Published issues
CVE-2026-44568
4.8 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): High (H)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): High (H)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
updated 4 weeks, 1 day ago by @LeSuisse
Activity log
- Created suggestion 4 weeks, 1 day ago
- @LeSuisse accepted 4 weeks, 1 day ago
- @LeSuisse published on GitHub 4 weeks, 1 day ago
Open WebUI: Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order
CVE-2026-44563
5.4 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): None (N)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): Low (L)
updated 4 weeks, 1 day ago by @LeSuisse
Activity log
- Created suggestion 4 weeks, 1 day ago
- @LeSuisse accepted 4 weeks, 1 day ago
- @LeSuisse published on GitHub 4 weeks, 1 day ago
Open WebUI: Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show
CVE-2026-45387
4.3 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): None (N)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): None (N)
updated 4 weeks, 1 day ago by @LeSuisse
Activity log
- Created suggestion 4 weeks, 1 day ago
- @LeSuisse accepted 4 weeks, 1 day ago
- @LeSuisse published on GitHub 4 weeks, 1 day ago
Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)
CVE-2026-45671
8.0 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
updated 4 weeks, 1 day ago by @LeSuisse
Activity log
- Created suggestion 4 weeks, 1 day ago
- @LeSuisse accepted 4 weeks, 1 day ago
- @LeSuisse published on GitHub 4 weeks, 1 day ago
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion
CVE-2026-44556
7.1 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): None (N)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): High (H)
updated 4 weeks, 1 day ago by @LeSuisse
Activity log
- Created suggestion 4 weeks, 1 day ago
- @LeSuisse accepted 4 weeks, 1 day ago
- @LeSuisse published on GitHub 4 weeks, 1 day ago
Open WebUI: responses passthrough endpoint lacks access control authorization
CVE-2026-45318
5.4 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
updated 4 weeks, 1 day ago by @LeSuisse
Activity log
- Created suggestion 4 weeks, 1 day ago
- @LeSuisse accepted 4 weeks, 1 day ago
- @LeSuisse published on GitHub 4 weeks, 1 day ago
Open WebUI: Stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify)
CVE-2026-45400
8.5 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Changed (C)
- Confidentiality (C): High (H)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
updated 4 weeks, 1 day ago by @LeSuisse
Activity log
- Created suggestion 4 weeks, 1 day ago
- @LeSuisse accepted 4 weeks, 1 day ago
- @LeSuisse published on GitHub 4 weeks, 1 day ago
Open WebUI: Server-Side Request Forgery (SSRF) bypass in `validate_url`
CVE-2026-45317
4.6 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): None (N)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): Low (L)
updated 4 weeks, 1 day ago by @LeSuisse
Activity log
- Created suggestion 4 weeks, 1 day ago
- @LeSuisse accepted 4 weeks, 1 day ago
- @LeSuisse published on GitHub 4 weeks, 1 day ago
Open WebUI: Cross-Site Request Forgery (CSRF) via Image URL Manipulation
CVE-2026-44559
4.3 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): None (N)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): None (N)
updated 4 weeks, 1 day ago by @LeSuisse
Activity log
- Created suggestion 4 weeks, 1 day ago
- @LeSuisse accepted 4 weeks, 1 day ago
- @LeSuisse published on GitHub 4 weeks, 1 day ago
Open WebUI: Missing Access Check on Channel Members Endpoint for Standard Channels
CVE-2026-8669
6.5 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
updated 4 weeks, 1 day ago by @LeSuisse
Activity log
- Created suggestion 4 weeks, 1 day ago
- @LeSuisse ignored 12 packages 4 weeks, 1 day ago:
  - imager
  - usbimager
  - vcdimager
  - rpi-imager
  - gImageReader
  - gimagereader
  - gImageReader-qt
  - gimagereader-qt
  - perl540Packages.ImagerQRCode
  - perl538Packages.ImagerQRCode
  - perl5Packages.ImagerQRCode
  - perlPackages.ImagerQRCode
- @LeSuisse accepted 4 weeks, 1 day ago
- @LeSuisse published on GitHub 4 weeks, 1 day ago
Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files