CVE-2026-44554
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collectionname and an overwrite query parameter (default: True). It performs no authorization check on whether t...
Open WebUI security vulnerability
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.9.3 contained a security vulnerability. This vulnerability stemmed from the channel webhook creation/update process accepting arbitrary profileimageurl values,...
Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation
Mass Assignment in Feedback Creation Allows User ID Spoofing and Evaluation Data Manipulation Summary The POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses model_config = ConfigDict(extra='allow'). Due to an insecure...
hubzoid (>=0.2.2 <=0.4.5), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45351 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45351 Source advisory: OSV:GHSA-JH9G-8JQW-M2QX...
hubzoid (>=0.2.2 <=0.4.5), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45338 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45338 Source advisory: OSV:GHSA-24C9-2M8Q-QHMH...
PT-2026-41181
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.8.9 Description When a non-administrative user logs into the application, a web request to the '/api/models?' endpoint is initiated. The response from this request reveals the system prompts of available models...
hubzoid (>=0.2.2 <=0.4.5), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-44556 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-44556 Source advisory: OSV:GHSA-HP5M-24VP-VQ2Q...
hubzoid (>=0.2.2 <=0.4.5), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-44553 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-44553 Source advisory: OSV:GHSA-45M8-CPM2-3V65...
hubzoid (>=0.2.2 <=0.4.5), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-44550 via open-webui (>=0.6.0 <=0.8.8)
open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-44550 Source advisory: SNYK:PYTHON-OPENWEBUI-16599158...
openwebui-token-tracking (=0.1.7) potentially affected by CVE-2026-29071 via open-webui (=0.6.0)
open-webui PYPI version =0.6.0 is affected by a known vulnerability. The following packages have a transitive dependency on open-webui and may be impacted: - openwebui-token-tracking =0.1.7 Source cves: CVE-2026-29071 Source advisory: OSV:GHSA-W9F8-GXF9-RHVW...
CVE-2025-15603
REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: The vendor explains: "The 't0p-s3cr3t' default was dead code on every supported startup path: start.sh, startwindows.ba...
CVE-2025-65958 Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to...
Access Control Bypass
Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Access Control Bypass via the /api/tasks/stop/taskid endpoint. An attacker can enumerate tasks running by other users and use taskid to terminate any tasks running on the server. Remediation Upgrade open-webu...
CVE-2025-65106 vulnerabilities
Vulnerabilities for packages: open-webui...
EUVD-2025-6856
Malicious code in bioql PyPI...
EUVD-2025-6947
Malicious code in bioql PyPI...
EUVD-2024-48050
Malicious code in bioql PyPI...
EUVD-2025-6980
Malicious code in bioql PyPI...
EUVD-2025-6959
Malicious code in bioql PyPI...
EUVD-2025-13498
Malicious code in bioql PyPI...