pypi

4,979 tracked vulnerabilities.

CVE-2026-45314 MEDIUM
Open WebUI: XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image
May 15, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-45303 HIGH
Open WebUI: Stored XSS via the HTML renedering view
May 15, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-45301 HIGH
Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file
May 15, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-45299 MEDIUM
Open WebUI: Stored Cross-Site Scripting In Profile Picture
May 15, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-44571 MEDIUM
Open WebUI: Improper Authorization in Standard Channels Allows Message Updates with Read Permission
May 15, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-44570 HIGH
Open WebUI: Inconsistent authorization controls within memories API
May 15, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-44569 HIGH
Open WebUI: Insecure Message Access Breaks Authorization
May 15, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-44567 HIGH
Open WebUI: Open WebUI Improper Authorization Control
May 15, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-44566 HIGH
Open WebUI: Arbitrary File Upload and Path Traversal
May 15, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-44565 HIGH
Open WebUI: Open WebUI Arbitrary File Write, Delete via Path Traversal
May 15, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-44549 HIGH
Open WebUI: Stored XSS in excel file preview
May 15, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-45672 HIGH
Open WebUI: Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed
May 15, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-45402 HIGH
Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
May 15, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-45401 HIGH
Open WebUI: SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints
May 15, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-45400 HIGH
Open WebUI: Server-Side Request Forgery (SSRF) bypass in `validate_url`
May 15, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-45398 HIGH
Open WebUI: IDOR - Retrieval API Bypasses Knowledge Base Access Controls
May 15, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-45397 MEDIUM NUCLEI
Open WebUI: Unauthenticated RAG Configuration Disclosure
May 15, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-45396 MEDIUM
Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation
May 15, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-45387 MEDIUM
Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)
May 15, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-45386 MEDIUM
Open WebUI: An IDOR vulnerability exists in the pin_channel_message API endpoint
May 15, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-45385 MEDIUM
Open WebUI: An IDOR vulnerability exists in the update_message_by_id API endpoint
May 15, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-44721 HIGH
Open WebUI: Stored XSS via Model Description
May 15, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-45675 HIGH
Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts
May 15, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-45671 HIGH
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion
May 15, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-45399 HIGH
Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wide chat disruption
May 15, 2026
CVSS 7.1
EPSS 0.00