Vulnerabilities

Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.

Filtering: Group: cwe Clear
ID Title
CVE-2026-45401 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45401)
SSRF in open-webui (CVE-2026-45401). Confidential information can be exposed externally. Exploitable via ``requests``. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45400 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45400)
SSRF in open-webui (CVE-2026-45400). Confidential information can be exposed externally. Exploitable via ``requests``. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45399 Vulnerability in open-webui (CVE-2026-45399)
vulnerability in open-webui (CVE-2026-45399). Risk of unauthorized operations or information disclosure. Exploitable via `GET /api/tasks`. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45397 Vulnerability in open-webui (CVE-2026-45397)
vulnerability in open-webui (CVE-2026-45397). Risk of unauthorized operations or information disclosure. Exploitable via `GET /api/v1/retrieval/`. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45395 Privilege Escalation in open-webui (CVE-2026-45395)
vulnerability in open-webui (CVE-2026-45395). Successful exploitation can lead to full system takeover. Exploitable via `POST /api/v1/tools/id/{id}/update`. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45387 Information Disclosure in open-webui (CVE-2026-45387)
vulnerability in open-webui (CVE-2026-45387). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `0.9.5` or later.
CVE-2026-45365 Vulnerability in open-webui (CVE-2026-45365)
vulnerability in open-webui (CVE-2026-45365). Risk of unauthorized operations or information disclosure. Exploitable via `POST /openai/chat/completions`. Mitigation: upgrade to `0.8.11` or later.
CVE-2026-45351 Information Disclosure in open-webui (CVE-2026-45351)
vulnerability in open-webui (CVE-2026-45351). Confidential information can be exposed externally. Exploitable via `GET /api/models`. Mitigation: upgrade to `0.8.9` or later.
CVE-2026-45350 Vulnerability in open-webui (CVE-2026-45350)
vulnerability in open-webui (CVE-2026-45350). Confidential information can be exposed externally. Exploitable via ``tool_id``. Mitigation: upgrade to `0.8.6` or later.
CVE-2026-45348 Cross-Site Scripting (XSS) in pyload-ng (CVE-2026-45348)
cross-site scripting in pyload-ng (CVE-2026-45348). Confidential information can be exposed externally. Exploitable via `POST /flash/add`.
CVE-2026-42570 Vulnerability in devalue (CVE-2026-42570)
vulnerability in devalue (CVE-2026-42570). Risk of unauthorized operations or information disclosure. Exploitable via ``devalue.parse``. Mitigation: upgrade to `5.8.1` or later.
CVE-2026-45347 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45347)
SSRF in open-webui (CVE-2026-45347). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/v1/utils/pdf`. Mitigation: upgrade to `0.5.11` or later.
CVE-2026-45346 Vulnerability in open-webui (CVE-2026-45346)
vulnerability in open-webui (CVE-2026-45346). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `0.6.31` or later.
CVE-2026-45345 Vulnerability in open-webui (CVE-2026-45345)
vulnerability in open-webui (CVE-2026-45345). Data can be tampered with by attackers. Exploitable via `POST /api/v1/models/model/update`. Mitigation: upgrade to `0.5.7` or later.
CVE-2026-45339 Authorization Flaw in open-webu (CVE-2026-45339)
vulnerability in open-webu (CVE-2026-45339). Confidential information can be exposed externally. Exploitable via `Authorization header`. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45338 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45338)
SSRF in open-webui (CVE-2026-45338). Confidential information can be exposed externally. Exploitable via ``picture``. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-42599 Cross-Site Scripting (XSS) in svelte (CVE-2026-42599)
cross-site scripting in svelte (CVE-2026-42599). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `5.55.7` or later.
CVE-2026-45331 SSRF (Server-Side Request Forgery) in open-webui (CVE-2026-45331)
SSRF in open-webui (CVE-2026-45331). Confidential information can be exposed externally. Exploitable via ``validators``. Mitigation: upgrade to `0.9.0` or later.
CVE-2026-45317 Vulnerability in open-webui (CVE-2026-45317)
vulnerability in open-webui (CVE-2026-45317). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `0.9.3` or later.
CVE-2026-45318 Cross-Site Scripting (XSS) in open-webui (CVE-2026-45318)
cross-site scripting in open-webui (CVE-2026-45318). Risk of unauthorized operations or information disclosure. Exploitable via ``fileOfficeHtml``. Mitigation: upgrade to `0.8.0` or later.
CVE-2026-45316 Authorization Flaw in open-webui (CVE-2026-45316)
vulnerability in open-webui (CVE-2026-45316). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/v1/notes/{id}/pin`. Mitigation: upgrade to `0.9.3` or later.
CVE-2026-45315 Unrestricted File Upload in open-webui (CVE-2026-45315)
vulnerability in open-webui (CVE-2026-45315). Confidential information can be exposed externally. Mitigation: upgrade to `0.9.3` or later.
CVE-2026-45306 Vulnerability in pyload-ng (CVE-2026-45306)
vulnerability in pyload-ng (CVE-2026-45306). Confidential information can be exposed externally. Exploitable via `GET /files/get/`.
CVE-2026-44636 Vulnerability in saitoha (CVE-2026-44636)
vulnerability in saitoha (CVE-2026-44636). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `1.8.7-r2` or later.
