7035 matches found
Open WebUI vulnerable to blind server side request forgery (SSRF) via the PDF generate function
SummaryBlind server side request forgery SSRF via the PDF generate function. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open...
Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation
SummaryAn application-wide Cross-Site Request Forgery CSRFvulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerabilit...
Open WebUI has Broken Access Control for Completions API
SummaryAny user X can continue the conversation of any other user Y, as long as the Chat ID of Y is known. User X does not even need to be an admin to do so. DetailsA user just needs to use the API endpoint: /api/chat/completions with their own API key generated in OWUI and the Chat ID of another...
Open WebUI's chat completion API allows tool restrictions to be bypassed
SummaryOpen WebUI v0.6.43 contains a vulnerability in its chat completion API, which allows attackers to bypass tool restrictions, potentially enabling unauthorized actions or access. DetailsIn the chatcompletion API, the parameters toolids and toolservers are supplied by the user. These paramete...
Open WebUI Vulnerable to SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py)
SummaryA Server-Side Request Forgery SSRF vulnerability exists in processpictureurl in backend/openwebui/utils/oauth.py line 1338. The function fetches arbitrary URLs from OAuth picture claims without applying validateurl, allowing an attacker to force the server to make HTTP requests to internal...
Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access)
SummaryThe POST /api/v1/notes/id/pin endpoint performs a write operation toggling the ispinned field but only checks for read permission. Users with read-only access to a shared note can pin/unpin it, which is a state-modifying action that should require write permission. All other write endpoint...
wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API
Summary Any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own.The RoutinePermission class grants read access to any authenticated user when a routine has...
pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad
SummaryThe fix for CVE-2026-33509 prevents setting storagefolder inside PKGDIR or userdir, but does NOT protect the Flask session directory /tmp/pyLoad/flask. An authenticated attacker can set storagefolder to the session directory and download session files of other users via /files/get/, leadin...
dbt MCP Server has an Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters
Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summaryrundbtcommand in src/dbtmcp/dbtcli/tools.py constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters without sanitization. Two independent...
pyzipper has an encryption bypass for small files encrypted using it
ImpactA Python operator precedence bug in pyzipper/zipfileaes.py caused the AE-2 format to never be automatically selected during encryption, regardless of file size or compression type. As a result, all encrypted entries are written in AE-1 format unless AE-2 is explicitly forced by the caller...
Open WebUI has stored XSS via the HTML renedering view
SummaryThrough the HTML rendering view, scripts can be injected and executed. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Ope...
ethyca-fides has a DOM-based XSS vulnerability in fides.js via fides_description override
Summaryfides.js is the script that renders Fides's consent banner on customer websites. It lets the embedding page override the banner's description text at runtime via a URL query parameter, a JavaScript global, or a cookie. On sites that have opted into HTML-formatted descriptions, the overridd...
Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file
SummaryA missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. DetailsAll files/ related endpoints lack permission checks. Listing all filesFor example, let's see how file listing is...
wger: Privilege escalation via trainer-login session chaining allows gym trainer to impersonate gym manager
SummaryA gym trainer can escalate their session to any higher-privileged account gym manager, general manager by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag trainer.identityis set and this flag alone...
OpenStack Ironic: Pre-Validation Checksum Calculation allows Denial of Service (DoS) via Infinite Block Devices
In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL...
Open WebUI has Stored Cross-Site Scripting In Profile Picture
SummaryThe profileimageurl field on the user profile update form accepted arbitrary data: URI values without MIME-type validation. Two distinct attack paths were independently demonstrated by separate reporters:1. data:text/html;base64,... in a new browser tab raresvis, 2025-04-17 — when a victim...
dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled
Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. SummaryDbtMCP.calltool in src/dbtmcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation line 67 and again at ERROR level if the call...
dbt MCP Server Transmits All MCP Tool Arguments Including Raw SQL and --vars Credentials to dbt Labs Telemetry by Default Without Redaction
Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. SummaryDefaultUsageTracker.emittoolcalledevent in src/dbtmcp/tracking/tracking.py serializes the complete arguments dictionary of every MCP tool call and transmits it verbatim to...
