CVE-2026-45365

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypassfilter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated...

EUVD-2026-30649

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypassfilter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated...

CVE-2026-45365

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypassfilter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated...

PT-2026-41183

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.8.11 Description An internal-only bypass filter parameter is exposed on the '/openai/chat/completions' and '/ollama/api/chat' HTTP endpoints due to FastAPI query string binding. This allows any authenticated user...

@saltcorn/admin-models (>=1.5.0 <=1.5.0-rc.2), @saltcorn/base-plugin (>=1.5.0 <=1.5.0-rc.2) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.5.0-beta.0 <=1.5.0)

@saltcorn/data NPM version =1.5.0-beta.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0-rc.2 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNDATA-16318351...

@saltcorn/admin-models (>=1.6.0-alpha.0 <=1.6.0-alpha.17), @saltcorn/base-plugin (>=1.6.0-alpha.0 <=1.6.0-alpha.17) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.6.0-alpha.0 <=1.6.0-alpha.9)

@saltcorn/data NPM version =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.17 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNDATA-16318351...

@saltcorn/admin-models (>=1.6.0-alpha.0 <=1.6.0-beta.3), @saltcorn/base-plugin (>=1.6.0-alpha.0 <=1.6.0-beta.3) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.6.0-alpha.0 <=1.6.0-beta.3)

@saltcorn/data NPM version =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-beta.3 Source cves: unknown CVE Source advisory: OSV:GHSA-59XV-588H-2VMM...

@saltcorn/cli (>=1.1.1 <=1.4.1-beta.3), @saltcorn/mobile-builder (>=1.1.1 <=1.4.1-beta.3) +1 more potentially affected by unknown CVE via @saltcorn/admin-models (>=1.1.1 <=1.4.1)

@saltcorn/admin-models NPM version =1.1.1, =1.1.1, =1.1.1, =1.1.1, =1.4.1-beta.3 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNADMINMODELS-15126138...

@saltcorn/cli (>=1.5.0-beta.0 <=1.5.0-beta.18), @saltcorn/mobile-builder (>=1.5.0-beta.0 <=1.5.0-beta.18) +1 more potentially affected by unknown CVE via @saltcorn/admin-models (>=1.5.0-beta.0 <=1.5.0-beta.18)

@saltcorn/admin-models NPM version =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.18 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNADMINMODELS-15126138...

Cross-site Scripting (XSS)

Overview @saltcorn/admin-models is a models only required by the admin interface for Saltcorn, open-source no-code platform Affected versions of this package are vulnerable to Cross-site Scripting XSS and code execution, via the name parameter on the /admin/edit-codepage endpoint and improper...

Cross site scripting

Cross site scripting XSS in the photo-gallery 10Web Photo Gallery plugin before 1.5.35 for WordPress exists via admin/models/Galleries.php...