open-webui vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

| CVE-ID | Severity | Package summary |
|---|---|---|
| CVE-2026-44721 | High | open-webui: open-webui Vulnerable to Stored XSS via Model Description |
| CVE-2026-34222 | High | open-webui: Open WebUI has Broken Access Control in Tool Valves |
| CVE-2026-29071 | Low | open-webui: Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories |
| CVE-2026-29070 | Medium | open-webui: Open WebUI has unauthorized deletion of knowledge files |
| CVE-2026-28788 | High | open-webui: Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file… |
| CVE-2026-28786 | Medium | open-webui: Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions` |
| CVE-2025-65959 | High | open-webui: Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF' |
| CVE-2025-65958 | High | open-webui: Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in… |
| CVE-2025-63681 | Low | open-webui: open-webui is Vulnerable to Incorrect Access Control |
| CVE-2025-64496 | High | open-webui: Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events |
| CVE-2025-64495 | High | open-webui: Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled… |
| GHSA-5CCF-884P-4JJQ | High | open-webui: Open WebUI Unauthenticated Multipart Boundary Denial of Service (DoS) Vulnerability |
| CVE-2024-8060 | High | open-webui: Open WebUI allows Remote Code Execution via Arbitrary File Upload to /audio/api/v1/transcriptions |
| CVE-2024-8053 | High | open-webui: Open WebUI lacks authentication for the `api/v1/utils/pdf` endpoint |
| CVE-2024-7983 | High | open-webui: Open WebUI denial of service through endpoint for converting markdown |
| CVE-2024-7990 | High | open-webui: Open WebUI stored cross-site scripting (XSS) vulnerability |
| CVE-2024-7035 | Medium | open-webui: Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) |
| CVE-2024-7806 | High | open-webui: Open WebUI Cross-Site Request Forgery (CSRF) Vulnerability |
| CVE-2024-7959 | High | open-webui: Open WebUI has SSRF in /openai/models |
| GHSA-6WJ5-5PGR-JWQ8 | High | open-webui: Open WebUI Unauthenticated Multipart Boundary Denial of Service (DoS) Vulnerability in api/chat/file |
| CVE-2024-7045 | Medium | open-webui: Open WebUI Has Improper Access Control Leading to Arbitrary Prompt Read |
| CVE-2024-7053 | High | open-webui: Open WebUI Vulnerable to a Session Fixation Attack |
| CVE-2024-7046 | Medium | open-webui: Open WebUI Allows Viewing of Admin Details |
| CVE-2024-7044 | Medium | open-webui: Open WebUI Vulnerable to Cross-Site Scripting (XSS) via Chat File Upload |
| CVE-2024-7033 | Medium | open-webui: Open WebUI Allows Arbitrary File Write via the `download_model` Endpoint |
