openwebui

Top products

The 15 most recently published vulnerabilities affecting openwebui.

• CVE-2026-45338Open WebUI: SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py)7.7May 15, 2026
• CVE-2026-44549Open WebUI: Stored XSS in excel file preview7.3May 15, 2026
• CVE-2026-45299Open WebUI: Stored Cross-Site Scripting In Profile Picture5.4May 15, 2026
• CVE-2026-45665Open WebUI: Stored XSS in Banner Component via Improper Sanitization Order8.1May 15, 2026
• CVE-2026-45667Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS)6.5May 15, 2026
• CVE-2026-44565Open WebUI: Open WebUI Arbitrary File Write, Delete via Path Traversal8.1May 15, 2026
• CVE-2026-45314Open WebUI: XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image6.1May 15, 2026
• CVE-2026-45316Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access)3.5May 15, 2026
• CVE-2026-45317Open WebUI: Cross-Site Request Forgery (CSRF) via Image URL Manipulation4.6May 15, 2026
• CVE-2026-45318Open WebUI: Stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify)5.4May 15, 2026
• CVE-2026-45315Open WebUI: Stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions8.7May 15, 2026
• CVE-2026-44571Open WebUI: Improper Authorization in Standard Channels Allows Message Updates with Read Permission6.5May 15, 2026
• CVE-2026-45350Open WebUI: Chat completion API allows tool restrictions to be bypassed7.1May 15, 2026
• CVE-2026-45303Open WebUI: Stored XSS via the HTML renedering view7.7May 15, 2026
• CVE-2026-45301Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file8.1May 15, 2026