Snorkel MultitaskClassifier.load uses an unsafe torch.load
The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability CWE-502 in the MultitaskClassifier.load method of the MultitaskClassifier class. The method loads model weight files using torch.load without enabling the security-restrictive weightsonly=True parameter. This...
mem0 server lacks authentication and authorization controls for its memory creation API endpoint
The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint POST /memories. The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending...
mem0 server lacks authentication and authorization controls for its memory management API endpoints
The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records PUT /memories/memoryid are exposed without any verification of the requester's identity or permissions. A remote attacker can exploit...
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
DescriptionThe LangSmith SDK's prompt pull methods pullprompt / pullpromptcommit in Python, pullPrompt / pullPromptCommit in JS/TS fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime...
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
DescriptionThe LangSmith SDK's prompt pull methods pullprompt / pullpromptcommit in Python, pullPrompt / pullPromptCommit in JS/TS fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime...
mem0 server lacks authentication and authorization controls for its memory deletion API endpoint
The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers e.g., userid, runid, agentid in the request query parameters. A...
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
DescriptionThe LangSmith SDK's prompt pull methods pullprompt / pullpromptcommit in Python, pullPrompt / pullPromptCommit in JS/TS fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime...
Snorkel BaseLabeler.load uses an unsafe pickle.load
The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability CWE-502 in the BaseLabeler.load method of the BaseLabeler class. The method loads serialized labeler models using the unsafe pickle.load function on user-supplied file paths without any validation or...
Superduper: Remote code execution via unsafe eval in superduper query parsing
The superduper project thru v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The parseoppart function in query.py uses the unsafe eval function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. Although...
pgAdmin 4 has deserialization of untrusted data in its FileBackedSessionManager
Deserialization of untrusted data CWE-502 in pgAdmin 4 FileBackedSessionManager.The session manager performed unsafe deserialization of session-file contents using Python's standard object-serialization module before performing any HMAC integrity check. Any file dropped into the sessions director...
pgAdmin 4 File Manager has symbolic-link path traversal
Symbolic-link path traversal CWE-61, CWE-22 in pgAdmin 4 File Manager.checkaccesspermission used os.path.abspath, which resolves '..' but does not resolve symbolic links, while the subsequent kernel write follows symlinks. An authenticated user could plant a symbolic link inside their own storage...
Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks
Docling's METS GBS backend is vulnerable to XML Entity Expansion XXE attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions XML Bo...
SQL injection vulnerability in pgAdmin 4 Maintenance Tool
SQL injection vulnerability in pgAdmin 4 Maintenance Tool.Four user-supplied JSON fields bufferusagelimit, vacuumparallel, vacuumindexcleanup, reindextablespace were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the...
MLflow allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem
A vulnerability in the createmodelversion handler of mlflow/server/handlers.py in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a CreateModelVersion request includes the tag...
pgAdmin 4: Improper restriction of excessive authentication attempts
Improper restriction of excessive authentication attempts CWE-307 in pgAdmin 4.pgAdmin enforces MAXLOGINATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.initapp and is reachable on every server, never...
aiwaves-cn agents is vulnerable to resource consumption in the recall_relevant_memories_to_working_memory function
A weakness has been identified in aiwaves-cn agents up to e8c4e3c2d19739d3dff59e577d1c97090cc15f59. Affected by this issue is the function recallrelevantmemoriestoworkingmemory of the file core/cat/lookingglass/straycat.py of the component cheshirecatcore. This manipulation causes resource...
Snorkel Trainer.load uses an unsafe torch.load
The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability CWE-502 in the Trainer.load method of the Trainer class. The method loads model checkpoint files using torch.load without enabling the security-restrictive weightsonly=True parameter. This default behavior allows...
