open-webui — Vulnerabilities & Security Advisories 40

Browse all 40 CVE security advisories affecting open-webui. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Top products by open-webui: open-webui/open-webui, open-webui

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-34225 | Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality | open-webui | CWE-918 | 4.3 | Medium | 2026-04-14 |
| CVE-2026-34222 | Open WebUI has Broken Access Control in Tool Valves | open-webui | CWE-285 | 7.7 | High | 2026-04-01 |
| CVE-2026-29071 | Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories | open-webui | CWE-639 | 3.1 | Low | 2026-03-26 |
| CVE-2026-29070 | Open WebUI has unauthorized deletion of knowledge files | open-webui | CWE-862 | 5.4 | Medium | 2026-03-26 |
| CVE-2026-28788 | Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite | open-webui | CWE-639 | 7.1 | High | 2026-03-26 |
| CVE-2026-28786 | Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions` | open-webui | CWE-22 | 4.3 | Medium | 2026-03-26 |
| CVE-2026-26193 | Open WebUI vulnerable to Stored XSS via iFrame embeds in response messages | open-webui | CWE-79 | 7.3 | High | 2026-02-19 |
| CVE-2026-26192 | Open WebUI vulnerable to Stored XSS via iFrame in citations model | open-webui | CWE-79 | 7.3 | High | 2026-02-19 |
| CVE-2025-65959 | Open WebUI vulnerable to Stored DOM XSS via Note 'Download PDF' | open-webui | CWE-79 | 8.7 | High | 2025-12-04 |
| CVE-2025-65958 | Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web | open-webui | CWE-918 | 8.5 | High | 2025-12-04 |
| CVE-2025-64496 | Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events | open-webui | CWE-95 | 7.3 | High | 2025-11-08 |
| CVE-2025-64495 | Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE | open-webui | CWE-79 | 8.7 | High | 2025-11-08 |
| CVE-2025-46719 | Open WebUI vulnerable to stored XSS via unescaped markdown token in MarkdownTokens.svelte leading to full account takeover and RCE via functions | open-webui | CWE-79 | 8.2 (AI) | High (AI) | 2025-05-05 |
| CVE-2025-46571 | Open WebUI vulnerable to limited stored XSS via uploaded html file | open-webui | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-05-05 |
| CVE-2024-8017 | Cross-site Scripting (XSS) in open-webui/open-webui | open-webui/open-webui | CWE-79 | 5.4 | - | 2025-03-20 |
| CVE-2024-7053 | Session Fixation in open-webui/open-webui | open-webui/open-webui | CWE-79 | 8.0 | - | 2025-03-20 |
| CVE-2024-8053 | Improper Authentication in open-webui/open-webui | open-webui/open-webui | CWE-306 | 9.1 | - | 2025-03-20 |
| CVE-2024-7806 | Remote Code Execution by Non-Admin Users via CSRF in open-webui/open-webui | open-webui/open-webui | CWE-352 | 8.8 | - | 2025-03-20 |
| CVE-2024-7039 | Improper Privilege Management in open-webui/open-webui | open-webui/open-webui | CWE-863 | 6.5 | - | 2025-03-20 |
| CVE-2024-12534 | Denial of Service (DoS) in open-webui/open-webui | open-webui/open-webui | CWE-400 | 7.5 | - | 2025-03-20 |
| CVE-2024-7034 | Remote Code Execution due to Arbitrary File Write in open-webui/open-webui | open-webui/open-webui | CWE-22 | 9.1 | - | 2025-03-20 |
| CVE-2024-7043 | Improper Access Control in open-webui/open-webui | open-webui/open-webui | CWE-862 | 9.8 | - | 2025-03-20 |
| CVE-2024-7983 | Denial of Service in open-webui/open-webui | open-webui/open-webui | CWE-770 | 7.5 | - | 2025-03-20 |
| CVE-2024-7044 | Stored XSS in open-webui/open-webui | open-webui/open-webui | CWE-79 | 6.1 | - | 2025-03-20 |
| CVE-2024-7045 | Improper Access Control in open-webui/open-webui | open-webui/open-webui | CWE-862 | 5.3 | - | 2025-03-20 |
| CVE-2024-7035 | Cross-Site Request Forgery (CSRF) in open-webui/open-webui | open-webui/open-webui | CWE-352 | 8.1 | - | 2025-03-20 |
| CVE-2024-7036 | Denial of Service in open-webui/open-webui | open-webui/open-webui | CWE-400 | 7.5 | - | 2025-03-20 |
| CVE-2024-7033 | Arbitrary File Write in open-webui/open-webui | open-webui/open-webui | CWE-29 | 9.8 | - | 2025-03-20 |
| CVE-2024-8060 | Remote Code Execution in OpenWebUI via Arbitrary File Upload | open-webui/open-webui | CWE-22 | 8.8 | - | 2025-03-20 |
| CVE-2024-7040 | Improper Access Control in open-webui/open-webui | open-webui/open-webui | CWE-639 | 2.7 | - | 2025-03-20 |

This page lists every published CVE security advisory associated with open-webui. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.