Lucene search
+L

75 matches found

EUVD
EUVD
added 2026/05/15 9:40 p.m.21 views

EUVD-2026-30640

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.10, when uploading an audio file, the name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with nam...

8.1CVSS5.8AI score0.00454EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/05/15 9:30 p.m.7 views

CVE-2026-45316

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the POST /api/v1/notes/id/pin endpoint performs a write operation toggling the ispinned field but only checks for read permission. Users with read-only access to a shared note can...

3.5CVSS5.8AI score0.00218EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/05/15 9:29 p.m.19 views

EUVD-2026-30658

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery CSRF vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint,...

4.6CVSS5.8AI score0.00165EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/15 9:28 p.m.15 views

EUVD-2026-30659

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, his advisory tracks a regression of the original Excel-preview XSS CVE-2026-44549. The same root cause — XLSX.utils.sheettohtml output rendered via @html excelHtml without DOMPurify ...

7.3CVSS5.8AI score0.00318EPSS
Exploits2References1
Vulnrichment
Vulnrichment
added 2026/05/15 9:21 p.m.12 views

CVE-2026-45303 Open WebUI: Stored XSS via the HTML renedering view

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...

7.7CVSS5.9AI score0.00217EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/15 9:21 p.m.22 views

EUVD-2026-30654

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...

7.7CVSS5.9AI score0.00217EPSS
Exploits1References1
OSV
OSV
added 2026/05/15 9:21 p.m.5 views

CVE-2026-45303 Open WebUI: Stored XSS via the HTML renedering view

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...

7.7CVSS7.1AI score0.00217EPSS
Exploits1References3
EUVD
EUVD
added 2026/05/15 9:19 p.m.16 views

EUVD-2026-30653

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. This...

8.1CVSS5.8AI score0.00273EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/05/15 9:19 p.m.9 views

CVE-2026-45301

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. This...

8.1CVSS5.8AI score0.00273EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/15 9:17 p.m.6 views

CVE-2026-45345

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user's model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained. This...

6.5CVSS5.8AI score0.00226EPSS
Exploits1References2Affected Software1
NVD
NVD
added 2026/05/15 9:16 p.m.23 views

CVE-2026-45397

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, GET /api/v1/retrieval/ returns live RAG pipeline configuration to any unauthenticated HTTP client. No Authorization header, cookie, or API key is required. Every adjacent endpoint on...

5.3CVSS0.0072EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/15 9:15 p.m.14 views

EUVD-2026-30651

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.31, there is a Cross-Site Scripting vulnerability in Open WebUI SVG renderer implementation. This vulnerability is fixed in 0.6.31...

5.1CVSS5.8AI score0.00165EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/15 9:12 p.m.19 views

EUVD-2026-30648

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.11, there is a blind server side request forgery SSRF via the PDF generate function. In the PDF export, user inputs are interpreted as HTML and embedded into the PDF. According to tests...

4.3CVSS5.8AI score0.00186EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/15 9:5 p.m.17 views

EUVD-2026-30642

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, authorization controls surrounding the memories API were inconsistent, resulting in the ability of a standard user to delete, restore, and view the contents of other users' memories...

8.3CVSS5.8AI score0.00294EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/05/15 9:5 p.m.7 views

CVE-2026-44570

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, authorization controls surrounding the memories API were inconsistent, resulting in the ability of a standard user to delete, restore, and view the contents of other users' memories...

8.3CVSS5.8AI score0.00294EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/05/15 9:3 p.m.21 views

EUVD-2026-30644

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, there's an IDOR in the channels message management system that allows authenticated users to modify or delete any message within channels they have read access to. The vulnerability...

7.1CVSS5.8AI score0.00266EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/05/15 9:1 p.m.5 views

CVE-2026-44566

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, when attaching files to a promp, the name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with...

7.3CVSS5.8AI score0.00336EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/15 8:59 p.m.8 views

CVE-2026-44567

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is...

7.3CVSS5.8AI score0.0023EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/05/15 8:55 p.m.49 views

CVE-2026-45672

Open WebUI CVE-2026-45672 affects the /api/v1/utils/code/execute endpoint, where arbitrary Python code can be executed via Jupyter for any verified user even when ENABLE_CODE_EXECUTION is false. The feature gate is not enforced at the API level, so code execution is possible despite the admin set...

8.8CVSS6AI score0.00406EPSS
Exploits2References1Affected Software1
EUVD
EUVD
added 2026/05/15 8:40 p.m.14 views

EUVD-2026-30636

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, a parsing difference between the urlparse and requests libraries led to an SSRF bypass vulnerability. This vulnerability is fixed in 0.9.5...

8.5CVSS5.8AI score0.00292EPSS
Exploits1References1
Rows per page
Query Builder