2898 matches found
GHSA-GF5M-WCRH-7928 open-webui Vulnerable to Stored XSS via Model Description
!IMPORTANT Relationship to CVE-2024-7990 CVE-2024-7990 issued by huntr.dev, March 2025 describes a stored XSS in the same field — the model description — but exploits a different bypass mechanism: a second-order injection through the sanitizeResponseContent function's video-tag placeholder...
PT-2026-39272
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description Open WebUI allows model composition through the base model id variable, where a user-defined model can reference a base model for inference. An access control flaw exists because the system verifi...
PT-2026-39283
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.1.124 Description An improper authorization control exists where the API fails to validate if a user possesses an authorized role of user or admin. When the platform is configured to allow new sign-ups, new...
PT-2026-39275
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description The channel router fails to call the filter allowed access grants function during the creation or update of channels. This function is intended to strip unauthorized wildcard grants such as...
EUVD-2026-27995
Insufficient policy enforcement in WebUI in Google Chrome on Linux, Mac, Windows, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-41314 vulnerabilities
Vulnerabilities for packages: open-webui, nemo, litellm...
CVE-2026-41312 vulnerabilities
Vulnerabilities for packages: open-webui, nemo, litellm...
CVE-2026-42284 vulnerabilities
Vulnerabilities for packages: opal, checkov, mlflow, datahub-ingestion-fips, awx, open-webui, mlflow-fips...
CVE-2026-41205 vulnerabilities
Vulnerabilities for packages: dagster-fips, pgadmin4-fips, airflow, dagster, mlflow, open-webui, superset, nemo, airflow-core, prefect-fips, jupyter-base-notebook...
CVE-2026-41425 vulnerabilities
Vulnerabilities for packages: pgadmin4-fips, airflow, datahub-ingestion, mlflow, datahub-ingestion-fips, open-webui...
CVE-2026-7946
Insufficient policy enforcement in WebUI in Google Chrome on Linux, Mac, Windows, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-7946
Insufficient policy enforcement in WebUI in Google Chrome on Linux, Mac, Windows, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-7946
Insufficient policy enforcement in WebUI in Google Chrome on Linux, Mac, Windows, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-7946
Insufficient policy enforcement in WebUI in Google Chrome on Linux, Mac, Windows, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-7946
Insufficient policy enforcement in WebUI in Google Chrome on Linux, Mac, Windows, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. Chromium security severity: Medium...
PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI
Summary pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/ is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception for example by requesting a...
Information Exposure
Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Information Exposure via the global exception handling process in the WebUI. An attacker can obtain sensitive internal implementation details, such as stack...
CVE-2026-41313 vulnerabilities
Vulnerabilities for packages: open-webui...
CVE-2026-41312 vulnerabilities
Vulnerabilities for packages: open-webui...
CVE-2026-41481 vulnerabilities
Vulnerabilities for packages: py3-langchain-text-splitters, open-webui...