Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
10110
Total
681
Critical
2907
High
3176
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-8656 | MEDIUM | 6.1 | Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site Scripting (XSS) via the annotated formatter due to improper sanitization of JSON values and … | May 16, 2026 |
| CVE-2026-8681 | MEDIUM | 5.3 | The Essential Chat Support plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.1. This is due to the … | May 16, 2026 |
| CVE-2026-8704 | UNKNOWN | — | Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified. | May 15, 2026 |
| CVE-2026-8700 | UNKNOWN | — | Crypt::DSA versions before 1.20 for Perl generate seeds using rand. Seeds were generated using Perl's built-in rand function, which is predictable and unsuitable for security … | May 15, 2026 |
| CVE-2026-45667 | MEDIUM | 6.5 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, GET /api/v1/memories/ef is accessible without authentication and executes request.app.state.EMBEDDING_FUNCTION(...). … | May 15, 2026 |
| CVE-2026-45666 | MEDIUM | 6.5 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the API /api/v1/notes/{note_id} endpoint lacks proper authorization checks, allowing … | May 15, 2026 |
| CVE-2026-45665 | HIGH | 8.1 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the … | May 15, 2026 |
| CVE-2026-45365 | MEDIUM | 5.4 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypass_filter parameter is exposed on the /openai/chat/completions … | May 15, 2026 |
| CVE-2026-45351 | MEDIUM | 6.5 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.9, when a regular user [non-admin] logs into the application, … | May 15, 2026 |
| CVE-2026-45350 | HIGH | 7.1 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in chat completion API, which … | May 15, 2026 |
| CVE-2026-45347 | MEDIUM | 4.3 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.11, there is a blind server side request forgery (SSRF) … | May 15, 2026 |
| CVE-2026-45346 | UNKNOWN | — | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.31, there is a Cross-Site Scripting vulnerability in Open WebUI … | May 15, 2026 |
| CVE-2026-45345 | MEDIUM | 6.5 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user's model even if … | May 15, 2026 |
| CVE-2026-45338 | HIGH | 7.7 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a Server-Side Request Forgery (SSRF) vulnerability exists in _process_picture_url() … | May 15, 2026 |
| CVE-2026-45318 | MEDIUM | 5.4 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, his advisory tracks a regression of the original Excel-preview … | May 15, 2026 |
| CVE-2026-45317 | MEDIUM | 4.6 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found … | May 15, 2026 |
| CVE-2026-45316 | LOW | 3.5 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the POST /api/v1/notes/{id}/pin endpoint performs a write operation (toggling … | May 15, 2026 |
| CVE-2026-45315 | HIGH | 8.7 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint takes the file extension … | May 15, 2026 |
| CVE-2026-45314 | UNKNOWN | — | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profile_image_url values, … | May 15, 2026 |
| CVE-2026-45303 | HIGH | 7.7 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected … | May 15, 2026 |
| CVE-2026-45301 | HIGH | 8.1 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.3.16, a missing permission check in all files related API … | May 15, 2026 |
| CVE-2026-45299 | MEDIUM | 5.4 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, the profile_image_url field on the user profile update form … | May 15, 2026 |
| CVE-2026-44571 | MEDIUM | 6.5 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, in standard channels (i.e., channels whose channel.type is neither … | May 15, 2026 |
| CVE-2026-44570 | HIGH | 8.3 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, authorization controls surrounding the memories API were inconsistent, resulting … | May 15, 2026 |
| CVE-2026-44569 | HIGH | 7.1 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, there's an IDOR in the channels message management system … | May 15, 2026 |