| 721 | 5.4 | MEDIUM Network | - | - | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, this advisory tracks a regression of the original Excel-preview XSS (CVE-2026-44549).… | CWE-79 Cross-site Scripting | CVE-2026-45318 | 2026-05-19 02:36 | 2026-05-16 |
| 722 | 7.7 | HIGH Network | - | - | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a Server-Side Request Forgery (SSRF) vulnerability exists in _process_picture_url() … | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-45338 | 2026-05-19 02:36 | 2026-05-16 |
| 723 | 6.5 | MEDIUM Network | - | - | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user's model even if its visibility is set to Private. By … | CWE-285 Improper Authorization | CVE-2026-45345 | 2026-05-19 02:36 | 2026-05-16 |
| 724 | - | | - | - | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.31, there is a Cross-Site Scripting vulnerability in Open WebUI SVG renderer implementa… | CWE-80 Basic XSS | CVE-2026-45346 | 2026-05-19 02:36 | 2026-05-16 |
| 725 | 4.3 | MEDIUM Network | - | - | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.11, there is a blind server side request forgery (SSRF) via the PDF generate function. … | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-45347 | 2026-05-19 02:36 | 2026-05-16 |
| 726 | 6.5 | MEDIUM Network | - | - | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.9, when a regular user [non-admin] logs into the application, a http://IP:8080/api/mode… | CWE-200 Information Exposure | CVE-2026-45351 | 2026-05-19 02:36 | 2026-05-16 |
| 727 | 7.1 | HIGH Network | - | - | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in chat completion API, which allows attackers to bypass to… | CWE-862 Missing Authorization | CVE-2026-45350 | 2026-05-19 02:36 | 2026-05-16 |
| 728 | 4.3 | MEDIUM Network | dovecot open-xchange | dovecot | Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is lim… | CWE-284 NVD-CWE-noinfo Improper Access Control | CVE-2026-40020 | 2026-05-19 02:36 | 2026-05-12 |
| 729 | 5.3 | MEDIUM Adjacent | dovecot open-xchange | dovecot | Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the c… | CWE-99 Resource Injection | CVE-2026-33603 | 2026-05-19 02:35 | 2026-05-12 |
| 730 | 6.5 | MEDIUM Network | dovecot open-xchange | dovecot | Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to deg… | CWE-400 Uncontrolled Resource Consumption | CVE-2026-40016 | 2026-05-19 02:34 | 2026-05-12 |