
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32 advisories

Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts (High)
CVE-2026-45675 was published for open-webui (pip) May 14, 2026
Credited to sfwani and Classic298
Credited to MrBeard-FT and Classic298
Credited to tenbbughunters, YLChen-007, sneaXOR, Classic298, and nayakchinmohan
Open WebUI has a Server-Side Request Forgery (SSRF) bypass in `validate_url` (High)
CVE-2026-45400 was published for open-webui (pip) May 14, 2026
Credited to Fushuling, RacerZ-fighting, and Classic298
Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint (Moderate)
CVE-2026-45386 was published for open-webui (pip) May 14, 2026
Credited to kikayli and Classic298
Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint (Moderate)
CVE-2026-45385 was published for open-webui (pip) May 14, 2026
Credited to kikayli and Classic298
Credited to aliceQWAS and Classic298
Open WebUI has a full SSRF Vulnerability in the RAG Web Search Feature (High)
CVE-2026-45331 was published for open-webui (pip) May 14, 2026
Credited to dkonis, wlayzz, and Classic298
Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation (Moderate)
CVE-2026-45317 was published for open-webui (pip) May 14, 2026
Credited to bray-sec and Classic298
Credited to qi-scape and Classic298
Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image (High)
CVE-2026-45314 was published for open-webui (pip) May 14, 2026
Credited to Aikido-Security, JorianWoltjer, reindaelman, grumpinout1, and Classic298
Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions (High)
CVE-2026-45315 was published for open-webui (pip) May 14, 2026
Credited to maloleg and Classic298
Open WebUI has Stored Cross-Site Scripting in Profile Picture (Moderate)
CVE-2026-45299 was published for open-webui (pip) May 14, 2026
Credited to raresvis, Gh05t666nero, and Classic298
Open WebUI Arbitrary File Write and Delete via Path Traversal (High)
CVE-2026-44565 was published for open-webui (pip) May 11, 2026
Credited to KoreLogicSecurityDisclosures and Classic298
Open WebUI has stored XSS in Excel file preview (High)
CVE-2026-44549 was published for open-webui (pip) May 8, 2026
Credited to Classic298
Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order (Moderate)
CVE-2026-44568 was published for open-webui (pip) May 8, 2026
Credited to morimori-dev and Classic298
Open WebUI has Unauthorized File and Knowledge Base Content Access via RAG Vector Search (Moderate)
CVE-2026-44560 was published for open-webui (pip) May 8, 2026
Credited to Classic298
Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels (Moderate)
CVE-2026-44561 was published for open-webui (pip) May 8, 2026
Credited to Classic298
Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO (Moderate)
CVE-2026-44564 was published for open-webui (pip) May 8, 2026
Credited to Classic298
Credited to Classic298
Open WebUI's Model Import Overwrites Any Model Without Ownership Check (Moderate)
CVE-2026-44562 was published for open-webui (pip) May 8, 2026
Credited to Classic298
Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels (Moderate)
CVE-2026-44559 was published for open-webui (pip) May 8, 2026
Credited to Classic298
Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection (Moderate)
CVE-2026-44557 was published for open-webui (pip) May 8, 2026
Credited to Classic298
Open WebUI has Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite (High)
CVE-2026-44554 was published for open-webui (pip) May 8, 2026
Credited to Classic298
Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants (Moderate)
CVE-2026-44558 was published for open-webui (pip) May 8, 2026
Credited to Classic298