Lucene search
K

7035 matches found

PyPA
PyPA
added yesterday4 views

Open WebUI's Improper Authorization in Standard Channels Allows Message Updates with Read Permission

Vulnerability DescriptionIn standard channels i.e., channels whose channel.type is neither group nor dm, the endpointPOST /api/v1/channels/channelid/messages/messageid/update can be accessed with read permission only.When accesscontrol is set to None, the authorization check hasaccess...,...

6.5CVSS6.1AI score0.00277EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI has inconsistent authorization controls within memories API

SummaryAuthorization controls surrounding the memories API were inconsistent, resulting in the ability of a standard user to delete, restore, and view the contents of other users' memories. DetailsUsing a newly created non-admin user with no existing memories, it is possible to view existing...

8.3CVSS6.1AI score0.00294EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute

Summarypraisonaiagents resolves unresolved tool names against module globals and main after it fails to match the declared tool list and the registry. With the default agent configuration, permallow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An attack...

8.6CVSS6.2AI score0.00363EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries

SummaryPraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. DetailsThis issue affects...

6.3CVSS6.2AI score0.00216EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute

Summarypraisonaiagents resolves unresolved tool names against module globals and main after it fails to match the declared tool list and the registry. With the default agent configuration, permallow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An attack...

8.6CVSS6.2AI score0.00363EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI's Insecure Message Access Breaks Authorization

DescriptionThere's an IDOR in the channels message management system that allows authenticated users to modify or delete any message within channels they have read access to. The vulnerability exists in the message update and delete endpoints, which implement channel-level authorization but...

7.1CVSS6.2AI score0.00266EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`

SummaryThe safeextractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and calls...

8.7CVSS6.2AI score0.00433EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution

SummaryPraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. DetailsThe vulnerable server is the shipped...

7.3CVSS7.1AI score0.26799EPSS
Exploits3References5Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels

Missing Access Check on Channel Members Endpoint for Standard Channels Affected ComponentChannel members listing endpoint:- backend/openwebui/routers/channels.py lines 445-507, getchannelmembersbyid Affected VersionsCurrent main branch and likely all versions with the channels feature...

4.3CVSS6.1AI score0.00221EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI has Unauthorized File and Knowledge Base Content Access via RAG Vector Search

Unauthorized File and Knowledge Base Content Access via RAG Vector Search Affected ComponentRAG source resolution in chat completion pipeline:- backend/openwebui/retrieval/utils.py lines 963-965, 1063-1068, 1126-1131 in getsourcesfromitems Affected VersionsCurrent main branch commit 6fdd19bf1 and...

6.5CVSS6.1AI score0.00366EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO

Read-Only Users Can Modify Collaborative Documents via Socket.IO Affected ComponentSocket.IO collaborative document editing handler:- backend/openwebui/socket/main.py lines 667-721, ydoc:document:update handler Affected VersionsCurrent main branch and likely all versions with collaborative note...

5.4CVSS6.1AI score0.0022EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order

Vulnerability DetailsCWE-79: Cross-site Scripting XSSThe AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order: Vulnerable Codesrc/lib/components/layout/Overlay/AccountPending.svelt...

4.8CVSS6.2AI score0.0017EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI has stored XSS in Excel file preview

SummaryExcel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheettohtml to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html causing the payload to trigger. DetailsThe...

8.7CVSS6.1AI score0.00318EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI's Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show

Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show Affected ComponentOllama proxy endpoints missing model access control:- backend/openwebui/routers/ollama.py lines 955-995, generatecompletion- backend/openwebui/routers/ollama.py lines 835-881, embed-...

5.4CVSS6.2AI score0.00238EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI's Model Import Overwrites Any Model Without Ownership Check

Model Import Overwrites Any Model Without Ownership Check Affected ComponentModel import endpoint:- backend/openwebui/routers/models.py lines 254-308, importmodels Affected VersionsCurrent main branch commit 6fdd19bf1 and likely all versions with model import functionality. DescriptionThe POST...

6.5CVSS6.1AI score0.0029EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday2 views

Open WebUI has Improper Authorization Control

CONFIDENTIAL Vulnerability Disclosure Analysis Documentation--- Vulnerability Details| | Field | Value ||---|-------|-------|| 1 | Discoverer | Taylor Pennington of KoreLogic, Inc. || 2 | Date Submitted | June 11, 2024 || 3 | Title | Open WebUI Improper Authorization Control || 5 | Affected Vendo...

7.3CVSS7AI score0.0023EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal

CONFIDENTIAL KL-CAN-2024-002 Vulnerability Details| | Field | Value ||---|-------|-------|| 1 | Discoverer | Jaggar Henry & Sean Segreti of KoreLogic, Inc. || 2 | Date Submitted | 2024.03.12 || 3 | Title | Open WebUI Arbitrary File Upload + Path Traversal || 5 | Affected Vendor | Open WebUI || 6 ...

