CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 2026/05/15 10:16 p.m.•8 views

CVE-2026-45314

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profileimageurl values, including data:image/svg+xml;base64,... payloads. The profile image endpoint then decodes and serves...

7.4CVSS0.0001EPSS

NVD•added 2026/05/15 10:16 p.m.•9 views

CVE-2026-45315

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint takes the file extension from the user-supplied filename and saves the file under CACHEDIR/audio/transcriptions/.. The /cache/path route serve...

8.7CVSS0.00006EPSS

EUVD•added 2026/05/15 9:31 p.m.•5 views

EUVD-2026-30662

7.4CVSS6AI score0.0001EPSS

ATTACKERKB•added 2026/05/15 9:31 p.m.•5 views

CVE-2026-45314

7.4CVSS6AI score0.0001EPSS

Exploits1References2Affected Software1

Vulnrichment•added 2026/05/15 9:26 p.m.•7 views

CVE-2026-45315 Open WebUI: Stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions

8.7CVSS5.8AI score0.00006EPSS

ATTACKERKB•added 2026/05/15 9:21 p.m.•5 views

CVE-2026-45303

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...

7.7CVSS5.9AI score0.00036EPSS

Exploits1References2Affected Software1

CVE•added 2026/05/15 6:36 p.m.•9 views

CVE-2026-46361

CVE-2026-46361 affects phpMyFAQ prior to 4.1.2. A stored XSS in the search.twig template renders result.question and result.answerPreview with the raw filter, bypassing autoescape. Attackers with FAQ editor privileges can inject HTML-entity-encoded payloads that bypass html_entity_decode(strip_ta...

8.2CVSS5.8AI score0.00011EPSS

Exploits0References2

NVD•added 2026/05/15 5:16 p.m.•7 views

CVE-2026-44714

The bitcoinj library is a Java implementation of the Bitcoin protocol. Prior to 0.17.1, ScriptExecution.correctlySpends contains two fast-path verification bugs for standard P2PKH and native P2WPKH spends in core/src/main/java/org/bitcoinj/script/ScriptExecution.java. In both branches, bitcoinj...

7.5CVSS0.00011EPSS

EUVD•added 2026/05/15 4:51 p.m.•4 views

EUVD-2026-30571

7.5CVSS5.9AI score0.00011EPSS

NVD•added 2026/05/15 6:16 a.m.•5 views

CVE-2026-24662

Cross-site scripting vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier. If a file containing malicious contents is uploaded, an arbitrary script may be executed on a user's web browser when viewing the administration page showing the informati...

5.4CVSS0.00032EPSS

CVE•added 2026/05/15 5:38 a.m.•11 views

CVE-2026-24662

The CVE-2026-24662 entry describes a cross-site scripting vulnerability in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1, affecting rev2203.0 and earlier. When a file containing malicious contents is uploaded, an arbitrary script may execute in a user’s browser when an administrator v...

5.4CVSS5.8AI score0.00032EPSS

Snyk•added 2026/05/14 8:21 p.m.•3 views

Cross-site Scripting (XSS)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting XSS through the @html svg rendering path in the SVGPanZoom.svelte common component. An attacker can execute an arbitrary script in the browser by supplying a crafted SVG payload that is...

5.4CVSS5.8AI score0.0003EPSS

Exploits1References2

Snyk•added 2026/05/14 6:27 p.m.•5 views

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the linkHref field handling. An attacker can execute arbitrary JavaScript by supplying a javascript: URL in an image widget's link URL field and having it rendered on the page. This affects...

5.4CVSS6.1AI score

OSV•added 2026/05/14 4:53 p.m.•0 views

MAL-2026-3741 Malicious code in pyexecutorsme (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 326ad16be9056f6cbd75fa4f9a47dec8c3613b56aa53d3e5d439efeef7c6fcad Package attempts to download and execute a script acting as remote access trojan. --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

6AI score

Positive Technologies•added 2026/05/14 12:0 a.m.•7 views

PT-2026-41168

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.3 Description An issue exists where the audio transcription upload endpoint uses the file extension from a user-supplied filename to save files. The '/cache/path' route serves these files via FileResponse, whic...

8.7CVSS5.9AI score0.00006EPSS

Exploits1References7

Positive Technologies•added 2026/05/14 12:0 a.m.•8 views

PT-2026-41164

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.6.5 Description Scripts can be injected and executed through the HTML rendering view. The frontend includes a function to visualize HTML content of a chat by embedding it in an iFrame. However, the use of the...

7.7CVSS5.9AI score0.00036EPSS

Exploits1References6

EUVD•added 2026/05/13 6:30 p.m.•5 views

EUVD-2025-209821

Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a data source administrator...

9.1CVSS5.9AI score0.0009EPSS

Exploits0References2

OSV•added 2026/05/13 3:25 p.m.•1 views

MAL-2026-3662 Malicious code in py-requests (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 2bd2bd26870d2cf5df73c69bca7ed9088604eccf44727e4c59f0301cc8ccd35a Package installs persistent malware acting as Rat, with the focus of stealing data and modifying copied cryptowallet addresses. --- Category: MALICIOUS - The...

5.8AI score