CVSS 3.1: 5.3

CVE-2026-35484 - text-generation-webui has a Path Traversal in load_preset() — .yaml file read without authentication

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_preset() allows reading any .yaml file on the server filesystem. The parsed YAML key-value pairs (including passwords, API keys, connection …

📅 Published: April 7, 2026, 2:46 p.m. 🔄 Last Modified: April 28, 2026, 9:39 p.m.

CVSS 3.1: 5.3

CVE-2026-35483 - text-generation-webui has a Path Traversal in load_template() — .jinja/.yaml/.yml file read without…

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_template() allows reading files with .jinja, .jinja2, .yaml, or .yml extensions from anywhere on the server filesystem. For .jinja files the…

📅 Published: April 7, 2026, 2:45 p.m. 🔄 Last Modified: April 8, 2026, 9:27 p.m.
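The two text-generation-webui entries above describe the same bug shape: a request-controlled file name is joined onto a base directory and only the extension is checked, so a name containing `..` keeps its permitted suffix and escapes the directory. The following is an added example (not the project's code) showing that shape next to a resolver that canonicalises both sides and requires containment; the directory layout, function names and YAML-like file contents are constructed for the example.

```python
import tempfile
from pathlib import Path

# Suffix sets mirror what the two advisories say each loader accepts.
PRESET_SUFFIXES = frozenset({".yaml"})
TEMPLATE_SUFFIXES = frozenset({".jinja", ".jinja2", ".yaml", ".yml"})


def read_vulnerable(base_dir: Path, name: str, allowed: frozenset) -> str:
    """Joins the request-controlled name onto base_dir and checks only the extension.
    "../secrets/db.yaml" still ends in .yaml, so it passes and escapes base_dir."""
    path = base_dir / name
    if path.suffix not in allowed:
        raise ValueError(f"extension not allowed: {path.suffix}")
    return path.read_text()


def resolve_under(base_dir: Path, name: str, allowed: frozenset) -> Path:
    """Canonicalises both sides and requires the candidate to stay inside base_dir.
    resolve() collapses '..' and follows symlinks, so a symlink planted inside
    base_dir that points outside is rejected as well. The extension check stays as
    a second gate; it is not a substitute for the containment check."""
    base = base_dir.resolve()
    candidate = (base / name).resolve()
    if candidate == base or not candidate.is_relative_to(base):  # Python 3.9+
        raise PermissionError(f"{name!r} escapes {base}")
    if candidate.suffix not in allowed:
        raise ValueError(f"extension not allowed: {candidate.suffix}")
    if not candidate.is_file():
        raise FileNotFoundError(name)
    return candidate


def read_hardened(base_dir: Path, name: str, allowed: frozenset) -> str:
    return resolve_under(base_dir, name, allowed).read_text()


def demo() -> dict:
    """Builds a throwaway tree (constructed data) and records what each reader does."""
    root = Path(tempfile.mkdtemp())
    presets, secrets = root / "presets", root / "secrets"
    presets.mkdir()
    secrets.mkdir()
    (presets / "default.yaml").write_text("temperature: 0.7\n")
    (secrets / "db.yaml").write_text("password: hunter2\n")  # outside the preset dir

    results = {
        "legit_vuln": read_vulnerable(presets, "default.yaml", PRESET_SUFFIXES),
        "legit_hard": read_hardened(presets, "default.yaml", PRESET_SUFFIXES),
        # Same suffix, different directory: the vulnerable reader hands it over.
        "traversal_vuln": read_vulnerable(presets, "../secrets/db.yaml", PRESET_SUFFIXES),
    }
    try:
        read_hardened(presets, "../secrets/db.yaml", TEMPLATE_SUFFIXES)
        results["traversal_hard"] = "read"
    except PermissionError:
        results["traversal_hard"] = "blocked"
    return results
```

The containment check is done on the resolved path, not on the string: rejecting `..` textually misses encoded variants and symlinks, while comparing canonical paths covers both. Apply the same resolver to every loader that takes a file name from the request, not just the two named in the advisories.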

CVSS 3.1: 6.2

CVE-2026-35480 - go-ipld-prime's DAG-CBOR decoder unbounded memory allocation from CBOR headers

go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers a…

📅 Published: April 7, 2026, 2:43 p.m. 🔄 Last Modified: April 17, 2026, 7:45 p.m.
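A CBOR array header (RFC 8949) carries the element count in up to eight attacker-controlled bytes, so a five-byte message can declare millions of elements. The added example below (in Python, not go-ipld-prime's Go code) is a tiny decoder for unsigned integers and definite-length arrays with two pre-allocation policies: the naive one sizes the result from the header, the bounded one caps it at the bytes remaining in the input, since every element costs at least one byte on the wire. The messages are constructed; the malicious one declares 2,000,000 elements (kept small enough to run, but the same header with additional info 27 could declare 2^64).

```python
def read_header(buf: bytes, pos: int):
    """Parses one initial byte plus its argument bytes. Returns (major, arg, next_pos).
    Indefinite-length and reserved encodings are rejected to keep the example small."""
    if pos >= len(buf):
        raise ValueError("truncated: no header")
    initial = buf[pos]
    major, info = initial >> 5, initial & 0x1F
    if info < 24:
        return major, info, pos + 1
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
    if width is None:
        raise ValueError(f"unsupported additional info {info}")
    end = pos + 1 + width
    if end > len(buf):
        raise ValueError("truncated: header argument")
    return major, int.from_bytes(buf[pos + 1:end], "big"), end


def naive_capacity(declared: int, remaining: int) -> int:
    """Trusts the header outright: this is the allocation pattern the advisory describes."""
    return declared


def bounded_capacity(declared: int, remaining: int) -> int:
    """An element needs at least one byte, so the header can never justify more slots
    than there are bytes left. Lists still grow if the input really is that long."""
    return min(declared, remaining)


def _decode_item(buf: bytes, pos: int, policy, stats: dict):
    major, arg, pos = read_header(buf, pos)
    if major == 0:                         # unsigned integer
        return arg, pos
    if major == 4:                         # definite-length array
        capacity = policy(arg, len(buf) - pos)
        items = [None] * capacity          # the allocation the header controls
        stats["reserved"] += capacity
        for i in range(arg):               # a short input fails here, after allocating
            item, pos = _decode_item(buf, pos, policy, stats)
            if i < capacity:
                items[i] = item
            else:
                items.append(item)
        return items, pos
    raise ValueError(f"major type {major} not handled in this example")


def decode(buf: bytes, policy):
    """Returns (value, total list slots reserved while decoding)."""
    stats = {"reserved": 0}
    value, pos = _decode_item(buf, 0, policy, stats)
    if pos != len(buf):
        raise ValueError("trailing bytes")
    return value, stats["reserved"]


def probe(buf: bytes, policy):
    """Like decode() but reports ('ok'|'truncated'|'error', slots reserved) instead of raising."""
    stats = {"reserved": 0}
    try:
        _decode_item(buf, 0, policy, stats)
        return "ok", stats["reserved"]
    except ValueError as exc:
        return ("truncated" if "truncated" in str(exc) else "error"), stats["reserved"]


LEGIT = bytes([0x83, 0x01, 0x02, 0x03])          # constructed: [1, 2, 3]
MALICIOUS = bytes([0x9A, 0x00, 0x1E, 0x84, 0x80])  # constructed: array of 2,000,000, then nothing
```

Running `probe(MALICIOUS, naive_capacity)` reserves 2,000,000 slots before the decoder notices the input is five bytes long; `probe(MALICIOUS, bounded_capacity)` reserves none and fails on the same truncation. The same cap applies to byte and text string lengths and to map entry counts; a decoder that must support indefinite-length items should additionally enforce an absolute size budget, since those carry no declared length at all.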

CVSS 3.1: 7.5

CVE-2026-35464 - pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file …

pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the…

📅 Published: April 7, 2026, 2:38 p.m. 🔄 Last Modified: April 23, 2026, 3:13 p.m.

CVSS 3.1: 8.8

CVE-2026-35463 - pyLoad has Improper Neutralization of Special Elements used in an OS Command

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_ONLY_OPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only ap…

📅 Published: April 7, 2026, 2:32 p.m. 🔄 Last Modified: April 24, 2026, 3:18 p.m.
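The two pyLoad entries above are two failure modes of one design: a denylist (`ADMIN_ONLY_OPTIONS`) that has to enumerate every dangerous option and missed `storage_folder`, and a check that lives in one code path rather than at the point where the setting is written. The added example below (not pyLoad's code) models both with a config object that has two write paths, then shows the fail-closed alternative: an allowlist of what non-admins may change, enforced in a single setter that every path funnels through. The section/key names other than `storage_folder` are constructed; which concrete entry points pyLoad exposes is not reproduced here.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    is_admin: bool = False


# Denylist of the shape the advisories describe. storage_folder is absent, which is
# exactly the gap CVE-2026-35464 describes. Names are constructed for the example.
ADMIN_ONLY_OPTIONS = {
    ("reconnect", "script"),
    ("ssl", "cert"),
    ("proxy", "password"),
}


@dataclass
class VulnerableConfig:
    """Two entry points write settings; only one consults the denylist."""
    values: dict = field(default_factory=dict)

    def set_via_api(self, user: User, section: str, key: str, value: str) -> None:
        if (section, key) in ADMIN_ONLY_OPTIONS and not user.is_admin:
            raise PermissionError(f"{section}.{key} is admin-only")
        self.values[(section, key)] = value

    def set_via_form(self, user: User, section: str, key: str, value: str) -> None:
        # Second write path with no check: the "protection only applied in some
        # paths" shape of CVE-2026-35463 (hypothetical path name).
        self.values[(section, key)] = value


# Allowlist of what a non-admin may change. Anything not listed is admin-only by
# default, so a forgotten or newly added option (storage_folder) fails closed.
USER_SETTABLE_OPTIONS = {
    ("download", "max_parallel"),
    ("ui", "language"),
}


@dataclass
class HardenedConfig:
    values: dict = field(default_factory=dict)

    def _authorize(self, user: User, section: str, key: str) -> None:
        if user.is_admin:
            return
        if (section, key) not in USER_SETTABLE_OPTIONS:
            raise PermissionError(f"{section}.{key} is admin-only")

    def set_option(self, user: User, section: str, key: str, value: str) -> None:
        self._authorize(user, section, key)
        self.values[(section, key)] = value

    # Every write path is the same authorized setter.
    set_via_api = set_option
    set_via_form = set_option


def attempt(setter, user: User, section: str, key: str, value: str) -> str:
    try:
        setter(user, section, key, value)
        return "set"
    except PermissionError:
        return "denied"


def demo() -> dict:
    guest, admin = User("guest"), User("root", is_admin=True)
    v, h = VulnerableConfig(), HardenedConfig()
    return {
        # Not in the denylist: a non-admin points downloads at any directory.
        "vuln_storage_folder": attempt(v.set_via_api, guest, "general", "storage_folder", "/etc/cron.d"),
        # Denylisted option is refused on the checked path ...
        "vuln_script_api": attempt(v.set_via_api, guest, "reconnect", "script", "/tmp/evil.sh"),
        # ... and accepted on the unchecked one.
        "vuln_script_form": attempt(v.set_via_form, guest, "reconnect", "script", "/tmp/evil.sh"),
        "hard_storage_folder": attempt(h.set_via_api, guest, "general", "storage_folder", "/etc/cron.d"),
        "hard_script_form": attempt(h.set_via_form, guest, "reconnect", "script", "/tmp/evil.sh"),
        "hard_user_option": attempt(h.set_via_form, guest, "ui", "language", "de"),
        "hard_admin": attempt(h.set_via_api, admin, "general", "storage_folder", "/srv/downloads"),
    }
```

When reviewing a fix of this kind, check the set of write paths, not just the set of option names: a complete denylist still leaves the incomplete-fix pattern if a second endpoint skips the check.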

CVSS 3.1: 4.3

CVE-2026-35462 - Papra Does Not Reject Expired API Keys

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expired …

📅 Published: April 7, 2026, 2:30 p.m. 🔄 Last Modified: April 24, 2026, 3:22 p.m.
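The expiry check that is missing above is easy to get subtly wrong even when present: a naive stored timestamp compared against an aware clock raises, and a key with no `expiresAt` must be distinguished from one whose expiry has passed. The added example below (not Papra's code, which is not Python) shows a lookup that ignores `expires_at` beside one that enforces it with an injectable timezone-aware clock; the key records, hashing scheme and `key_` prefix are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ApiKeyRecord:
    key_hash: str                   # sha256 of the presented secret; plaintext is not stored
    user_id: str
    expires_at: Optional[datetime]  # None = never expires (assumption for this example)


def _digest(presented: str) -> str:
    return hashlib.sha256(presented.encode()).hexdigest()


def authenticate_vulnerable(presented: str, store: Dict[str, ApiKeyRecord]) -> Optional[str]:
    """Looks the key up and returns its owner; expires_at is stored but never consulted."""
    rec = store.get(_digest(presented))
    return rec.user_id if rec else None


def authenticate_hardened(presented: str, store: Dict[str, ApiKeyRecord],
                          now: Optional[datetime] = None) -> Optional[str]:
    """Same lookup, then an expiry check against a timezone-aware clock. An expired
    key is treated exactly like an unknown one so the caller cannot tell them apart."""
    now = now or datetime.now(timezone.utc)
    if now.tzinfo is None:
        raise ValueError("clock must be timezone-aware")
    rec = store.get(_digest(presented))
    if rec is None:
        return None
    if rec.expires_at is not None:
        if rec.expires_at.tzinfo is None:
            # Comparing naive with aware datetimes raises TypeError; fail loudly
            # at validation rather than letting a bad record slip through.
            raise ValueError("expires_at must be timezone-aware")
        if rec.expires_at <= now:
            return None
    return rec.user_id


def build_demo_store(now: datetime) -> Tuple[Dict[str, ApiKeyRecord], Dict[str, str]]:
    """Constructed keys: one live, one expired yesterday, one with no expiry.
    Returns the hashed store and the plaintext secrets a client would present."""
    plain = {name: "key_" + secrets.token_urlsafe(16) for name in ("live", "expired", "perpetual")}
    expiry = {
        "live": now + timedelta(days=30),
        "expired": now - timedelta(days=1),
        "perpetual": None,
    }
    owners = {"live": "u1", "expired": "u2", "perpetual": "u3"}
    store = {
        _digest(secret): ApiKeyRecord(_digest(secret), owners[name], expiry[name])
        for name, secret in plain.items()
    }
    return store, plain
```

Injecting `now` keeps the check testable at a fixed instant; in production the default `datetime.now(timezone.utc)` is used. Store `expires_at` in UTC and compare in UTC so that a server timezone change cannot extend a key's life.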

CVSS 3.1: 5.0

CVE-2026-35461 - Papra has a Blind Server-Side Request Forgery (SSRF) via Webhook URL

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, in…

📅 Published: April 7, 2026, 2:28 p.m. 🔄 Last Modified: April 24, 2026, 3:29 p.m.
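The missing validation above is the usual webhook SSRF: the server will POST to whatever URL a user registers, including cloud metadata endpoints and internal services. The added example below (not Papra's code, which is not Python) is a registration-time check that restricts the scheme, rejects embedded credentials, resolves the host, and requires every answer to be a public address, unwrapping IPv4-mapped IPv6 so `::ffff:127.0.0.1` is judged as loopback. The resolver is injectable; the `FAKE_DNS` answers are constructed so the example runs offline, and the "public" address used is an illustrative one.

```python
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit


def is_public(ip) -> bool:
    """Rejects loopback, RFC 1918, link-local (169.254.169.254 metadata), multicast,
    reserved and unspecified addresses, after unwrapping IPv4-mapped IPv6."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not (
        ip.is_loopback or ip.is_link_local or ip.is_multicast
        or ip.is_reserved or ip.is_unspecified or ip.is_private
    )


def system_resolver(host: str) -> List[str]:
    """Real DNS via getaddrinfo; strips IPv6 scope ids such as %eth0."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})


def check_webhook_url(url: str,
                      resolver: Callable[[str], List[str]] = system_resolver) -> List[str]:
    """Validates a user-supplied webhook target and returns the vetted IP list.
    Raises ValueError for anything that must not be registered."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    try:
        candidates = [ipaddress.ip_address(parts.hostname)]       # literal IP
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    if not candidates:
        raise ValueError("host does not resolve")
    bad = [str(ip) for ip in candidates if not is_public(ip)]
    if bad:  # every answer must be public; a mixed answer set is rejected outright
        raise ValueError(f"non-public address(es): {', '.join(bad)}")
    return [str(ip) for ip in candidates]


FAKE_DNS = {  # constructed answers so the example runs offline
    "hooks.example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "dual.example.com": ["93.184.216.34", "10.0.0.6"],
    "localhost": ["127.0.0.1"],
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise ValueError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


def verdict(url: str, resolver: Callable[[str], List[str]] = fake_resolver) -> str:
    try:
        check_webhook_url(url, resolver)
        return "accepted"
    except ValueError:
        return "rejected"
```

Two caveats a registration-time check cannot cover on its own: the delivery code should connect to the IPs this function returned (or re-run the check at send time) rather than re-resolving the name, since a name can pass here and be repointed at 10.0.0.5 later, and the HTTP client must either refuse redirects or re-check every hop, because a public host can 302 to an internal one.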

CVSS 3.1: 4.3

CVE-2026-35460 - Papra has an HTML Injection in Transactional Emails via Unescaped User Display Name

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected int…

📅 Published: April 7, 2026, 2:26 p.m. 🔄 Last Modified: April 24, 2026, 3:31 p.m.

CVSS 4.0: 8.7

CVE-2026-35458 - Gotenberg has a ReDoS via extraHttpHeaders scope feature

Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.

📅 Published: April 7, 2026, 2:24 p.m. 🔄 Last Modified: April 15, 2026, 4:30 p.m.

CVSS 3.1: 7.5

CVE-2026-33034 - Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass

An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request b…

📅 Published: April 7, 2026, 2:22 p.m. 🔄 Last Modified: April 14, 2026, 4:40 p.m.
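The bug shape above is a limit enforced on what the client declares rather than on what it sends: under ASGI the body arrives as a sequence of `http.request` messages, and a `Content-Length` that is absent or smaller than the real body lets the declared-size check pass while the read loop keeps accepting chunks. The added example below (not Django's code; only the setting name and its 2.5 MiB default are Django's) shows a body reader with that flaw beside one that keeps the cheap early reject but counts bytes as they are received. The `receive()` callable is a constructed stand-in for the ASGI one so the example runs without a server.

```python
import asyncio
from typing import Dict, List

DATA_UPLOAD_MAX_MEMORY_SIZE = 2_621_440  # Django's documented default (2.5 MiB)


class RequestDataTooBig(Exception):
    pass


async def read_body_vulnerable(receive, headers: Dict[str, str],
                               limit: int = DATA_UPLOAD_MAX_MEMORY_SIZE) -> bytes:
    """Enforces the limit on the declared Content-Length only. A missing header
    (treated as 0) or an understated one passes, and the loop then accepts every
    byte the client actually streams."""
    if int(headers.get("content-length", 0)) > limit:
        raise RequestDataTooBig("declared size over limit")
    chunks = []
    while True:
        message = await receive()
        chunks.append(message.get("body", b""))
        if not message.get("more_body", False):
            return b"".join(chunks)


async def read_body_hardened(receive, headers: Dict[str, str],
                             limit: int = DATA_UPLOAD_MAX_MEMORY_SIZE) -> bytes:
    """Keeps the early reject, then enforces the limit on bytes actually received:
    the header can only make the reject happen sooner, never later."""
    declared = headers.get("content-length")
    if declared is not None and int(declared) > limit:
        raise RequestDataTooBig("declared size over limit")
    chunks, received = [], 0
    while True:
        message = await receive()
        body = message.get("body", b"")
        received += len(body)
        if received > limit:
            raise RequestDataTooBig(f"received {received} > {limit}")
        chunks.append(body)
        if not message.get("more_body", False):
            return b"".join(chunks)


def make_receive(chunks: List[bytes]):
    """Constructed stand-in for ASGI receive(): replays chunks as http.request
    messages with more_body=True until the last one."""
    pending = list(chunks)

    async def receive():
        if not pending:
            return {"type": "http.request", "body": b"", "more_body": False}
        body = pending.pop(0)
        return {"type": "http.request", "body": body, "more_body": bool(pending)}

    return receive


def run(reader, chunks: List[bytes], headers: Dict[str, str], limit: int = 1024):
    """Drives a reader to completion; returns ('ok', body_length) or ('rejected', None)."""
    async def go():
        try:
            body = await reader(make_receive(chunks), headers, limit)
            return ("ok", len(body))
        except RequestDataTooBig:
            return ("rejected", None)
    return asyncio.run(go())
```

The limit in `run()` is lowered to 1 KiB so the two readers can be compared on small constructed bodies; the decision logic is identical at the real default. The hardened loop raises before appending the over-limit chunk, so memory held at the moment of rejection never exceeds the limit plus one chunk.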
Total results: 349182
Page 636 of 34,919