CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.13)

CVE-2026-54019
Medium

Open WebUI is a self-hosted artificial intelligence platform that prior to version 0.9.6 added collection-level ACL checks. However, in Milvus multitenancy mode, these checks can be bypassed, leading to potential unauthorized access to resources.

CVE-2026-54018
High

Open WebUI is an artificial intelligence platform that prior to version 0.9.6 had a vulnerability in the validate_url function in SafePlaywrightURLLoader, allowing SSRF attacks. The URL validation was only performed on the initial URL, enabling attackers to bypass protections using HTTP redirects.

CVE-2026-54016
Medium

Open WebUI is a self-hosted artificial intelligence platform that prior to version 0.9.6 had a Broken Object Level Authorization (BOLA) vulnerability in the search_knowledge_files tool. This allows an authenticated user to access metadata from private or restricted knowledge base files without proper permissions.

CVE-2026-54015
Medium

Open WebUI prior to version 0.9.6 has a vulnerability that allows authenticated users to access the private prompt history of other users. The issues occur in the version history endpoints that do not verify if the history entry belongs to the correct prompt.

CVE-2026-54014
Medium

In Open WebUI prior to version 0.9.6, a path traversal vulnerability exists in the cache file serving endpoint that allows authenticated users to read files from sibling directories outside the intended cache directory.

CVE-2026-54013
High

In Open WebUI prior to version 0.9.6, an SVG XSS vulnerability was found in model profile images. An authenticated user with the default workspace.models permission can store malicious code in a model's profile image, leading to full account takeover of anyone who views the image.

CVE-2026-54012
High

Open WebUI prior to version 0.9.6 allows users to store arbitrary meta.knowledge entries in models without checking file permissions. This enables malicious model owners to access private files of other users.

CVE-2026-54011
High

Open WebUI prior to version 0.9.6 renders Mermaid blocks from Markdown files in the file preview panel, allowing for the injection of malicious JavaScript code into the DOM. Due to the securityLevel: 'loose' setting, attacker-controlled content can be rendered unsafely.

CVE-2026-54010
High

Open WebUI is an artificial intelligence platform that, prior to version 0.9.6, allowed authenticated users to attach arbitrary file_id values to their chat messages without verifying ownership. This enables attackers to access victim files by sharing the chat.

CVE-2026-54009
Medium

In Open WebUI prior to version 0.9.6, a vulnerability allows an authenticated user to access other users' files by manipulating the image_url.url parameter in the POST /api/chat/completions request. If this value does not start with http://, https://, or data:image/, it is interpreted as a file id, allowing access to the file content without permission checks.

CVE-2026-54008
High

In Open WebUI prior to version 0.9.6, a vulnerability allows an attacker with a valid OAuth identity to submit a public URL that redirects to an internal address. This enables the attacker to read the internal response from their own profile_image_url field.

CVE-2026-54007
Medium

Open WebUI before version 0.9.6 has a vulnerability where the chat message listener accepts `input:prompt` and `action:submit` messages from non-same-origin sources. An external site can set prompt text and trigger `submitPrompt()` in an authenticated victim session, leading to unauthorized POST requests to API endpoints.

CVE-2026-54006
Medium

In Open WebUI prior to version 0.9.6, there is a vulnerability that allows regular user-role accounts to move events between other users' calendars without proper permissions. This vulnerability stems from the lack of validation of the destination calendar_id in the event update request.

CVE-2026-53662
Critical

Immich, a photo and video management solution, has a reflected XSS vulnerability on the /auth/login page. An attacker can take over an authenticated user's account with a single link click.

CVE-2026-52846
Medium

Caddy before version 2.11.4 has a vulnerability in the stripHTML template function that cannot reliably remove all HTML tags from input strings. Malformed HTML, such as <<>img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output.

CVE-2026-52845
High

Caddy before version 2.11.4 has a vulnerability in the forward_auth copy_headers mechanism that allows a remote client to bypass identity header deletion and inject its own headers into PHP/FastCGI applications. This occurs because Caddy normalizes HTTP headers into CGI variables by replacing hyphens with underscores, enabling the attacker to use an underscore alias.

CVE-2026-52844
High

Caddy before version 2.11.4 on Windows incorrectly handles path separators in path matchers, allowing bypass of access controls to protected directories. An unauthenticated remote attacker can access protected resources.

CVE-2026-50221
Medium

In OpenStack Swift before version 2.37.2, the proxy-server does not strip internal update headers (X-Container-Host, X-Container-Device, X-Delete-At-Host, X-Delete-At-Device) from client requests before forwarding them to object-servers. An authenticated user with write access can inject these headers to redirect container update requests to an attacker-controlled server, enabling server-side request forgery (SSRF).

CVE-2026-49983
Medium

In Deno prior to 2.8.1, the process.loadEnvFile() function does not honor environment permission restrictions (--deny-env). It allows writing variables from a .env file into the process even when environment access is denied.

CVE-2026-49860
Medium

In Deno prior to 2.8.1, when a WebSocket connection was opened, only the destination hostname was checked against --deny-net rules, but the IP addresses that hostname resolved to were not re-checked. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely.

PreviousPage 216 of 4552Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS