
2982 matches found

OSV
added 2024/10/09 9:31 p.m. · 9 views

GHSA-XCVC-5HGV-PHQG open-webui Insecure Direct Object Reference (IDOR) vulnerability

An Insecure Direct Object Reference IDOR vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update, where the decentralization design is flawed, allowing attackers to edit other users' memories without...

7.1 CVSS · 6.4 AI score · 0.00357 EPSS
Exploits 1 · References 4

NVD
added 2024/10/09 8:15 p.m. · 20 views

CVE-2024-7037

In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHEDIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote cod...

7.2 CVSS · 0.01032 EPSS
Exploits 1 · References 1

OSV
added 2024/10/09 8:15 p.m. · 5 views

CVE-2024-7037

In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHEDIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote cod...

7.2 CVSS · 7.3 AI score
Exploits 0 · References 1

OSV
added 2024/10/09 8:15 p.m. · 4 views

CVE-2024-7041

An Insecure Direct Object Reference IDOR vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update, where the decentralization design is flawed, allowing attackers to edit other users' memories without...

6.5 CVSS · 7 AI score
Exploits 0 · References 1

Vulnrichment
added 2024/10/09 7:57 p.m. · 14 views

CVE-2024-7041 IDOR in open-webui/open-webui

An Insecure Direct Object Reference IDOR vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update, where the decentralization design is flawed, allowing attackers to edit other users' memories without...

6.5 CVSS · 6.8 AI score · 0.00357 EPSS
Exploits 1 · References 1

CVE
added 2024/10/09 7:57 p.m. · 73 views

CVE-2024-7041

CVE-2024-7041 affects open-webui/open-webui v0.3.8, with an Insecure Direct Object Reference (IDOR) in the API endpoint /api/v1/memories/{id}/update. The flaw stems from inadequate access controls, allowing an attacker to edit other users’ memories without proper authorization. Public/connected s...

6.5 CVSS · 6.4 AI score · 0.00357 EPSS
Exploits 1 · References 1 · Affected Software 1

Vulnrichment
added 2024/10/09 7:52 p.m. · 16 views

CVE-2024-7037 Arbitrary File Write/Delete Leading to RCE in open-webui/open-webui

In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHEDIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote cod...

6.5 CVSS · 7.8 AI score · 0.01032 EPSS
Exploits 1 · References 1

Cvelist
added 2024/10/09 7:52 p.m. · 18 views

CVE-2024-7037 Arbitrary File Write/Delete Leading to RCE in open-webui/open-webui

In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHEDIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote cod...

6.5 CVSS · 0.01032 EPSS
Exploits 1 · References 1

CVE
added 2024/10/09 7:52 p.m. · 79 views

CVE-2024-7037

Open WebUI project (open-webui) v0.3.8 has a path traversal/Arbitrary File Write and Delete vulnerability in the /api/pipelines/upload endpoint caused by unsanitized file.filename concatenation with CACHE_DIR. This allows an attacker to overwrite or delete system files and could lead to remote co...

7.2 CVSS · 7 AI score · 0.01032 EPSS
Exploits 1 · References 1 · Affected Software 1

OSV
added 2024/10/09 7:15 p.m. · 2 views

CVE-2024-7038

An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existenc...

2.7 CVSS · 5.8 AI score
Exploits 0 · References 1

NVD
added 2024/10/09 7:15 p.m. · 28 views

CVE-2024-7038

An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existenc...

2.7 CVSS · 0.00336 EPSS
Exploits 1 · References 1

CVE
added 2024/10/09 6:26 p.m. · 54 views

CVE-2024-7038

CVE-2024-7038 describes an information disclosure in open-webui v0.3.8 where the embedding model update feature under admin settings reveals different error messages based on file existence/configuration. This enables an attacker to enumerate file names and traverse directories, exposing sensitiv...

2.7 CVSS · 3.2 AI score · 0.00336 EPSS
Exploits 1 · References 1 · Affected Software 1

Cvelist
added 2024/10/09 6:26 p.m. · 39 views

CVE-2024-7038 Information Disclosure in open-webui/open-webui

An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existenc...

2.7 CVSS · 0.00336 EPSS
Exploits 1 · References 1

Vulnrichment
added 2024/10/09 6:26 p.m. · 15 views

CVE-2024-7038 Information Disclosure in open-webui/open-webui

An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existenc...

2.7 CVSS · 6.3 AI score · 0.00336 EPSS
Exploits 1 · References 1

Positive Technologies
added 2024/10/09 12:0 a.m. · 5 views

PT-2024-38041 · Unknown · Open-Webui

Name of the Vulnerable Software and Affected Versions: open-webui/open-webui version v0.3.8 Description: An Insecure Direct Object Reference IDOR vulnerability exists, occurring in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update. The decentralization design is flawed, allowing...

6.5 CVSS · 6.2 AI score · 0.00357 EPSS
Exploits 1 · References 9

CNNVD
added 2024/10/09 12:0 a.m. · 4 views

Open WebUI Information Disclosure Vulnerability

Open WebUI is an extensible, feature-rich, user-friendly self-hosted WebUI from Open WebUI open source. An information disclosure vulnerability exists in Open WebUI version v0.3.8, which stems from the presence of an information disclosure vulnerability that allows an attacker to disclose sensiti...

2.7 CVSS · 3.5 AI score · 0.00336 EPSS
Exploits 1 · References 2

CNNVD
added 2024/10/09 12:0 a.m. · 5 views

Open WebUI Path Traversal Vulnerability

Open WebUI is an extensible, feature-rich, user-friendly self-hosted WebUI from Open WebUI open source. A path traversal vulnerability exists in Open WebUI version v0.3.8 that stems from vulnerability to arbitrary file write and delete attacks, allowing an attacker to overwrite and delete system...

7.2 CVSS · 7.1 AI score · 0.01032 EPSS
Exploits 1 · References 2

CNNVD
added 2024/10/09 12:0 a.m. · 4 views

Open WebUI Security Vulnerability

Open WebUI is an extensible, feature-rich, user-friendly self-hosted WebUI from Open WebUI open source. A security vulnerability exists in Open WebUI version v0.3.8 that stems from the presence of an insecure direct object reference IDOR vulnerability that allows an attacker to edit another user'...

6.5 CVSS · 6.4 AI score · 0.00357 EPSS
Exploits 1 · References 2

Positive Technologies
added 2024/10/09 12:0 a.m. · 7 views

PT-2024-38043 · Unknown · Open-Webui

Name of the Vulnerable Software and Affected Versions: open-webui version v0.3.8 Description: The issue is related to improper privilege management in the API endpoints "GET /api/v1/documents/" and "POST /rag/api/v1/doc". This allows a lower-privileged user to access and overwrite files managed b...

6.3 CVSS · 6.2 AI score · 0.00362 EPSS
Exploits 1 · References 8

OSV
added 2024/09/30 8:15 a.m. · 2 views

CVE-2024-6394

A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the servejs function in app.py, which allows attackers to perform path traversal attacks. This can lead to unauthorized access to arbitrary files ...

7.5 CVSS · 7.5 AI score
Exploits 0 · References 1