Vulnerabilities (CVE)

Filtered by vendor Openwebui Subscribe
Filtered by product Open Webui
Total 4 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-6707 2 Debian, Openwebui 2 Debian Linux, Open Webui 2024-11-21 N/A 8.8 HIGH
Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traversal vulnerability.
CVE-2024-6706 2 Debian, Openwebui 2 Debian Linux, Open Webui 2024-11-21 N/A 6.1 MEDIUM
Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page.
CVE-2024-7038 1 Openwebui 1 Open Webui 2024-11-03 N/A 2.7 LOW
An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existence and configuration of the file. This behavior allows an attacker to enumerate file names and traverse directories by observing the error messages, leading to potential exposure of sensitive information.
CVE-2024-7049 1 Openwebui 1 Open Webui 2024-10-17 N/A 5.4 MEDIUM
In version v0.3.8 of open-webui/open-webui, a vulnerability exists where a token is returned when a user with a pending role logs in. This allows the user to perform actions without admin confirmation, bypassing the intended approval process.