Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

1902 matches found

CVE
CVEadded 2026/05/15 9:42 p.m.23 views

CVE-2026-45665

Open WebUI contains a Stored XSS in the Banner component due to incorrect sanitization order (DOMPurify before marked.parse). The vulnerability allows a compromised administrator to store a payload in the global banner that is rendered for all users, including the Super Admin, enabling privilege ...

8.1CVSS5.8AI score0.00011EPSS
Exploits1References1Affected Software1
Cvelist
Cvelistadded 2026/05/15 9:41 p.m.33 views

CVE-2026-45667 Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS)

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, GET /api/v1/memories/ef is accessible without authentication and executes request.app.state.EMBEDDINGFUNCTION.... This allows any unauthenticated caller to trigger embedding generati...

6.5CVSS0.00018EPSS
Exploits1References1
EUVD
EUVDadded 2026/05/15 9:40 p.m.7 views

EUVD-2026-30640

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.10, when uploading an audio file, the name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with nam...

8.1CVSS5.8AI score0.00021EPSS
Exploits1References1
EUVD
EUVDadded 2026/05/15 9:31 p.m.7 views

EUVD-2026-30662

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profileimageurl values, including data:image/svg+xml;base64,... payloads. The profile image endpoint then decodes and serves...

7.4CVSS6AI score0.0001EPSS
Exploits1References1
ATTACKERKB
ATTACKERKBadded 2026/05/15 9:30 p.m.5 views

CVE-2026-45316

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the POST /api/v1/notes/id/pin endpoint performs a write operation toggling the ispinned field but only checks for read permission. Users with read-only access to a shared note can...

3.5CVSS5.8AI score0.00011EPSS
Exploits1References2Affected Software1
EUVD
EUVDadded 2026/05/15 9:29 p.m.9 views

EUVD-2026-30658

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery CSRF vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint,...

4.6CVSS5.8AI score0.00006EPSS
Exploits1References1
EUVD
EUVDadded 2026/05/15 9:28 p.m.8 views

EUVD-2026-30659

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, his advisory tracks a regression of the original Excel-preview XSS CVE-2026-44549. The same root cause — XLSX.utils.sheettohtml output rendered via @html excelHtml without DOMPurify ...

7.3CVSS5.8AI score0.00012EPSS
Exploits2References1
ATTACKERKB
ATTACKERKBadded 2026/05/15 9:28 p.m.4 views

CVE-2026-45318

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, his advisory tracks a regression of the original Excel-preview XSS CVE-2026-44549. The same root cause — XLSX.utils.sheettohtml output rendered via @html excelHtml without DOMPurify ...

7.3CVSS5.8AI score0.00012EPSS
Exploits2References2Affected Software1
ATTACKERKB
ATTACKERKBadded 2026/05/15 9:24 p.m.6 views

CVE-2026-44571

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, in standard channels i.e., channels whose channel.type is neither group nor dm, the endpoint POST /api/v1/channels/channelid/messages/messageid/update can be accessed with read...

6.5CVSS5.8AI score0.00011EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKBadded 2026/05/15 9:21 p.m.5 views

CVE-2026-45303

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...

7.7CVSS5.9AI score0.00036EPSS
Exploits1References2Affected Software1
Cvelist
Cvelistadded 2026/05/15 9:21 p.m.33 views

CVE-2026-45303 Open WebUI: Stored XSS via the HTML renedering view

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...

7.7CVSS0.00036EPSS
Exploits1References1
Vulnrichment
Vulnrichmentadded 2026/05/15 9:21 p.m.7 views

CVE-2026-45303 Open WebUI: Stored XSS via the HTML renedering view

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...

7.7CVSS5.9AI score0.00036EPSS
Exploits1References1
EUVD
EUVDadded 2026/05/15 9:21 p.m.9 views

EUVD-2026-30654

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...

7.7CVSS5.9AI score0.00036EPSS
Exploits1References1
EUVD
EUVDadded 2026/05/15 9:19 p.m.7 views

EUVD-2026-30653

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. This...

8.1CVSS5.8AI score0.00033EPSS
Exploits1References1
ATTACKERKB
ATTACKERKBadded 2026/05/15 9:19 p.m.5 views

CVE-2026-45301

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. This...

8.1CVSS5.8AI score0.00033EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKBadded 2026/05/15 9:17 p.m.4 views

CVE-2026-45345

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user's model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained. This...

6.5CVSS5.8AI score0.0003EPSS
Exploits1References2Affected Software1
NVD
NVDadded 2026/05/15 9:16 p.m.7 views

CVE-2026-45387

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, when setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt. However users may...

4.3CVSS0.00026EPSS
Exploits1References1
NVD
NVDadded 2026/05/15 9:16 p.m.13 views

CVE-2026-45397

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, GET /api/v1/retrieval/ returns live RAG pipeline configuration to any unauthenticated HTTP client. No Authorization header, cookie, or API key is required. Every adjacent endpoint on...

5.3CVSS0.01075EPSS
Exploits1References1
EUVD
EUVDadded 2026/05/15 9:15 p.m.6 views

EUVD-2026-30651

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.31, there is a Cross-Site Scripting vulnerability in Open WebUI SVG renderer implementation. This vulnerability is fixed in 0.6.31...

5.1CVSS5.8AI score0.0003EPSS
Exploits1References1
EUVD
EUVDadded 2026/05/15 9:12 p.m.13 views

EUVD-2026-30648

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.11, there is a blind server side request forgery SSRF via the PDF generate function. In the PDF export, user inputs are interpreted as HTML and embedded into the PDF. According to tests...

4.3CVSS5.8AI score0.0003EPSS
Exploits1References1
Rows per page
Query Builder