CVE-2026-44637 Vulnerability in saitoha (CVE-2026-44637)
vulnerability in saitoha (CVE-2026-44637). Data can be tampered with by attackers. Mitigation: upgrade to `1.8.7-r2` or later.
CVE-2026-44638 Vulnerability in dos (CVE-2026-44638)
vulnerability in dos (CVE-2026-44638). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `1.8.7-r2` or later.
CVE-2026-43909 Out-of-Bounds Read in openimageio (CVE-2026-43909)
vulnerability in openimageio (CVE-2026-43909). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `3.0.18.0` or later.
CVE-2026-43996 Out-of-Bounds Read in openimageio (CVE-2026-43996)
vulnerability in openimageio (CVE-2026-43996). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `3.0.18.0` or later.
CVE-2026-43905 Vulnerability in cpp (CVE-2026-43905)
vulnerability in cpp (CVE-2026-43905). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `3.0.18.0` or later.
CVE-2026-43907 Vulnerability in cpp (CVE-2026-43907)
vulnerability in cpp (CVE-2026-43907). Data can be tampered with by attackers. Mitigation: upgrade to `3.0.18.0` or later.
CVE-2026-43908 Vulnerability in openimageio (CVE-2026-43908)
vulnerability in openimageio (CVE-2026-43908). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `3.0.18.0` or later.
CVE-2026-43906 Vulnerability in openimageio (CVE-2026-43906)
vulnerability in openimageio (CVE-2026-43906). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `3.0.18.0` or later.
CVE-2026-43903 Out-of-Bounds Write in cpp (CVE-2026-43903)
out-of-bounds write in cpp (CVE-2026-43903). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `3.0.18.0` or later.
CVE-2026-43904 Out-of-Bounds Write in cpp (CVE-2026-43904)
out-of-bounds write in cpp (CVE-2026-43904). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `3.0.18.0` or later.
CVE-2026-45303 Cross-Site Scripting (XSS) in open-webui (CVE-2026-45303)
cross-site scripting in open-webui (CVE-2026-45303). Confidential information can be exposed externally. Exploitable via ``High``. Mitigation: upgrade to `0.6.5` or later.
CVE-2026-45301 Vulnerability in open-webui (CVE-2026-45301)
vulnerability in open-webui (CVE-2026-45301). Confidential information can be exposed externally. Exploitable via ``user_id``. Mitigation: upgrade to `0.3.16` or later.
CVE-2026-45058 Vulnerability in electerm (CVE-2026-45058)
vulnerability in electerm (CVE-2026-45058). Risk of unauthorized operations or information disclosure.
CVE-2026-45299 Cross-Site Scripting (XSS) in open-webui (CVE-2026-45299)
cross-site scripting in open-webui (CVE-2026-45299). Risk of unauthorized operations or information disclosure. Exploitable via `GET /api/v1/users/{user_id}/profile/image`. Mitigation: upgrade to `>= 0.8.0` or later.
CVE-2026-8596 Vulnerability in Amazon sagemaker (CVE-2026-8596)
vulnerability in Amazon sagemaker (CVE-2026-8596). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `3.8.0` or later.
CVE-2026-8621 Authentication Bypass in github.com/openclaw/crabbox (CVE-2026-8621)
authentication bypass in github.com/openclaw/crabbox (CVE-2026-8621). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `0.12.0` or later.
CVE-2026-44592 Vulnerability in CVE-2026-44592 (CVE-2026-44592)
vulnerability in CVE-2026-44592 (CVE-2026-44592). Data can be tampered with by attackers. Mitigation: upgrade to `1.1.1` or later.
CVE-2026-44633 Authorization Flaw in CVE-2026-44633 (CVE-2026-44633)
vulnerability in CVE-2026-44633 (CVE-2026-44633). Confidential information can be exposed externally.
CVE-2026-44589 SSRF (Server-Side Request Forgery) in nuxt-og-image (CVE-2026-44589)
SSRF in nuxt-og-image (CVE-2026-44589). Risk of unauthorized operations or information disclosure. Exploitable via ``isBlockedUrl``. Mitigation: upgrade to `6.4.9` or later.
CVE-2026-44523 Vulnerability in github.com/enchant97/note-mark/backend (CVE-2026-44523)
vulnerability in github.com/enchant97/note-mark/backend (CVE-2026-44523). Confidential information can be exposed externally. Exploitable via ``JWT_SECRET``. Mitigation: upgrade to `0.0.0-20260501152247-18b587758667` or later.
CVE-2026-44522 Vulnerability in github.com/enchant97/note-mark/backend (CVE-2026-44522)
vulnerability in github.com/enchant97/note-mark/backend (CVE-2026-44522). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/notes/{noteID}/assets`. Mitigation: upgrade to `0.0.0-20260501152243-db3f72bff780` or later.
CVE-2026-44586 Cross-Site Scripting (XSS) in CVE-2026-44586 (CVE-2026-44586)
cross-site scripting in CVE-2026-44586 (CVE-2026-44586). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `3.7.0` or later.
CVE-2026-41315 OS Command Injection in midoks (CVE-2026-41315)
OS command injection in midoks (CVE-2026-41315). Successful exploitation can lead to full system takeover.
CVE-2026-27680 Vulnerability in sap (CVE-2026-27680)
vulnerability in sap (CVE-2026-27680). Risk of unauthorized operations or information disclosure.
CVE-2026-44541 Cross-Site Scripting (XSS) in ethyca-fides (CVE-2026-44541)
cross-site scripting in ethyca-fides (CVE-2026-44541). Risk of unauthorized operations or information disclosure. Exploitable via ``fides.js``. Mitigation: upgrade to `2.84.5` or later.
CVE-2026-42897 KEV [KEV] Cross-Site Scripting (XSS) in Microsoft exchange-server (CVE-2026-42897)
cross-site scripting in Microsoft exchange-server (CVE-2026-42897). Confidential information can be exposed externally. Listed in CISA KEV — actively exploited.

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →