
open-webui — Vulnerabilities & Security Advisories (16)

All 16 CVE vulnerabilities found in open-webui, with AI-generated Chinese analysis, references, and POCs.

Vendor: open-webui

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-34225 | Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality | CWE-918 | 4.3 | Medium | 2026-04-14 |
| CVE-2026-34222 | Open WebUI has Broken Access Control in Tool Valves | CWE-285 | 7.7 | High | 2026-04-01 |
| CVE-2026-29071 | Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories | CWE-639 | 3.1 | Low | 2026-03-26 |
| CVE-2026-29070 | Open WebUI has unauthorized deletion of knowledge files | CWE-862 | 5.4 | Medium | 2026-03-26 |
| CVE-2026-28788 | Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite | CWE-639 | 7.1 | High | 2026-03-26 |
| CVE-2026-28786 | Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions` | CWE-22 | 4.3 | Medium | 2026-03-26 |
| CVE-2025-15603 | open-webui JWT Key start_windows.bat random values | CWE-330 | 3.7 | Low | 2026-03-09 |
| CVE-2026-26193 | Open WebUI vulnerable to Stored XSS via iFrame embeds in response messages | CWE-79 | 7.3 | High | 2026-02-19 |
| CVE-2026-26192 | Open WebUI vulnerable to Stored XSS via iFrame in citations model | CWE-79 | 7.3 | High | 2026-02-19 |
| CVE-2025-65959 | Open WebUI vulnerable to Stored DOM XSS via Note 'Download PDF' | CWE-79 | 8.7 | High | 2025-12-04 |
| CVE-2025-65958 | Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web | CWE-918 | 8.5 | High | 2025-12-04 |
| CVE-2025-64496 | Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events | CWE-95 | 7.3 | High | 2025-11-08 |
| CVE-2025-64495 | Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE | CWE-79 | 8.7 | High | 2025-11-08 |
| CVE-2025-46719 | Open WebUI vulnerable to stored XSS via unescaped markdown token in MarkdownTokens.svelte leading to full account takeover and RCE via functions | CWE-79 | 8.2 (AI) | High (AI) | 2025-05-05 |
| CVE-2025-46571 | Open WebUI vulnerable to limited stored XSS via uploaded html file | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-05-05 |
| CVE-2024-30256 | Open WebUI vulnerable to server-side request forgery in utils.py | CWE-918 | 6.4 | Medium | 2024-04-16 |

All 16 known CVE vulnerabilities affecting open-webui with full Chinese analysis, references, and POCs where available.