HIGH 8.7 npm
GHSA-8wvc-869r-xfqf · CVE-2025-65959 Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF'
Modified: 12/5/2025
package
npm / open-webui
pkg:npm/open-webui
HIGH 8.1 npm
GHSA-cqp4-qqvg-3787 · CVE-2026-45665 Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order
Modified: 5/19/2026
HIGH 7.2 npm
GHSA-p4fx-23fq-jfg6 · CVE-2026-45395 Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution
Modified: 5/16/2026
MEDIUM npm
GHSA-r29h-37fj-x2w6 · CVE-2026-45346 Open WebUI Has Stored Cross-Site Scripting in SVG Renderer
Modified: 5/19/2026
HIGH 7.5 npm PyPI
GHSA-5ccf-884p-4jjq Open WebUI Unauthenticated Multipart Boundary Denial of Service (DoS) Vulnerability
Modified: 4/15/2025
HIGH 7.5 PyPI npm
GHSA-chf7-q7m5-fq92 · CVE-2024-12537 Open WebUI Uncontrolled Resource Consumption vulnerability
Modified: 4/1/2025
HIGH 7.3 npm PyPI
GHSA-cm35-v4vp-5xvx · CVE-2025-64496 Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
Modified: 11/15/2025
HIGH 7.5 PyPI npm
GHSA-g3mx-83mp-3rwc · CVE-2024-12534 Open WebUI Uncontrolled Resource Consumption vulnerability
Modified: 3/21/2025
HIGH 7.3 npm PyPI
GHSA-gf5m-wcrh-7928 · CVE-2026-44721 open-webui Vulnerable to Stored XSS via Model Description
Modified: 5/16/2026
HIGH 8.7 npm PyPI
GHSA-w7xj-8fx7-wfch · CVE-2025-64495 Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE
Modified: 11/27/2025