CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
Open WebUI is a self-hosted artificial intelligence platform that prior to version 0.9.6 added collection-level ACL checks. However, in Milvus multitenancy mode, these checks can be bypassed, leading to potential unauthorized access to resources.
Open WebUI is an artificial intelligence platform that prior to version 0.9.6 had a vulnerability in the validate_url function in SafePlaywrightURLLoader, allowing SSRF attacks. The URL validation was only performed on the initial URL, enabling attackers to bypass protections using HTTP redirects.
Open WebUI is a self-hosted artificial intelligence platform that prior to version 0.9.6 had a Broken Object Level Authorization (BOLA) vulnerability in the search_knowledge_files tool. This allows an authenticated user to access metadata from private or restricted knowledge base files without proper permissions.
Open WebUI prior to version 0.9.6 has a vulnerability that allows authenticated users to access the private prompt history of other users. The issues occur in the version history endpoints that do not verify if the history entry belongs to the correct prompt.
In Open WebUI prior to version 0.9.6, a path traversal vulnerability exists in the cache file serving endpoint that allows authenticated users to read files from sibling directories outside the intended cache directory.
In Open WebUI prior to version 0.9.6, an SVG XSS vulnerability was found in model profile images. An authenticated user with the default workspace.models permission can store malicious code in a model's profile image, leading to full account takeover of anyone who views the image.
Open WebUI prior to version 0.9.6 allows users to store arbitrary meta.knowledge entries in models without checking file permissions. This enables malicious model owners to access private files of other users.
Open WebUI prior to version 0.9.6 renders Mermaid blocks from Markdown files in the file preview panel, allowing for the injection of malicious JavaScript code into the DOM. Due to the securityLevel: 'loose' setting, attacker-controlled content can be rendered unsafely.
Open WebUI is an artificial intelligence platform that, prior to version 0.9.6, allowed authenticated users to attach arbitrary file_id values to their chat messages without verifying ownership. This enables attackers to access victim files by sharing the chat.
In Open WebUI prior to version 0.9.6, a vulnerability allows an authenticated user to access other users' files by manipulating the image_url.url parameter in the POST /api/chat/completions request. If this value does not start with http://, https://, or data:image/, it is interpreted as a file id, allowing access to the file content without permission checks.
In Open WebUI prior to version 0.9.6, a vulnerability allows an attacker with a valid OAuth identity to submit a public URL that redirects to an internal address. This enables the attacker to read the internal response from their own profile_image_url field.
Open WebUI before version 0.9.6 has a vulnerability where the chat message listener accepts `input:prompt` and `action:submit` messages from non-same-origin sources. An external site can set prompt text and trigger `submitPrompt()` in an authenticated victim session, leading to unauthorized POST requests to API endpoints.
In Open WebUI prior to version 0.9.6, there is a vulnerability that allows regular user-role accounts to move events between other users' calendars without proper permissions. This vulnerability stems from the lack of validation of the destination calendar_id in the event update request.
Immich, a photo and video management solution, has a reflected XSS vulnerability on the /auth/login page. An attacker can take over an authenticated user's account with a single link click.
Caddy before version 2.11.4 has a vulnerability in the stripHTML template function that cannot reliably remove all HTML tags from input strings. Malformed HTML, such as <<>img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output.
Caddy before version 2.11.4 has a vulnerability in the forward_auth copy_headers mechanism that allows a remote client to bypass identity header deletion and inject its own headers into PHP/FastCGI applications. This occurs because Caddy normalizes HTTP headers into CGI variables by replacing hyphens with underscores, enabling the attacker to use an underscore alias.
Caddy before version 2.11.4 on Windows incorrectly handles path separators in path matchers, allowing bypass of access controls to protected directories. An unauthenticated remote attacker can access protected resources.
In OpenStack Swift before version 2.37.2, the proxy-server does not strip internal update headers (X-Container-Host, X-Container-Device, X-Delete-At-Host, X-Delete-At-Device) from client requests before forwarding them to object-servers. An authenticated user with write access can inject these headers to redirect container update requests to an attacker-controlled server, enabling server-side request forgery (SSRF).
In Deno prior to 2.8.1, the process.loadEnvFile() function does not honor environment permission restrictions (--deny-env). It allows writing variables from a .env file into the process even when environment access is denied.
In Deno prior to 2.8.1, when a WebSocket connection was opened, only the destination hostname was checked against --deny-net rules, but the IP addresses that hostname resolved to were not re-checked. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely.

