Lucene search
K

2994 matches found

Wolfi
Wolfi
added 2026/06/15 8:35 p.m.7 views

GHSA-RGXP-2HWP-JWGG vulnerabilities

Vulnerabilities for packages: open-webui...

5.2AI score
Exploits0
Wolfi
Wolfi
added 2026/06/15 8:35 p.m.8 views

CVE-2026-48156 vulnerabilities

Vulnerabilities for packages: open-webui...

5.1CVSS5.1AI score0.00124EPSS
Exploits0
Wolfi
Wolfi
added 2026/06/15 8:35 p.m.9 views

CVE-2026-48155 vulnerabilities

Vulnerabilities for packages: open-webui...

5.5CVSS5.1AI score0.00127EPSS
Exploits0
Wolfi
Wolfi
added 2026/06/15 8:35 p.m.7 views

CVE-2026-25087 vulnerabilities

Vulnerabilities for packages: open-webui...

7CVSS5.1AI score0.00807EPSS
Exploits0
NVD
NVD
added 2026/06/11 8:16 p.m.17 views

CVE-2026-49973

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the setpassword parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable netwo...

9.4CVSS0.00543EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/11 7:4 p.m.12 views

EUVD-2026-36306

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the setpassword parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable netwo...

9.4CVSS5.7AI score0.00543EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/11 7:4 p.m.26 views

CVE-2026-49973 Hermes WebUI < 0.51.358 Unauthenticated Password Takeover via /api/settings

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the setpassword parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable netwo...

9.4CVSS0.00543EPSS
Exploits0References5
CVE
CVE
added 2026/06/11 7:4 p.m.22 views

CVE-2026-49973

CVE-2026-49973 affects Hermes WebUI prior to version 0.51.358. The issue is an improper access control in the settings API that allows unauthenticated remote attackers to hijack the initial setup by posting to the /api/settings endpoint using the _set_password parameter without origin restriction...

9.4CVSS5.7AI score0.00543EPSS
Exploits0References5
Circl
Circl
added 2026/06/11 6:58 p.m.8 views

CVE-2026-54011

creationtimestamp| type| source ---|---|--- 2026-06-11 18:58:03+00:00| published-proof-of-concept| https://github.com/open-webui/open-webui/security/advisories/GHSA-v8qj-hxv7-mgvv...

8.7CVSS5AI score0.002EPSS
Exploits1References1
Circl
Circl
added 2026/06/11 6:57 p.m.8 views

CVE-2026-54010

creationtimestamp| type| source ---|---|--- 2026-06-11 18:57:21+00:00| published-proof-of-concept| https://github.com/open-webui/open-webui/security/advisories/GHSA-vrhc-3fr6-pc3c...

8.3CVSS5AI score0.00241EPSS
Exploits1References1
Circl
Circl
added 2026/06/11 6:56 p.m.6 views

CVE-2026-54007

creationtimestamp| type| source ---|---|--- 2026-06-11 18:56:24+00:00| published-proof-of-concept| https://github.com/open-webui/open-webui/security/advisories/GHSA-3vv5-8xxp-4f55...

7.1CVSS5AI score0.00162EPSS
Exploits1References1
Veracode
Veracode
added 2026/06/11 5:38 a.m.10 views

Arbitrary File Write

open-webui/open-webui is vulnerable to an arbitrary file write. The vulnerability is due to improper handling of file paths in the downloadmodel endpoint on Windows, which allows an attacker to manipulate file paths and write files to arbitrary locations on the server...

7.2CVSS6.7AI score0.01125EPSS
Exploits1References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/10 9:4 p.m.9 views

CVE-2026-49957

Hermes WebUI before version 0.51.296 contains a workspace boundary bypass vulnerability that allows authenticated attackers to circumvent blocked-root path checks by exploiting an early return in the SSH/remote terminal profile workspace resolution logic within remoteterminalworkspacecandidate...

7.7CVSS5.5AI score0.00421EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/10 9:4 p.m.11 views

CVE-2026-49955

Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing assertion. Attackers can send unlimited POST requests to the...

6.9CVSS5.5AI score0.00586EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/10 9:2 p.m.11 views

CVE-2026-49959

Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file. Attackers can exploit Git subprocess invocations in...

8.8CVSS6.7AI score0.00945EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/10 9:2 p.m.11 views

CVE-2026-49956

Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions search handler to...

7.1CVSS5.5AI score0.00272EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/09 6:31 p.m.11 views

EUVD-2026-35704

Hermes WebUI before version 0.51.269 contains a workspace boundary bypass vulnerability that allows authenticated attackers to circumvent blocked-root path checks by exploiting an early return in the SSH/remote terminal profile workspace resolution logic within remoteterminalworkspacecandidate...

7.7CVSS5.5AI score0.00421EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/09 6:31 p.m.9 views

EUVD-2026-35706

Hermes WebUI before version 0.51.303 contains a time-of-check time-of-use TOCTOU race condition vulnerability in the gitdiscard function within api/workspacegit.py that allows attackers to delete files outside the configured workspace boundary by replacing a validated path component with a symlin...

5CVSS5.6AI score0.00081EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/09 6:31 p.m.49 views

EUVD-2026-35707

Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file. Attackers can exploit Git subprocess invocations in...

8.8CVSS6.7AI score0.00945EPSS
Exploits0References5
NVD
NVD
added 2026/06/09 5:17 p.m.10 views

CVE-2026-49959

Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file. Attackers can exploit Git subprocess invocations in...

8.8CVSS0.00945EPSS
Exploits0References4
Rows per page
Query Builder