27 matches found

RedhatCVE
added 2026/01/24 9:15 a.m. | 2 views

CVE-2026-0766

Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the...

CVSS 8.8 | AI score 6.5 | EPSS 0.00599
Exploits: 1 | References: 1
Snyk
added 2026/01/23 5:08 a.m. | 6 views

Arbitrary Code Injection

Overview: open-webui is an Open WebUI. Affected versions of this package are vulnerable to Arbitrary Code Injection via the load_tool_module_by_id function in the utils/plugin.py file. An attacker can execute arbitrary code in the context of the service account by supplying a crafted string that is not...

CVSS 8.8 | AI score 8.6 | EPSS 0.00599
Exploits: 1 | References: 2
NVD
added 2026/01/23 4:16 a.m. | 3 views

CVE-2026-0766

Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the...

CVSS 8.8 | EPSS 0.00599
Exploits: 1 | References: 1
OSV
added 2026/01/23 4:16 a.m. | 1 view

CVE-2026-0766

Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the...

CVSS 8.8 | AI score 6.3
Exploits: 0 | References: 1
CVE
added 2026/01/23 3:28 a.m. | 9 views

CVE-2026-0766

Open WebUI contains a vulnerability in load_tool_module_by_id that allows remote code execution via command injection. The flaw comes from insufficient validation of a user-supplied string before it is used to execute Python code, enabling an attacker to run arbitrary code in the service account’...

CVSS 8.8 | AI score 6.5 | EPSS 0.00599
Exploits: 1 | References: 1 | Affected Software: 1
Cvelist
added 2026/01/23 3:28 a.m. | 25 views

CVE-2026-0766 Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability

Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the...

CVSS 8.8 | EPSS 0.00599
Exploits: 1 | References: 1
Vulnrichment
added 2026/01/23 3:28 a.m. | 2 views

CVE-2026-0766 Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability

Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the...

CVSS 8.8 | AI score 6.5 | EPSS 0.00599
Exploits: 1 | References: 1
CNNVD
added 2026/01/23 12:00 a.m. | 1 view

Open WebUI Code Injection Vulnerability

Open WebUI is an open-source, scalable, feature-rich, and user-friendly self-hosted WebUI. Open WebUI has a code injection vulnerability, which stems from the lack of validation for the string provided by users in the load_tool_module_by_id function. This vulnerability may lead to code injection and...

CVSS 8.8 | AI score 7.6 | EPSS 0.00599
Exploits: 1 | References: 1
Zero Day Initiative
added 2026/01/09 12:00 a.m. | 4 views

(0Day) Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the load_tool_module_by_id function. The issue results from the lack of proper validation of a...

CVSS 8.8 | AI score 7.6 | EPSS 0.00599
Exploits: 1
Positive Technologies
added 2026/01/09 12:00 a.m. | 3 views

PT-2026-1996

Name of the Vulnerable Software and Affected Versions: Open WebUI (affected versions not specified). Description: A flaw exists in the load_tool_module_by_id function of Open WebUI that allows remote attackers to execute arbitrary code. Authentication is required for exploitation. The issue stems from...

CVSS 8.8 | AI score 8.5 | EPSS 0.00599
Exploits: 1 | References: 2
CVE
added 2025/12/11 9:39 p.m. | 6 views

CVE-2025-66419

CVE-2025-66419 affects MaxKB: the tool module in versions 2.3.1 and earlier allows an attacker to escape the sandbox and escalate privileges under certain concurrent conditions. Consequences are privilege elevation and potential broader impact within affected deployments. The issue has a fixed re...

CVSS 10 | AI score 6.7 | EPSS 0.00047
Exploits: 0 | References: 3 | Affected Software: 1
CNNVD
added 2025/12/11 12:00 a.m. | 1 view

MaxKB Race Condition Vulnerability

MaxKB is a 1Panel-dev open source knowledge base question and answer system based on a large language model and RAG. A race condition vulnerability exists in MaxKB 2.3.1 and earlier versions, which stems from a tool module that allows an attacker to escape the sandbox...

CVSS 10 | AI score 6.7 | EPSS 0.00047
Exploits: 0 | References: 3
RedhatCVE
added 2025/11/14 4:05 p.m. | 6 views

CVE-2025-64703

MaxKB is an open-source AI assistant for enterprise. In versions prior to 2.3.1, a user can obtain sensitive information via Python code in the tool module, although the process runs in a sandbox. Version 2.3.1 fixes the issue...

CVSS 6.5 | AI score 6.9 | EPSS 0.00042
Exploits: 0 | References: 1
RedhatCVE
added 2025/11/14 4:05 p.m. | 5 views

CVE-2025-64511

MaxKB is an open-source AI assistant for enterprise. In versions prior to 2.3.1, a user can access internal network services such as databases through Python code in the tool module, although the process runs in a sandbox. Version 2.3.1 fixes the issue...

CVSS 8.8 | AI score 7 | EPSS 0.00056
Exploits: 0 | References: 1
NVD
added 2025/11/13 4:15 p.m. | 7 views

CVE-2025-64703

MaxKB is an open-source AI assistant for enterprise. In versions prior to 2.3.1, a user can obtain sensitive information via Python code in the tool module, although the process runs in a sandbox. Version 2.3.1 fixes the issue...

CVSS 6.5 | EPSS 0.00042
Exploits: 0 | References: 1
NVD
added 2025/11/13 4:15 p.m. | 4 views

CVE-2025-64511

MaxKB is an open-source AI assistant for enterprise. In versions prior to 2.3.1, a user can access internal network services such as databases through Python code in the tool module, although the process runs in a sandbox. Version 2.3.1 fixes the issue...

CVSS 8.8 | EPSS 0.00056
Exploits: 0 | References: 1
Cvelist
added 2025/11/13 3:52 p.m. | 6 views

CVE-2025-64703 MaxKB has Information Leak in sandbox

MaxKB is an open-source AI assistant for enterprise. In versions prior to 2.3.1, a user can obtain sensitive information via Python code in the tool module, although the process runs in a sandbox. Version 2.3.1 fixes the issue...

CVSS 6.3 | EPSS 0.00042
Exploits: 0 | References: 1
EUVD
added 2025/11/13 3:52 p.m. | 4 views

EUVD-2025-175301

MaxKB is an open-source AI assistant for enterprise. In versions prior to 2.3.1, a user can obtain sensitive information via Python code in the tool module, although the process runs in a sandbox. Version 2.3.1 fixes the issue...

CVSS 6.3 | AI score 6.4 | EPSS 0.00042
Exploits: 0 | References: 1
OSV
added 2025/11/13 3:52 p.m. | 3 views

CVE-2025-64703 MaxKB has Information Leak in sandbox

MaxKB is an open-source AI assistant for enterprise. In versions prior to 2.3.1, a user can obtain sensitive information via Python code in the tool module, although the process runs in a sandbox. Version 2.3.1 fixes the issue...

CVSS 6.3 | AI score 6.8 | EPSS 0.00042
Exploits: 0 | References: 3
Vulnrichment
added 2025/11/13 3:52 p.m. | 3 views

CVE-2025-64703 MaxKB has Information Leak in sandbox

MaxKB is an open-source AI assistant for enterprise. In versions prior to 2.3.1, a user can obtain sensitive information via Python code in the tool module, although the process runs in a sandbox. Version 2.3.1 fixes the issue...

CVSS 6.3 | AI score 6.5 | EPSS 0.00042
Exploits: 0 | References: 1