pypi
4,979 tracked vulnerabilities.
CVE-2026-45314
MEDIUM
Open WebUI: XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image
May 15, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-45303
HIGH
Open WebUI: Stored XSS via the HTML renedering view
May 15, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-45301
HIGH
Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file
May 15, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-45299
MEDIUM
Open WebUI: Stored Cross-Site Scripting In Profile Picture
May 15, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-44571
MEDIUM
Open WebUI: Improper Authorization in Standard Channels Allows Message Updates with Read Permission
May 15, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-44570
HIGH
Open WebUI: Inconsistent authorization controls within memories API
May 15, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-44569
HIGH
Open WebUI: Insecure Message Access Breaks Authorization
May 15, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-44567
HIGH
Open WebUI: Open WebUI Improper Authorization Control
May 15, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-44566
HIGH
Open WebUI: Arbitrary File Upload and Path Traversal
May 15, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-44565
HIGH
Open WebUI: Open WebUI Arbitrary File Write, Delete via Path Traversal
May 15, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-44549
HIGH
Open WebUI: Stored XSS in excel file preview
May 15, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-45672
HIGH
Open WebUI: Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed
May 15, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-45402
HIGH
Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
May 15, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-45401
HIGH
Open WebUI: SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints
May 15, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-45400
HIGH
Open WebUI: Server-Side Request Forgery (SSRF) bypass in `validate_url`
May 15, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-45398
HIGH
Open WebUI: IDOR - Retrieval API Bypasses Knowledge Base Access Controls
May 15, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-45397
MEDIUM
NUCLEI
Open WebUI: Unauthenticated RAG Configuration Disclosure
May 15, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-45396
MEDIUM
Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation
May 15, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-45387
MEDIUM
Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)
May 15, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-45386
MEDIUM
Open WebUI: An IDOR vulnerability exists in the pin_channel_message API endpoint
May 15, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-45385
MEDIUM
Open WebUI: An IDOR vulnerability exists in the update_message_by_id API endpoint
May 15, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-44721
HIGH
Open WebUI: Stored XSS via Model Description
May 15, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-45675
HIGH
Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts
May 15, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-45671
HIGH
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion
May 15, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-45399
HIGH
Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wide chat disruption
May 15, 2026
CVSS 7.1
EPSS 0.00
Products
tensorflow 427
tensorflow-gpu 421
tensorflow-cpu 417
Django 147
apache-airflow 128
Plone 96
open-webui 91
mlflow 76
apache-superset 67
salt 67
ansible 66
pillow 52
nova 49
gradio 47
matrix-synapse 44
pyload-ng 44
rdiffweb 43
keystone 40
vllm 40
vyper 39
moin 35
aiohttp 34
opencv-contrib-python 30
opencv-python 30
pypdf 28
PraisonAI 27
pgadmin4 26
langflow 24
openbabel 24
picklescan 23
Quick Filters