|
131
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, in standard channels (i.e., channels whose channel.type is neither group nor dm), th…
New
|
CWE-862
Missing Authorization
|
CVE-2026-44571
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
132
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, the profile_image_url field on the user profile update form accepted arbitrary data:…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-45299
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
133
|
8.1 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API endpoints allows any authentica…
New
|
CWE-284
Improper Access Control
|
CVE-2026-45301
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
134
|
7.7 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend …
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-45303
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
135
|
- |
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profile_image_url values, i…
New
|
CWE-87
Improper Neutralization of Alternate XSS Syntax
|
CVE-2026-45314
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
136
|
3.5 |
LOW
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the POST /api/v1/notes/{id}/pin endpoint performs a write operation (toggling the is…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-45316
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
137
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, his advisory tracks a regression of the original Excel-preview XSS (CVE-2026-44549).…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-45318
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
138
|
8.7 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint takes the file extension from the user-suppl…
New
|
CWE-79
CWE-434
CWE-646
Cross-site Scripting
Unrestricted Upload of File with Dangerous Type
Reliance on File Name or Extension of Externally-Supplied File
|
CVE-2026-45315
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
139
|
4.6 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-W…
New
|
CWE-20
CWE-352
Improper Input Validation
Origin Validation Error
|
CVE-2026-45317
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
140
|
7.7 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a Server-Side Request Forgery (SSRF) vulnerability exists in _process_picture_url() …
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-45338
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
