixinreply.class.php) PHP Code Injection Vulnerability
---------------------------------------------------------------------------

[-] Software Link:

https://www.metinfo.cn

[-] Affected Versions:

Versions 7.9, 8.0, and 8.1.

[-] Vulnerability Description:

The vulnerable code is located in the...

[CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability

3 April 2026 at 03:52

Posted by cyber security on Apr 02

A vulnerability was identified in OWASP CRS where whitespace padding
in filenames can bypass file upload extension checks, allowing uploads
of dangerous files such as .php, .phar, .jsp, and .jspx. This issue
has been assigned CVE-2026-33691.

Impact: Attackers may evade CRS protections and upload web shells
disguised with whitespace-padded extensions. Exploitation is most
practical on Windows backends that normalize whitespace in filenames...

APPLE-SA-03-24-2026-10 Xcode 26.4

29 March 2026 at 03:11

Posted by Apple Product Security via Fulldisclosure on Mar 28

APPLE-SA-03-24-2026-10 Xcode 26.4

Xcode 26.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/126801.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

otool
Available for: macOS Tahoe 26.2 and later
Impact: An app may be able to cause unexpected system termination
Description: An...

APPLE-SA-03-24-2026-9 Safari 26.4

29 March 2026 at 03:11

Posted by Apple Product Security via Fulldisclosure on Mar 28

APPLE-SA-03-24-2026-9 Safari 26.4

Safari 26.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/126800.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may prevent Content
Security...

APPLE-SA-03-24-2026-8 visionOS 26.4

29 March 2026 at 03:11

Posted by Apple Product Security via Fulldisclosure on Mar 28

APPLE-SA-03-24-2026-8 visionOS 26.4

visionOS 26.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/126799.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

802.1X
Available for: Apple Vision Pro (all models)
Impact: An attacker in a privileged network position may be able to
intercept...

APPLE-SA-03-24-2026-7 watchOS 26.4

29 March 2026 at 03:11

Posted by Apple Product Security via Fulldisclosure on Mar 28

APPLE-SA-03-24-2026-7 watchOS 26.4

watchOS 26.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/126798.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

802.1X
Available for: Apple Watch Series 6 and later
Impact: An attacker in a privileged network position may be able to
intercept...

APPLE-SA-03-24-2026-6 tvOS 26.4

29 March 2026 at 03:11

Posted by Apple Product Security via Fulldisclosure on Mar 28

APPLE-SA-03-24-2026-6 tvOS 26.4

tvOS 26.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/126797.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

802.1X
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An attacker in a privileged network position may be able to
intercept...