Lucene search
K

5 matches found

Snyk
Snyk
added 2026/05/14 8:18 p.m.9 views

Cross-site Request Forgery (CSRF)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the getuserprofileimagebyid and getmodelprofileimage handlers in the profile image endpoints. An attacker can supply an external https profile image URL, causing the...

5.1CVSS5.8AI score0.00165EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 8:18 p.m.8 views

Incorrect Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Incorrect Authorization via the pinnotebyid process. An attacker can modify the ispinned status of a shared note without proper authorization by sending a POST request to the relevant endpoint while only havi...

5.1CVSS5.8AI score0.00218EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 8:17 p.m.12 views

Reliance on File Name or Extension of Externally-Supplied File

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Reliance on File Name or Extension of Externally-Supplied File via the audio transcription upload process. An attacker can execute arbitrary JavaScript in the context of another user's session by uploading a...

8.7CVSS6.1AI score0.0018EPSS
Exploits1References4
Nextcloud
Nextcloud
added 2025/12/05 7:55 a.m.11 views

Missing ownership check in Tables app allows moving columns into tables of other users

None...

6.3CVSS5.2AI score0.00214EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2025/04/23 10:21 p.m.5 views

Deserialization of Untrusted Data

Overview llamafactory is an Easy-to-use LLM fine-tuning framework Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the torch.load function. An attacker can execute arbitrary commands by crafting a malicious .bin file that is then deserialized. PoC pyth...

7.8CVSS7.6AI score0.00232EPSS
Exploits1References2
Rows per page
Query Builder