|
131
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, his advisory tracks a regression of the original Excel-preview XSS (CVE-2026-44549).…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-45318
|
2026-05-16 07:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
132
|
4.6 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-W…
New
|
CWE-20
CWE-352
Improper Input Validation
Origin Validation Error
|
CVE-2026-45317
|
2026-05-16 07:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
133
|
3.5 |
LOW
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the POST /api/v1/notes/{id}/pin endpoint performs a write operation (toggling the is…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-45316
|
2026-05-16 07:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
134
|
8.7 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint takes the file extension from the user-suppl…
New
|
CWE-79
CWE-434
CWE-646
Cross-site Scripting
Unrestricted Upload of File with Dangerous Type
Reliance on File Name or Extension of Externally-Supplied File
|
CVE-2026-45315
|
2026-05-16 07:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
135
|
- |
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profile_image_url values, i…
New
|
CWE-87
Improper Neutralization of Alternate XSS Syntax
|
CVE-2026-45314
|
2026-05-16 07:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
136
|
7.7 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend …
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-45303
|
2026-05-16 07:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
137
|
8.1 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authentica…
New
|
CWE-284
Improper Access Control
|
CVE-2026-45301
|
2026-05-16 07:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
138
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, the profile_image_url field on the user profile update form accepted arbitrary data:…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-45299
|
2026-05-16 07:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
139
|
7.5 |
HIGH
Network
|
-
|
-
|
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-ad…
New
|
CWE-1284
Improper Validation of Specified Quantity in Input
|
CVE-2026-44826
|
2026-05-16 07:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
140
|
8.3 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, authorization controls surrounding the memories API were inconsistent, resulting in…
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-44570
|
2026-05-16 07:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
