2982 matches found
CVE-2021-33210
An issue was discovered in Fimer Aurora Vision before 2.97.10. An attacker can obtain plant information in the WebUI without authentication by reading the response of APIs from a kiosk view of a plant...
CVE-2022-23869
In RuoYi v4.7.2 through the WebUI, user test1 does not have permission to reset the password of user test3, but the password of user test3 can be reset through the /system/user/resetPwd request...
CVE-2020-7116
The ClearPass Policy Manager WebUI administrative interface has an authenticated remote command execution vulnerability. When the attacker is already authenticated to the administrative interface, they could then exploit the system, leading to remote command execution in the underlying operating system...
PT-2026-1995
Name of the Vulnerable Software and Affected Versions: Open WebUI (affected versions not specified). Description: A flaw exists in Open WebUI that allows remote attackers to execute arbitrary code. Authentication is required to exploit this issue. The vulnerability is located within the install...
(0Day) Open WebUI PIP install_frontmatter_requirements Command Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the install_frontmatter_requirements function. The issue results from the lack of proper validation ...
(0Day) Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the load_tool_module_by_id function. The issue results from the lack of proper validation of a...
EUVD-2026-1353
Malicious code in @bingads-webui-component-legacy/storage npm...
CVE-2024-2362
A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Windows and Linux environments, an attacker can exploit this vulnerability to delete any file on the system. The issue arises from the lack of...
CVE-2024-2366
A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstallbinding functionality in lollmscore/lollms/server/endpoints/lollmsbindinginfos.py of the latest version. The vulnerability arises due to insufficient path sanitization, allowing...
CVE-2024-2358
A path traversal vulnerability in the '/applysettings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code. The vulnerability arises due to insufficient sanitization of user-supplied input in the configuration settings, specifically within the 'extensions' parameter...
GHSA-887C-MR87-CXWP vulnerabilities
Vulnerabilities for packages: open-webui...
CVE-2025-66019 vulnerabilities
Vulnerabilities for packages: open-webui...
CVE-2025-3730 vulnerabilities
Vulnerabilities for packages: open-webui...
GHSA-887C-MR87-CXWP vulnerabilities
Vulnerabilities for packages: py3.11-pytorch-cuda-11.8, py3-torch-cuda-12.8...
CVE-2025-3730 vulnerabilities
Vulnerabilities for packages: py3.11-pytorch-cuda-11.8, py3-torch-cuda-12.8...
PT-2026-25819
Name of the Vulnerable Software and Affected Versions: Glances versions prior to 4.5.2. Description: Glances, a cross-platform system monitoring tool, had insufficient host validation in its main REST/WebUI FastAPI application prior to version 4.5.2. This allowed the REST API, WebUI, and token...
GHSA-428G-F7CQ-PGP5 vulnerabilities
Vulnerabilities for packages: ggshield, open-webui, superset, airflow...
CVE-2025-68480 vulnerabilities
Vulnerabilities for packages: ggshield, py3-marshmallow, airflow, open-webui, airflow-core, superset...
EUVD-2025-204307
An authentication bypass vulnerability exists in Open-WebUI =0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers...
CVE-2025-63391
An authentication bypass vulnerability exists in Open-WebUI =0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers...