1380 matches found
PT-2025-12199
Name of the Vulnerable Software and Affected Versions open-webui version 0.3.8 Description An endpoint for converting Markdown to HTML is exposed without authentication. A maliciously crafted markdown payload can cause the server to spend excessive time converting it, leading to a denial of...
Open WebUI 0.1.105 File Upload / Path Traversal
KL-001-2024-006: Open WebUI Arbitrary File Upload + Path Traversal Title: Open WebUI Arbitrary File Upload + Path Traversal Advisory ID: KL-001-2024-006 Publication Date: 2024.08.D06 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-006.txt 1. Vulnerability Details Affected...
Open WebUI 0.1.105 File Upload / Path Traversal Vulnerabilities
Title: Open WebUI Arbitrary File Upload + Path Traversal Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-006.txt 1. Vulnerability Details Affected Vendor: Open WebUI Affected Product: Open WebUI Affected Version: 0.1.105 Platform: Debian 12 CWE Classification: CWE-22:...
Open WebUI 0.1.105 Persistent Cross Site Scripting
KL-001-2024-005: Open WebUI Stored Cross-Site Scripting Title: Open WebUI Stored Cross-Site Scripting Advisory ID: KL-001-2024-005 Publication Date: 2024.08.06 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-005.txt 1. Vulnerability Details Affected Vendor: Open WebUI...
Open WebUI 0.1.105 Persistent Cross Site Scripting Vulnerability
Title: Open WebUI Stored Cross-Site Scripting Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-005.txt 1. Vulnerability Details Affected Vendor: Open WebUI Affected Product: Open WebUI Affected Version: 0.1.105 Platform: Debian 12 CWE Classification: CWE-79: Improper...
CVE-2024-6707 Open WebUI Arbitrary File Upload + Path Traversal
Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traversal vulnerability...
CVE-2024-6706 Open WebUI Stored Cross-Site Scripting
Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page...
CVE-2024-6706 Open WebUI Stored Cross-Site Scripting
Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page...
Open WebUI Arbitrary File Upload + Path Traversal
Vulnerability Details Affected Vendor: Open WebUI Affected Product: Open WebUI Affected Version: 0.1.105 Platform: Debian 12 CWE Classification: CWE-22: Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal', CWE-434: Unrestricted Upload of File with Dangerous Type CVE ID:...
Open WebUI 路径遍历漏洞
Open WebUI is an extensible, feature-rich, user-friendly self-hosted WebUI from Open WebUI open source. A security vulnerability exists in Open WebUI version 0.1.105, which stems from vulnerability to a path traversal attack, where an attacker can upload a controlled file to an arbitrary location...
Open WebUI Stored Cross-Site Scripting
Vulnerability Details Affected Vendor: Open WebUI Affected Product: Open WebUI Affected Version: 0.1.105 Platform: Debian 12 CWE Classification: CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' CVE ID: CVE-2024-6706 2. Vulnerability Description Attackers...
PT-2026-39283
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.1.124 Description An improper authorization control exists where the API fails to validate if a user possesses an authorized role of user or admin. When the platform is configured to allow new sign-ups, new...
The vulnerability of the download_file_stream() function (backend/apps/web/routers/utils.py) in the AI-based web interface Open WebUI (previously Ollama WebUI) allows a attacker to perform an SSRF attack.
The vulnerability of the downloadfilestream function located in backend/apps/web/routers/utils.py of the Open WebUI formerly Ollama WebUI AI-based web interface is related to the manipulation of requests on the server-side during the processing of the url parameter. Exploiting this vulnerability...
CVE-2024-30256
Open WebUI is a user-friendly WebUI for LLMs. Open-webui is vulnerable to authenticated blind server-side request forgery. This vulnerability is fixed in 0.1.117...
CVE-2024-30256
CVE-2024-30256 affects Open WebUI prior to version 0.1.117. The vulnerability is an authenticated blind server-side request forgery (SSRF) in the backend, specifically in the function download_file_stream() inside Open WebUI’s backend/apps/web/routers/utils.py, exploitable via the url parameter. ...
CVE-2024-30256 Open WebUI vulnerable to server-side request forgery in utils.py
Open WebUI is a user-friendly WebUI for LLMs. Open-webui is vulnerable to authenticated blind server-side request forgery. This vulnerability is fixed in 0.1.117...
CVE-2024-30256 Open WebUI vulnerable to server-side request forgery in utils.py
Open WebUI is a user-friendly WebUI for LLMs. Open-webui is vulnerable to authenticated blind server-side request forgery. This vulnerability is fixed in 0.1.117...
CVE-2024-30256 Open WebUI vulnerable to server-side request forgery in utils.py
Open WebUI is a user-friendly WebUI for LLMs. Open-webui is vulnerable to authenticated blind server-side request forgery. This vulnerability is fixed in 0.1.117...
Open WebUI 安全漏洞
Open WebUI is an extensible, feature-rich, user-friendly self-hosted WebUI from Open WebUI Open Source. A security vulnerability exists in Open WebUI versions prior to 0.1.117, which stems from vulnerability to authenticated blind server-side request forgery attacks...
PT-2024-3607 · Unknown · Open-Webui
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.1.117 Description: The issue is related to an authenticated blind server-side request forgery vulnerability. It involves the download file stream function in the backend/apps/web/routers/utils.py file of the Ope...