|
501
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, his advisory tracks a regression of the original Excel-preview XSS (CVE-2026-44549).…
Update
|
CWE-79
Cross-site Scripting
|
CVE-2026-45318
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
502
|
7.7 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a Server-Side Request Forgery (SSRF) vulnerability exists in _process_picture_url() …
Update
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-45338
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
503
|
4.6 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-W…
Update
|
CWE-20
CWE-352
Improper Input Validation
Origin Validation Error
|
CVE-2026-45317
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
504
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user's model even if its visibility is set to Private. By …
Update
|
CWE-285
Improper Authorization
|
CVE-2026-45345
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
505
|
- |
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.31, there is a Cross-Site Scripting vulnerability in Open WebUI SVG renderer implementa…
Update
|
CWE-80
Basic XSS
|
CVE-2026-45346
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
506
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.11, there is a blind server side request forgery (SSRF) via the PDF generate function. …
Update
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-45347
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
507
|
7.1 |
HIGH
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in chat completion API, which allows attackers to bypass to…
Update
|
CWE-862
Missing Authorization
|
CVE-2026-45350
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
508
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.9, when a regular user [non-admin] logs into the application, a http://IP:8080/api/mode…
Update
|
CWE-200
Information Exposure
|
CVE-2026-45351
|
2026-05-19 02:36 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
509
|
4.3 |
MEDIUM
Network
|
dovecot
open-xchange
|
dovecot
|
Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is lim…
Update
|
CWE-284
NVD-CWE-noinfo
Improper Access Control
|
CVE-2026-40020
|
2026-05-19 02:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
510
|
5.3 |
MEDIUM
Adjacent
|
dovecot
open-xchange
|
dovecot
|
Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the c…
Update
|
CWE-99
Resource Injection
|
CVE-2026-33603
|
2026-05-19 02:35 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
