Openwebui

Open Webui

48 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.06%
  • Published 18.12.2025 00:00:00
  • Last modified 22.01.2026 18:16:44

An authentication bypass vulnerability exists in Open-WebUI <=0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers.

Exploit
  • EPSS 0.06%
  • Published 04.12.2025 20:46:36
  • Last modified 10.12.2025 15:35:25

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Stored XSS vulnerability was discovered in Open-WebUI's Notes PDF download functionality. An attacker can import a Markdown file con...

Exploit
  • EPSS 0.05%
  • Published 04.12.2025 19:55:13
  • Last modified 10.12.2025 15:18:38

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP reques...

Exploit
  • EPSS 0.02%
  • Published 04.12.2025 00:00:00
  • Last modified 05.12.2025 20:15:57

open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks.

Exploit
  • EPSS 0.14%
  • Published 08.11.2025 01:29:02
  • Last modified 26.11.2025 15:36:09

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to exe...

Exploit
  • EPSS 0.01%
  • Published 08.11.2025 01:25:48
  • Last modified 26.11.2025 15:36:59

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. In versions 0.6.34 and below, the functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich T...

Exploit
  • EPSS 0.23%
  • Published 05.05.2025 18:50:56
  • Last modified 17.06.2025 20:18:16

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, a vulnerability in the way certain html tags in chat messages are rendered allows attackers to inject JavaScript code into a ch...

Exploit
  • EPSS 0.15%
  • Published 05.05.2025 18:45:29
  • Last modified 17.06.2025 20:18:30

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, low privileged users can upload HTML files which contain JavaScript code via the `/api/v1/files/` backend endpoint. This endpoi...

Exploit
  • EPSS 0.07%
  • Published 21.04.2025 17:15:23
  • Last modified 28.05.2025 15:49:36

open-webui v0.5.16 is vulnerable to SSRF in routers/ollama.py in function verify_connection.

Exploit
  • EPSS 0.1%
  • Published 20.03.2025 10:11:31
  • Last modified 21.07.2025 20:08:16

An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the HTML for tooltips. This vulnerability allows attackers to perform operations with the victim's privileges, such as stealing chat ...