open-webui
npm
5 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting open-webui
- CVE-2025-64496 | HIGH | CVSS 7.3 | EG 7.3 | ✓ Fixed in 0.6.35 | 2025-11-08
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model ser…
- CVE-2026-44721 | HIGH | CVSS 7.3 | EG 7.3 | ✓ Fixed in 0.9.0 | 2026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a stored cross-site scripting (XSS) vulnerability that allows any authenticated user with model creation permission (workspa…
- CVE-2026-45346 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 0.6.31 | 2026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.31, there is a Cross-Site Scripting vulnerability in Open WebUI's SVG renderer implementation. This vulnerability is fixed in 0.6…
- CVE-2026-45395 | HIGH | CVSS 7.2 | EG 7.2 | ✓ Fixed in 0.9.5 | 2026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the tool update endpoint (POST /api/v1/tools/id/{id}/update) is missing the workspace.tools permission check that is present…
- CVE-2026-45665 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 0.8.0 | 2026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Banner component due to an improper sanitization order (spec…