
5 matches found

NVD
added 2026/05/15 10:16 p.m., 25 views

CVE-2026-45314

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profileimageurl values, including data:image/svg+xml;base64,... payloads. The profile image endpoint then decodes and serves...

CVSS 7.4, EPSS 0.00212
Exploits: 1, References: 1
Cvelist
added 2026/05/15 9:31 p.m., 47 views

CVE-2026-45314 Open WebUI: XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profileimageurl values, including data:image/svg+xml;base64,... payloads. The profile image endpoint then decodes and serves...

CVSS 7.4, EPSS 0.00212
Exploits: 1, References: 1
Snyk
added 2026/05/14 8:18 p.m., 8 views

Cross-site Scripting (XSS)

Overview: open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the profileimageurl parameter in the webhook creation or update process. An attacker can execute arbitrary JavaScript in the context of the application by supplying a crafted SVG...

CVSS 7.4, AI score 5.8, EPSS 0.00212
Exploits: 1, References: 2
Snyk
added 2026/05/14 8:15 p.m., 10 views

Cross-site Scripting (XSS)

Overview: open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to the missing MIME-type validation of profileimageurl field. An attacker can execute arbitrary HTML or JavaScript in the context of user's browser by injecting malicious HTML or...

CVSS 8.7, AI score 5.9, EPSS 0.00199
Exploits: 0, References: 2
OSV
added 2026/01/26 2:49 p.m., 7 views

BIT-MOODLE-2025-3640 Moodle: idor in web service allows users enrolled in a course to access some details of other users

A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access...

CVSS 4.3, AI score 5.8, EPSS 0.00316
Exploits: 0, References: 4