Lucene search
K

8 matches found

Snyk
Snyk
added 2026/06/17 2:15 p.m.3 views

Protection Mechanism Failure

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Protection Mechanism Failure via the profileimageurl field in the model metadata process. An attacker can execute arbitrary JavaScript in the context of another user's session by storing a crafted SVG payload...

7.6CVSS6.1AI score0.00174EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:33 p.m.9 views

CVE-2026-45299

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, the profileimageurl field on the user profile update form accepted arbitrary data: URI values without MIME-type validation, resulting in a XSS vulnerability. This vulnerability is...

5.4CVSS5.6AI score0.00199EPSS
Exploits0References1
NVD
NVD
added 2026/05/15 10:16 p.m.39 views

CVE-2026-45299

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, the profileimageurl field on the user profile update form accepted arbitrary data: URI values without MIME-type validation, resulting in a XSS vulnerability. This vulnerability is...

5.4CVSS0.00199EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/15 9:44 p.m.19 views

EUVD-2026-30661

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, the profileimageurl field on the user profile update form accepted arbitrary data: URI values without MIME-type validation, resulting in a XSS vulnerability. This vulnerability is...

5.4CVSS5.9AI score0.00199EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/15 9:44 p.m.12 views

CVE-2026-45299 Open WebUI: Stored Cross-Site Scripting In Profile Picture

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, the profileimageurl field on the user profile update form accepted arbitrary data: URI values without MIME-type validation, resulting in a XSS vulnerability. This vulnerability is...

5.4CVSS5.9AI score0.00199EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/15 12:0 a.m.10 views

Open WebUI 跨站脚本漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.8.0 had a cross-site scripting vulnerability. This vulnerability stemmed from the profileimageurl field in the user profile update form accepting arbitrary data: URI...

5.4CVSS5.8AI score0.00199EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/15 12:0 a.m.11 views

Open WebUI 安全漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.9.3 contained a security vulnerability. This vulnerability stemmed from the channel webhook creation/update process accepting arbitrary profileimageurl values,...

7.4CVSS6AI score0.00212EPSS
Exploits1References2
OSV
OSV
added 2026/05/14 8:15 p.m.3 views

GHSA-6GH2-Q7CP-9QF6 Open WebUI has Stored Cross-Site Scripting In Profile Picture

Summary The profileimageurl field on the user profile update form accepted arbitrary data: URI values without MIME-type validation. Two distinct attack paths were independently demonstrated by separate reporters: 1. data:text/html;base64,... in a new browser tab raresvis, 2025-04-17 — when a vict...

5.4CVSS6AI score0.00199EPSS
Exploits0References4
Rows per page
Query Builder