2898 matches found
Rucio WebUI has Username Enumeration via Login Error Message
Summary: The WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames. Details: When submitting invalid credentials to /ui/login, the WebUI responds with different error messages based on th...
Rucio WebUI has a Reflected Cross-site Scripting Vulnerability
Summary: A reflected Cross-site Scripting vulnerability was located in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL. Details: The WebUI error message renders ExceptionMessage...
EUVD-2026-8711
Rucio WebUI has a Reflected Cross-site Scripting Vulnerability...
PT-2026-22002
Name of the Vulnerable Software and Affected Versions: Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1. Description: Rucio is a software framework used to organize, manage, and access large volumes of scientific data. A stored Cross-Site Scripting (XSS) issue exists in the Custom RSE Attribute of t...
Rucio Security Vulnerability
Rucio is an open-source scientific data management tool developed by the Rucio team. Versions of Rucio prior to 35.8.3, 38.5.4, and 39.3.1 contained security vulnerabilities. These vulnerabilities stemmed from uncontrolled input in the Identity Name field of the WebUI, which allowed attackers to...
CVE-2026-27025 vulnerabilities
Vulnerabilities for packages: open-webui...
GHSA-996Q-PR4M-CVGQ vulnerabilities
Vulnerabilities for packages: open-webui...
GHSA-2Q4J-M29V-HQ73 vulnerabilities
Vulnerabilities for packages: open-webui...
CVE-2026-27026 vulnerabilities
Vulnerabilities for packages: open-webui...
GHSA-WGVP-VG3V-2XQ3 vulnerabilities
Vulnerabilities for packages: open-webui...
GHSA-9MVC-8737-8J8H vulnerabilities
Vulnerabilities for packages: open-webui...
CVE-2026-27024 vulnerabilities
Vulnerabilities for packages: open-webui...
GHSA-29VQ-49WR-VM6X vulnerabilities
Vulnerabilities for packages: kubeflow-volumes-web-app, mlflow, emissary, open-webui, superset, tensorflow-cpu-jupyter, airflow, kubeflow-pipelines-visualization-server...
CVE-2026-27205 vulnerabilities
Vulnerabilities for packages: kubeflow-volumes-web-app, mlflow, emissary, open-webui, mitmproxy, airflow...
GHSA-68RP-WP8R-4726 vulnerabilities
Vulnerabilities for packages: kubeflow-volumes-web-app, mlflow, emissary, open-webui, mitmproxy, airflow...
CVE-2026-27199 vulnerabilities
Vulnerabilities for packages: kubeflow-volumes-web-app, mlflow, emissary, open-webui, superset, tensorflow-cpu-jupyter, airflow, kubeflow-pipelines-visualization-server...
CVE-2026-26193
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.44, manually modifying chat history allows setting the embeds property on a response message, the content of which is loaded into an iFrame with a sandbox that has allow-scripts...
CVE-2026-26192
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, manually modifying chat history allows setting the html property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML...