CVE-2025-64495
- EPSS 0.01%
- Published 08.11.2025 01:25:48
- Last modified 26.11.2025 15:36:59
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. In versions 0.6.34 and below, the functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich T...
CVE-2025-46719
- EPSS 0.23%
- Published 05.05.2025 18:50:56
- Last modified 17.06.2025 20:18:16
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, a vulnerability in the way certain HTML tags in chat messages are rendered allows attackers to inject JavaScript code into a ch...
CVE-2025-46571
- EPSS 0.15%
- Published 05.05.2025 18:45:29
- Last modified 17.06.2025 20:18:30
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, low privileged users can upload HTML files which contain JavaScript code via the `/api/v1/files/` backend endpoint. This endpoi...
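The description above is cut off before it says how the uploaded HTML reaches a browser, so the example below makes the usual assumption for this bug class: the file is later served back from the application's own origin with a type and disposition that let the browser render it. It is an added example, not Open WebUI's code, showing the response headers a file-serving handler should emit for user uploads so that HTML, SVG or scripts are forced to a download and only passive types are shown inline. The helper names and the allow-list of inline types are choices made here.

```python
import mimetypes
import re
import unicodedata
from urllib.parse import quote

# Passive types a browser can display inline without executing anything.
# Deliberately narrow; anything not listed is downloaded instead.
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain"}


def safe_download_name(name):
    """Strip path components and control characters from a stored filename and
    return (ascii_fallback, utf8_name) for the Content-Disposition header."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = "".join(ch for ch in base if unicodedata.category(ch)[0] != "C")
    base = base.strip() or "download"
    ascii_name = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return ascii_name[:100], base[:100]


def headers_for_user_upload(filename, declared_type=None):
    """Response headers for a file that a low-privileged user uploaded.

    Only a passive type whose file extension agrees with the stored type is
    served inline; everything else (HTML, SVG, XML, scripts, unknown, or a
    mismatch between extension and stored type) is forced to a download so the
    browser never interprets it in the application's origin."""
    declared = (declared_type or "").split(";")[0].strip().lower()
    guessed = (mimetypes.guess_type(filename)[0] or "").lower()
    ascii_name, utf8_name = safe_download_name(filename)
    if declared and declared == guessed and declared in INLINE_SAFE_TYPES:
        ctype = declared
        disposition = "inline"
    else:
        ctype = "application/octet-stream"
        disposition = (
            f'attachment; filename="{ascii_name}"; '
            f"filename*=UTF-8''{quote(utf8_name, safe='')}"
        )
    return {
        "Content-Type": ctype,
        "Content-Disposition": disposition,
        # Stop MIME sniffing from turning a mislabelled "image" into HTML.
        "X-Content-Type-Options": "nosniff",
        # If something does get rendered anyway: no script, no forms, no subresources.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

The header set only limits what a browser does with the bytes; it does not make stored content safe. Serving uploads from a separate origin (a dedicated files host) removes the application's cookies and DOM from reach entirely, and is the stronger fix when the deployment allows it.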
CVE-2025-29446
- EPSS 0.07%
- Published 21.04.2025 17:15:23
- Last modified 28.05.2025 15:49:36
open-webui v0.5.16 is vulnerable to SSRF in routers/ollama.py in function verify_connection.
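A connection-check endpoint like the one named above takes a base URL from the request and makes the server fetch it, which is exactly where an SSRF guard belongs. The example below is added here and is not Open WebUI's code: it validates such a URL by restricting the scheme, rejecting embedded credentials, resolving the host and refusing any answer that is not a public address, with an operator allow-list for the internal hosts a self-hosted deployment legitimately talks to. The hostnames and the address table are constructed so the example runs offline; the real resolver is shown alongside but not used by default.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline. The names are hypothetical.
FAKE_DNS = {
    "api.example.test": ["8.8.8.8"],
    "ollama.internal.test": ["10.0.0.5"],
    "rebinder.test": ["8.8.8.8", "127.0.0.1"],  # one public and one loopback record
}


def fake_resolver(host):
    """Offline stand-in for resolve_with_system()."""
    if host not in FAKE_DNS:
        raise ValueError(f"cannot resolve {host!r}")
    return list(FAKE_DNS[host])


def resolve_with_system(host):
    """Real resolver: every address the OS returns for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip):
    addr = ipaddress.ip_address(ip)
    # is_global is False for loopback, RFC 1918, link-local (which includes the
    # cloud metadata address 169.254.169.254), CGNAT, ULA, unspecified, etc.
    return addr.is_global and not addr.is_multicast


def validate_upstream_url(url, resolver=fake_resolver, allow_hosts=()):
    """Return the addresses a user-supplied base URL would connect to, or raise
    ValueError if the target is not something the server should reach."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    # A literal address goes through the same check as a name, so
    # "http://127.0.0.1" or "http://[::1]" cannot slip past a name-based rule.
    try:
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        ips = resolver(host)
    if host.lower() in {h.lower() for h in allow_hosts}:
        return ips  # operator explicitly approved this internal host
    for ip in ips:
        if not is_public_address(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return ips


def url_is_safe(url, resolver=fake_resolver, allow_hosts=()):
    """Boolean wrapper for callers that just want an accept/reject decision."""
    try:
        validate_upstream_url(url, resolver, allow_hosts)
        return True
    except ValueError:
        return False
```

Two caveats a practitioner should keep in mind. The check is only as good as the address the HTTP client later connects to: between validation and connect the name can resolve differently (DNS rebinding), so a robust fix connects to the validated IP and sets the Host/SNI name explicitly, or re-validates on every connection. And redirects must either be disabled or re-validated per hop, since a public host is free to redirect the server to 127.0.0.1.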
- EPSS 0.1%
- Published 20.03.2025 10:11:31
- Last modified 21.07.2025 20:08:16
An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the HTML for tooltips. This vulnerability allows attackers to perform operations with the victim's privileges, such as stealing chat ...
- EPSS 0.17%
- Published 20.03.2025 10:11:16
- Last modified 01.04.2025 20:33:49
A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default `SameSite=Lax` and does not have the `Secure` flag enab...
CVE-2024-8053
- EPSS 0.78%
- Published 20.03.2025 10:11:13
- Last modified 27.03.2025 11:15:36
In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. This vulnerability can be exploited by sending a POST request with ...
CVE-2024-7806
- EPSS 0.75%
- Published 20.03.2025 10:11:05
- Last modified 26.03.2025 16:46:35
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF to...
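This entry and the session-fixation entry above it describe the same cookie handling from two sides: a session cookie with SameSite=Lax and no Secure flag, and state-changing endpoints with no CSRF protection. The example below is added here and is not Open WebUI's code. It covers both: a Set-Cookie value with Secure, HttpOnly and SameSite=Strict; a login step that discards any session identifier the client presented and mints a fresh one, which is the fixation defence; and an Origin-based check that refuses cookie-authenticated state-changing requests from other origins. The cookie name, the in-memory session store and the trusted-origin list are assumptions made for the example.

```python
import secrets
from urllib.parse import urlsplit

# Hypothetical cookie name. The __Host- prefix makes browsers refuse the cookie
# unless it is Secure, has Path=/ and carries no Domain attribute.
COOKIE_NAME = "__Host-session"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def build_session_cookie(session_id, max_age=8 * 3600):
    """Set-Cookie value carrying the attributes the entries above say are missing."""
    if not session_id.isascii() or any(c in session_id for c in ';, \t\r\n"'):
        raise ValueError("session id contains characters not allowed in a cookie value")
    return "; ".join([
        f"{COOKIE_NAME}={session_id}",
        "Path=/",
        "Secure",           # never sent over plain HTTP
        "HttpOnly",         # not readable by page script
        "SameSite=Strict",  # never attached to a cross-site request
        f"Max-Age={max_age}",
    ])


def login(store, user, presented_session_id=None):
    """Authenticate 'user' and return a fresh session id.

    An identifier the client brought along (possibly planted by an attacker
    before the victim logged in) is invalidated, never adopted."""
    if presented_session_id is not None:
        store.pop(presented_session_id, None)
    sid = secrets.token_urlsafe(32)
    store[sid] = user
    return sid


def request_passes_csrf_check(method, headers, trusted_origins, cookie_auth=True):
    """Origin check for cookie-authenticated, state-changing requests.

    Requests authenticated only by a bearer token in a header cannot be forged
    cross-site by a browser, so those callers pass cookie_auth=False."""
    if method.upper() in SAFE_METHODS or not cookie_auth:
        return True
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None and "referer" in h:
        ref = urlsplit(h["referer"])
        origin = f"{ref.scheme}://{ref.netloc}" if ref.scheme and ref.netloc else None
    if not origin or origin == "null":
        return False  # no provenance at all: refuse rather than guess
    trusted = {o.lower().rstrip("/") for o in trusted_origins}
    return origin.lower() in trusted
```

SameSite=Strict means a user who follows a link from another site arrives without their session and has to click through once; deployments that find that unacceptable usually keep Lax and rely on the Origin check plus a per-session CSRF token for POST/PUT/DELETE. The Origin check is still worth having with Strict, because it does not depend on the browser honouring the cookie attribute.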
CVE-2024-7039
- EPSS 0.09%
- Published 20.03.2025 10:11:02
- Last modified 15.10.2025 13:15:50
In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users/{uuid_admi...
CVE-2024-12534
- EPSS 0.16%
- Published 20.03.2025 10:10:52
- Last modified 18.07.2025 19:59:05
In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to the lack of character length validation on these inputs. This vulnerability can lead...