| CVE-2026-45665 |
high |
8.1 |
8.1 |
|
|
|
19d ago |
Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order |
| CVE-2026-44721 |
high |
7.3 |
7.3 |
|
|
|
19d ago |
open-webui Vulnerable to Stored XSS via Model Description |
| CVE-2026-45395 |
high |
7.2 |
7.2 |
|
|
|
19d ago |
Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution |
| CVE-2026-45346 |
medium |
5.4 |
5.4 |
|
|
|
19d ago |
Open WebUI Has Stored Cross-Site Scripting in SVG Renderer |
| CVE-2025-65959 |
unknown |
— |
— |
|
|
|
6mo ago |
Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF' |
| CVE-2025-64496 |
unknown |
— |
— |
|
|
|
7mo ago |
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events |
| CVE-2025-64495 |
unknown |
— |
— |
|
|
|
7mo ago |
Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE |
| CVE-2024-12534 |
unknown |
— |
— |
|
|
|
1y ago |
Open WebUI Uncontrolled Resource Consumption vulnerability |
| CVE-2024-12537 |
unknown |
— |
— |
|
|
|
1y ago |
Open WebUI Uncontrolled Resource Consumption vulnerability |