9.8CVSS7.3AI score0.00336EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants

Channel Access Grants Bypass filterallowedaccessgrants Affected ComponentChannel creation and update endpoints:- backend/openwebui/routers/channels.py lines 291-340, createnewchannel- backend/openwebui/routers/channels.py lines 617-638, updatechannelbyid- backend/openwebui/models/channels.py line...

5.4CVSS6.2AI score0.0019EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels

Deactivated Channel Members Retain Full Access to Group/DM Channels Affected ComponentChannel membership authorization check:- backend/openwebui/models/channels.py lines 663-673, isuserchannelmember- Used at 15 locations in backend/openwebui/routers/channels.py Affected VersionsCurrent main branc...

5.4CVSS6.1AI score0.00178EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI has Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite

Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite Affected ComponentRetrieval web/YouTube processing endpoints:- backend/openwebui/routers/retrieval.py lines 1810-1837, processweb- backend/openwebui/routers/retrieval.py the parallel processyoutube endpoint-...

8.1CVSS6.2AI score0.00295EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection

Global Knowledge Base Enumeration via knowledge-bases Meta-Collection Affected ComponentRetrieval collection access validation:- backend/openwebui/routers/retrieval.py lines 2330-2355, validatecollectionaccess- backend/openwebui/routers/retrieval.py query endpoints, e.g. POST /query/doc Affected...

4.3CVSS6.2AI score0.00221EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

banks has Critical Remote Code Execution (RCE) via Jinja2 SSTI

Summarybanks = 2.4.1 uses jinja2.Environment unsandboxed to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt are vulnerable to Server-Side Template Injection SSTI, which can lead to Remote Code Execution RCE on the host system.This is a...

7.5CVSS6.3AI score0.00539EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI's Base Model Routing Bypasses Access Control via Model Chaining

Base Model Routing Bypasses Access Control via Model Chaining Affected ComponentModel chaining via basemodelid:- backend/openwebui/routers/models.py lines 170-214, createnewmodel- backend/openwebui/routers/models.py lines 254-308, importmodels- backend/openwebui/main.py lines 1696-1711, base mode...

7.6CVSS6.2AI score0.00248EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbitrary host files during install

SummaryMicrosoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A...

7.1CVSS6.2AI score0.00351EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

open-webui Vulnerable to Stored XSS via Model Description

!IMPORTANT Relationship to CVE-2024-7990 CVE-2024-7990 issued by huntr.dev, March 2025 describes a stored XSS in the same field — the model description — but exploits a different bypass mechanism: a second-order injection through the sanitizeResponseContent function's video-tag placeholder...

8.4CVSS7.2AI score0.00897EPSS
Exploits2References5Affected Software1
PyPA
PyPA
added yesterday4 views

OpenStack Cyborg's Accelerator Request (ARQ) API does not enforce project ownership at any layer

In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...

6.3CVSS6.1AI score0.00206EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI's Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts

Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts Affected ComponentFolder creation endpoint and form model:- backend/openwebui/models/folders.py lines 72-77, FolderForm with extra='allow'- backend/openwebui/models/folders.py lines 95-106, insertnewfolder...

5CVSS6.2AI score0.00287EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning

Redis Cache Keys toolservers and terminalservers Missing Instance Prefix Enable Cross-Instance Cache Poisoning Affected ComponentTool server and terminal server Redis cache:- backend/openwebui/utils/tools.py line 841, toolservers SET- backend/openwebui/utils/tools.py line 850, toolservers GET-...

8.7CVSS6.2AI score0.00305EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

utcp-http vulnerable to SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol

SummaryThe utcp-http plugin is vulnerable to a blind Server-Side Request Forgery SSRF caused by a trust-boundary inconsistency between manual discovery and tool invocation. registermanual validates the discovery URL against an HTTPS / loopback allowlist, but calltool and calltoolstreaming reuse t...

4.7CVSS6.2AI score0.00168EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday5 views

Open WebUI's responses passthrough endpoint lacks access control authorization

SummaryThe /responses endpoint in the OpenAI router accepts any authenticated user and forwards requests directly to upstream LLM providers without enforcing per-model access control. While the primary chat completion endpoint generatechatcompletion checks model ownership, group membership, and...

7.1CVSS6.2AI score0.00306EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday3 views

OpenStack Cyborg uses rule:allow (check_str='@') as the default policy for multiple API endpoints

OpenStack Cyborg before 16.0.1 uses rule:allow checkstr='@' as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complet...

