Vulnerabilities

ID | Packages | Summary | Published | Attributes
GHSA-5v57-8rxj-3p2r
  • PyPI/utcp-cli
python-utcp: Full Process Environment Exposed to CLI Subprocess - Secrets Leakage via Command Injection 3 hours ago
  • Fix available
  • Severity - 7.7 (High)
GHSA-33p6-5jxp-p3x4
  • PyPI/utcp-cli
utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol 3 hours ago
  • Fix available
  • Severity - 10.0 (Critical)
MAL-2026-3743
  • PyPI/sol-batch-transfer-sdk
Malicious code in sol-batch-transfer-sdk (PyPI) 3 hours ago
  • No fix available
GHSA-h3ww-q6xx-w7x3
  • PyPI/open-webui
Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts 3 hours ago
  • Fix available
  • Severity - 8.1 (High)
GHSA-482j-2pq6-q5w4
  • PyPI/open-webui
Open WebUI: Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed 3 hours ago
  • Fix available
  • Severity - 8.8 (High)
GHSA-26g9-27vm-x3q8
  • PyPI/open-webui
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion 3 hours ago
  • Fix available
  • Severity - 8.0 (High)
GHSA-m69w-p7m4-585j
  • PyPI/open-webui
Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS) 3 hours ago
  • Fix available
  • Severity - 6.5 (Medium)
GHSA-x3qm-p8hr-3c3h
  • PyPI/open-webui
Open WebUI has an Indirect Object Reference (IDOR) in user notes 3 hours ago
  • Fix available
  • Severity - 6.5 (Medium)
GHSA-r472-mw7m-967f
  • PyPI/open-webui
Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints 3 hours ago
  • Fix available
  • Severity - 8.1 (High)
GHSA-3wgj-c2hg-vm6q
  • PyPI/open-webui
Open WebUI vulnerable to stored XSS via OAuth picture claim stored as SVG data URI in profile_image_url 3 hours ago
  • Fix available
  • Severity - 7.3 (High)
GHSA-rh5x-h6pp-cjj6
  • PyPI/open-webui
Open WebUI has a SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints (not addressed by CVE-2025-65958) 3 hours ago
  • Fix available
  • Severity - 8.5 (High)
GHSA-8w7q-q5jp-jvgx
  • PyPI/open-webui
Open WebUI has a Server-Side Request Forgery (SSRF) bypass in `validate_url` 3 hours ago
  • Fix available
  • Severity - 8.5 (High)
GHSA-8jjp-r2w2-4v22
  • PyPI/open-webui
Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wide chat disruption 3 hours ago
  • Fix available
  • Severity - 7.1 (High)
GHSA-4g37-7p2c-38r9
  • PyPI/open-webui
Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls 3 hours ago
  • Fix available
  • Severity - 7.5 (High)
GHSA-65pg-qhhw-mxwg
  • PyPI/open-webui
Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure 3 hours ago
  • Fix available
  • Severity - 5.3 (Medium)
GHSA-rjmp-vjf2-qf4g
  • PyPI/open-webui
Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation 3 hours ago
  • Fix available
  • Severity - 5.4 (Medium)