GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

47 advisories

Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image (High)
CVE-2026-45314, published for open-webui (pip) on May 14, 2026
Credited to Aikido-Security, JorianWoltjer, reindaelman, grumpinout1, and Classic298

Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions (High)
CVE-2026-45315, published for open-webui (pip) on May 14, 2026
Credited to maloleg and Classic298

Open WebUI has Stored Cross-Site Scripting In Profile Picture (Moderate)
CVE-2026-45299, published for open-webui (pip) on May 14, 2026
Credited to raresvis, Gh05t666nero, and Classic298

Open WebUI Arbitrary File Write, Delete via Path Traversal (High)
CVE-2026-44565, published for open-webui (pip) on May 11, 2026
Credited to KoreLogicSecurityDisclosures and Classic298

Open WebUI has stored XSS in Excel file preview (High)
CVE-2026-44549, published for open-webui (pip) on May 8, 2026
Credited to Classic298

Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order (Moderate)
CVE-2026-44568, published for open-webui (pip) on May 8, 2026
Credited to morimori-dev and Classic298

Open WebUI has Unauthorized File and Knowledge Base Content Access via RAG Vector Search (Moderate)
CVE-2026-44560, published for open-webui (pip) on May 8, 2026
Credited to Classic298

Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels (Moderate)
CVE-2026-44561, published for open-webui (pip) on May 8, 2026
Credited to Classic298

Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO (Moderate)
CVE-2026-44564, published for open-webui (pip) on May 8, 2026
Credited to Classic298
Open WebUI's Model Import Overwrites Any Model Without Ownership Check (Moderate)
CVE-2026-44562, published for open-webui (pip) on May 8, 2026
Credited to Classic298

Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels (Moderate)
CVE-2026-44559, published for open-webui (pip) on May 8, 2026
Credited to Classic298

Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection (Moderate)
CVE-2026-44557, published for open-webui (pip) on May 8, 2026
Credited to Classic298

Open WebUI has Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite (High)
CVE-2026-44554, published for open-webui (pip) on May 8, 2026
Credited to Classic298

Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants (Moderate)
CVE-2026-44558, published for open-webui (pip) on May 8, 2026
Credited to Classic298

Open WebUI's responses passthrough endpoint lacks access control authorization (High)
CVE-2026-44556, published for open-webui (pip) on May 8, 2026
Credited to Classic298

Open WebUI's Base Model Routing Bypasses Access Control via Model Chaining (High)
CVE-2026-44555, published for open-webui (pip) on May 8, 2026
Credited to Classic298
Open WebUI's Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts (Moderate)
CVE-2026-44550, published for open-webui (pip) on May 8, 2026
Credited to Classic298

Open WebUI has an LDAP Empty Password Authentication Bypass (Critical)
CVE-2026-44551, published for open-webui (pip) on May 8, 2026
Credited to Classic298

open-webui Vulnerable to Stored XSS via Model Description (High)
CVE-2026-44721, published for open-webui (npm) on May 8, 2026
Credited to fr0stydev and Classic298