PyTorch Lightning load_from_checkpoint has an insecure checkpoint deserialization
PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability CWE-502 in the checkpoint loading mechanism. The LightningModule.loadfromcheckpoint method, which is commonly used to load saved model states, internally calls torch.load without setting the...
local-deep-research is Vulnerable to HTML Injection via Unescaped User Input in PDF Export (`pdf_service.py:_markdown_to_html`)
SummaryPDFService.markdowntohtml constructs an HTML document by interpolating user-controlled values — specifically title sourced from research.title or research.query and metadata key-value pairs — directly into an f-string without any HTML escaping. An authenticated attacker can craft a researc...
flash-attention contains an insecure deserialization vulnerability in its checkpoint loading mechanism
The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains an insecure deserialization vulnerability CWE-502 in its checkpoint loading mechanism. The loadcheckpoint function in checkpoint.py and the checkpoint loading code in eval.py use...
pgAdmin 4: OS command injection vulnerability in Import/Export query export
OS command injection CWE-78 vulnerability in pgAdmin 4 Import/Export query export.User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject " TO PROGRAM 'cmd'" to break out of the \copy ... context and achieve...
pgAdmin 4: Stored cross-site scripting (XSS) vulnerability in Browser Tree and Explain Visualizer modules
Stored cross-site scripting XSS vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules.User-controlled PostgreSQL object names database, schema, table, column, etc. were assigned to DOM elements via innerHTML, allowing crafted object names containing HTML markup to execute...
Keylime has a hardcoded attestation challenge nonce that allows replay attacks
CVE-2026-6420: Hardcoded attestation challenge nonce allows replay attacks ImpactThe CertificationParameters.generatechallenge method in the push attestation protocol uses a hardcoded challenge nonce instead of generating a cryptographically random value. This removes the nonce-based replay...
LiteLLM has a sandbox escape in custom-code guardrail
ImpactThe POST /guardrails/testcustomcode endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process — which runs as root in the default Docker image.Reaching the endpoint...
GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content
SummaryGuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject ANSI or OSC escape sequences into analyst terminals or CI logs...
GuardDog has a blind GitHub URL rewrite in remote project scanning causes SSRF and `GH_TOKEN` exfiltration
SummaryThe programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an attacker who can influence the scanned repository URL to trigger SSRF and...
pgAdmin 4 contains local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities
Local file inclusion LFI and server-side request forgery SSRF vulnerabilities in pgAdmin 4 LLM API configuration endpoints.User-supplied apikeyfile and apiurl preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by...
GPT-Pilot contains a command injection vulnerability in the Executor.run() method
GPT-Pilot thru commit 0819827ce20346ef5f25b3fe29293cb448840565 2025-09-03 contains a command injection vulnerability CWE-78 in the Executor.run method. During project execution, when the system prompts the user to confirm or modify a command to be run, it accepts free-text input without proper...
Docling's JATS XML backend is vulnerable to XML Entity Expansion (XXE) attacks
Docling's JATS XML backend is vulnerable to XML Entity Expansion XXE attacks thru 2.61.0. The backend uses etree.parse to parse XML files without disabling entity resolution. An attacker can craft a malicious XML file containing a nested entity expansion payload XML Bomb. When processed by Doclin...
eml_parser has recursion DoS via nested message/rfc822 attachments
SummaryEmlParser.getrawbodytext recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the messag...
LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists
LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load with allowedobjects="all". This does not enable arbitrary Python object deserialization, but it does allow...
Open WebUI Arbitrary File Write, Delete via Path Traversal
CONFIDENTIAL Vulnerability Disclosure Analysis Documentation-----------------------------------------------Vulnerability Details---------------------1. Discoverer: Taylor Pennington of KoreLogic, Inc.2. Date Submitted: June 11, 20243. Title: Open WebUI Arbitrary File Write, Delete via Path...