7.4CVSS6.2AI score0.00206EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday3 views

Bunsink has an SSRF bypass in `validate_webhook_url`

SummaryBugsink’s webhook URL validation in versions 2.1.2 and earlier could be partially bypassed because of a mismatch in URL parsing.In some malformed URLs, Python’s standard URL parser urllib and the HTTP client stack requests / urllib3 do not agree on which host is actually being targeted. Th...

4.3CVSS6.2AI score0.00286EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access

Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access Affected ComponentSocket.IO session state and role-check callsites:- backend/openwebui/socket/main.py lines 330-351, connect handler — role snapshotted into SESSIONPOOL- backend/openwebui/socket/main.py lines...

8.1CVSS6.1AI score0.00284EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect

SummaryThe RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. This vulnerability is present in the RedirectHandlers...

7CVSS6.2AI score0.00505EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context

SummaryBentoML's bentoml build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento artifact.If a victim builds an untrusted repository or other attacker-supplied build context, the attacker can place a...

5.5CVSS6AI score0.00284EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday3 views

Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR)

ImpactAegra deployments running 0.9.0 through 0.9.6 with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated user User A, given another user's threadid User B, can:- Execute graph runs against User B's thread via POST /threads/threadid/runs,...

8.6CVSS6.3AI score0.00285EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added yesterday4 views

PraisonAI has unauthenticated RCE via `tool_override.py` (CVE-2026-40287 patch bypass)

TL;DRCVE-2026-40287's fix gated tools.py auto-import behind PRAISONAIALLOWLOCALTOOLS=true in two files toolresolver.py, api/call.py. A third import sink in praisonai/templates/tooloverride.py was missed and remains unguarded. It is reached by the recipe runner on every recipe execution and is...

8.4CVSS6.2AI score0.00246EPSS
Exploits3References6Affected Software1
PyPA
PyPA
added yesterday4 views

Postorius is vulnerable to XSS

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...

7.2CVSS6.1AI score0.00237EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added yesterday4 views

misp-modules has nsafe remote resource fetching in expansion

An unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The htmltomarkdown module accepted arbitrary HTTPS URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally...

5.8CVSS6.2AI score0.00102EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

PraisonAI has an SSRF bypass

SummaryThe URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. DetailsThe current PraisonAI project uses validateurl to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by...

9.8CVSS6.1AI score0.00378EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

docling-graph has SSRF via Missing Internal IP Validation in URLInputHandler

ImpactThe URLInputHandler class in doclinggraph/core/input/handlers.py makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The URLValidator only checks for a valid scheme and non-empty netloc, performing no...

5.7CVSS6.1AI score0.00188EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday5 views

pyquorum: Timing side‑channel in mul_mod

ImpactThe mulmod function implements multiplication via a binary expansion loop whose execution time depends on the Hamming weight of the second operand the exponent. An attacker who can measure the time of secret‑sharing operations e.g., via a remote service could progressively recover the value...

6.9CVSS6.2AI score0.00314EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday3 views

JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content

JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with ...

9.6CVSS6.6AI score0.00386EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday6 views

python-multipart has Denial of Service via unbounded multipart part headers

Summarypython-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many...

7.5CVSS6.4AI score0.00549EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

Lemur: LDAP Authentication Globally Disables TLS Certificate Verification When LDAP_USE_TLS Is Enabled

Description OverviewWhen LDAP TLS is enabled LDAPUSETLS = True, Lemur's LDAP authentication module unconditionally disables TLS certificate verification at the global ldap module level. This allows a man-in-the-middle attacker positioned between Lemur and the LDAP server to intercept all...

6.8CVSS6.2AI score0.00094EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday4 views

Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed

ImpactA receiver who specifies "--output " where that output directory currently exists as a directory. Patches0.24.0 will contain the patch WorkaroundsEnsure local target directories specified by "--output" do not already exist ResourcesPrivate email and Signal communications from a user.Magic...

3.5CVSS6.1AI score0.00197EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

Lemur: LDAP Filter Injection enables post-authentication privilege escalation

Description OverviewLemur's LDAP authentication module lemur/auth/ldap.py constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries...

8.1CVSS6.2AI score0.00179EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

Granian vulnerable to DoS via WSGI response header panic

SummaryGranian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap on both the header name and header value constructors, so malformed output from the application becomes a process abort instead of a...

5.9CVSS6.1AI score0.00222EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

Granian vulnerable to unauthenticated DoS via WebSocket subprotocol header panic

SummaryGranian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes.The crash happens in Granian's WebSocket scope construction path, before the ASGI application is invoked.This is a single-request...

7.5CVSS6.2AI score0.00324EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content

JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with ...

9.6CVSS6.6AI score0.00386EPSS
Exploits0References6Affected Software1
Total number of security vulnerabilities7035