pypi
4,707 tracked vulnerabilities.
CVE ID | Severity | CVSS | EPSS | Published | Title
CVE-2026-8754 | MEDIUM | 6.3 | 0.00 | May 17, 2026 | AstrBotDevs AstrBot File Upload chat.py post_file path traversal
CVE-2026-45667 | MEDIUM | 6.5 | 0.00 | May 15, 2026 | Open WebUI Memories Endpoint - Unauthenticated Embedding Generation DoS
CVE-2026-45666 | MEDIUM | 6.5 | 0.00 | May 15, 2026 | Open WebUI: Indirect Object Reference (IDOR) in user notes
CVE-2026-45365 | MEDIUM | 5.4 | 0.00 | May 15, 2026 | Open WebUI: Authenticated users can bypass model access control via exposed query parameter
CVE-2026-45351 | MEDIUM | 6.5 | 0.00 | May 15, 2026 | Open WebUI: Exposure of System Prompt to Regular User [Non-Admin]
CVE-2026-45350 | HIGH | 7.1 | 0.00 | May 15, 2026 | Open WebUI: Chat completion API allows tool restrictions to be bypassed
CVE-2026-45347 | MEDIUM | 4.3 | 0.00 | May 15, 2026 | Open WebUI: Blind server side request forgery (SSRF) via the PDF generate function
CVE-2026-45345 | MEDIUM | 6.5 | 0.00 | May 15, 2026 | Open WebUI: Missing authorization check at the model update function - models from other users can be updated
CVE-2026-45338 | HIGH | 7.7 | 0.00 | May 15, 2026 | Open WebUI: SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py)
CVE-2026-45318 | MEDIUM | 5.4 | 0.00 | May 15, 2026 | Open WebUI: Stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify)
CVE-2026-45317 | MEDIUM | 4.6 | 0.00 | May 15, 2026 | Open WebUI: Cross-Site Request Forgery (CSRF) via Image URL Manipulation
CVE-2026-45316 | LOW | 3.5 | 0.00 | May 15, 2026 | Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access)
CVE-2026-45315 | HIGH | 8.7 | 0.00 | May 15, 2026 | Open WebUI: Stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions
CVE-2026-45314 | MEDIUM | 6.1 | 0.00 | May 15, 2026 | Open WebUI: XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image
CVE-2026-45303 | HIGH | 7.7 | 0.00 | May 15, 2026 | Open WebUI: Stored XSS via the HTML rendering view
CVE-2026-45301 | HIGH | 8.1 | 0.00 | May 15, 2026 | Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file
CVE-2026-45299 | MEDIUM | 5.4 | 0.00 | May 15, 2026 | Open WebUI: Stored Cross-Site Scripting In Profile Picture
CVE-2026-44571 | MEDIUM | 6.5 | 0.00 | May 15, 2026 | Open WebUI: Improper Authorization in Standard Channels Allows Message Updates with Read Permission
CVE-2026-44570 | HIGH | 8.3 | 0.00 | May 15, 2026 | Open WebUI: Inconsistent authorization controls within memories API
CVE-2026-44569 | HIGH | 7.1 | 0.00 | May 15, 2026 | Open WebUI: Insecure Message Access Breaks Authorization
CVE-2026-44567 | HIGH | 7.3 | 0.00 | May 15, 2026 | Open WebUI: Open WebUI Improper Authorization Control
CVE-2026-44566 | HIGH | 7.3 | 0.00 | May 15, 2026 | Open WebUI: Arbitrary File Upload and Path Traversal
CVE-2026-44565 | HIGH | 8.1 | 0.00 | May 15, 2026 | Open WebUI: Open WebUI Arbitrary File Write, Delete via Path Traversal
CVE-2026-44549 | HIGH | 7.3 | 0.00 | May 15, 2026 | Open WebUI: Stored XSS in excel file preview
CVE-2026-45672 | HIGH | 8.8 | 0.00 | May 15, 2026 | Open WebUI: Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed
Products
tensorflow 427
tensorflow-gpu 421
tensorflow-cpu 417
Django 147
apache-airflow 111
Plone 96
open-webui 86
mlflow 70
apache-superset 67
salt 67
ansible 66
pillow 52
nova 48
gradio 46
rdiffweb 43
matrix-synapse 42
pyload-ng 41
vyper 39
vllm 38
keystone 36
moin 35
aiohttp 33
opencv-contrib-python 30
opencv-python 30
PraisonAI 27
pgadmin4 26
pypdf 24
glance 22
langflow 22
ethyca-fides 21