pip/open-webui
Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts
Risk 75, Severity 8.1

pip/open-webui
Open WebUI: Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed
Risk 79, Severity 8.8

pip/open-webui
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion
Risk 71, Severity 8

pip/open-webui
Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS)
Risk 40, Severity 6.5

pip/open-webui
Open WebUI: Indirect Object Reference (IDOR) in user notes
Risk 38, Severity 6.5

npm/open-webui
Open WebUI: Stored XSS in Banner Component via Improper Sanitization Order
Risk 54, Severity 8.1

pip/open-webui
Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
Risk 60, Severity 8.1

pip/open-webui
Open WebUI: SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints
Risk 55, Severity 8.5

pip/open-webui
Open WebUI: Server-Side Request Forgery (SSRF) bypass in `validate_url`
Risk 55, Severity 8.5

pip/open-webui
Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wide chat disruption
Risk 48, Severity 7.1

pip/open-webui
Open WebUI: IDOR - Retrieval API Bypasses Knowledge Base Access Controls
Risk 70, Severity 7.5

pip/open-webui
Open WebUI: Unauthenticated RAG Configuration Disclosure
Risk 27, Severity 5.3

pip/open-webui
Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation
Risk 34, Severity 5.4

npm/open-webui
Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution
Risk 66, Severity 7.2

pip/open-webui
Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)
Risk 22, Severity 4.3

pip/open-webui
Open WebUI: An IDOR vulnerability exists in the pin_channel_message API endpoint
Risk 22, Severity 4.3

pip/open-webui
Open WebUI: An IDOR vulnerability exists in the update_message_by_id API endpoint
Risk 22, Severity 4.3

pip/open-webui
Open WebUI: Authenticated users can bypass model access control via exposed query parameter
Risk 34, Severity 5.4

pip/open-webui
Open WebUI: Exposure of System Prompt to Regular User [Non-Admin]
Risk 38, Severity 6.5

pip/open-webui
Open WebUI: Chat completion API allows tool restrictions to be bypassed
Risk 48, Severity 7.1

pip/open-webui
Open WebUI: Broken Access Control for Completions API
Risk 48, Severity 7.1

pip/open-webui
Open WebUI: Blind server side request forgery (SSRF) via the PDF generate function
Risk 34, Severity 5.4

npm/open-webui
Open WebUI: Stored Cross-Site Scripting in SVG Renderer
Risk 34, Severity 5.1

pip/open-webui
Open WebUI: Missing authorization check at the model update function - models from other users can be updated
Risk 38, Severity 6.5

pip/open-webui
Open WebUI: API key endpoint restrictions bypassed via `x-api-key` header — full message processing on restricted endpoints
Risk 49, Severity 6.5

pip/open-webui
Open WebUI: SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py)
Risk 44, Severity 7.7

pip/open-webui
Open WebUI: Full SSRF Vulnerability in the RAG Web Search Feature
Risk 55, Severity 8.5

pip/open-webui
Open WebUI: Cross-Site Request Forgery (CSRF) via Image URL Manipulation
Risk 30, Severity 4.6

pip/open-webui
Open WebUI: Stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify)
Risk 34, Severity 5.4

pip/open-webui
Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access)
Risk 19, Severity 3.5

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203