Open WebUI versions ≤0.9.4 allow authenticated users to bypass SSRF protections and read internal network resources via HTTP redirect-following. The vulnerability exists in five distinct code paths: web-fetch retrieval, image-loading endpoints, chat-completion image inlining, and OAuth/tool-server execution flows. Any authenticated user can submit a public URL that 302-redirects to internal addresses (127.0.0.1, 169.254.169.254 cloud metadata, RFC1918 private networks) and receive the response body. The vendor confirms active exploitation in the wild was NOT observed, but publicly available exploit code exists (PoC in advisory) and EPSS score of 0.00043 (4.3%) suggests low automated scanning targeting at time of analysis. Fixed in version 0.9.5 released March 2025.
URL parser mismatch in Open WebUI allows authenticated users to bypass SSRF protections and access internal network resources. The validate_url function uses Python's urlparse library to extract hostnames for validation, while the requests library handles actual HTTP requests. These libraries disagree on parsing URLs containing backslash characters (e.g., http://127.0.0.1:6666\@1.1.1.1), allowing attackers to craft URLs that pass validation as external addresses but resolve to internal hosts. Exploitation requires low-privilege authentication but no user interaction, enabling access to cloud metadata endpoints and internal services. Fixed in version 0.9.5 per GitHub advisory GHSA-8w7q-q5jp-jvgx.
Server-Side Request Forgery in Open WebUI's `validate_url()` function allows authenticated attackers to reach internal IPv4/IPv6 addresses, bypassing security controls via three distinct flaws: the validators library silently fails on IPv6 private-address checks (raising ValidationError which evaluates as falsy), IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) evade IPv4 filtering entirely, and multiple IANA-reserved IPv4 ranges (0.0.0.0/8, 100.64.0.0/10, 192.0.0.0/24, 198.18.0.0/15, 203.0.113.0/24) remain unblocked. The vulnerability persists in the RAG web search, image editing, and other endpoints despite an earlier incomplete remediation attempt (CVE-2025-65958), enabling exfiltration of AWS IMDSv1 credentials and access to localhost-bound services. Publicly available exploit code exists (demonstrated POC in advisory), affecting Open WebUI ≤0.8.12 with fix released in version 0.9.0.
Authenticated regular users with container-creation rights in Portainer can mount arbitrary host filesystem paths into their containers by bypassing the 'Disable bind mounts for non-administrators' security control via HostConfig.Mounts instead of HostConfig.Binds, enabling root-level access to sensitive host files, Docker socket takeover, and container escape on shared Docker environments. The vulnerability is confirmed actively exploited based on seven independent security researcher reports, with vendor-released patches available across all supported branches (2.33.8, 2.39.2, 2.41.0). CVSS 8.5 reflects network exploitation with low complexity and changed scope impact, though real-world risk depends heavily on whether multi-tenant environments rely on this control as their primary container isolation mechanism.
Heap-based buffer overflow in OpenImageIO's HEIF decoder enables arbitrary code execution via crafted image files. Affects OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0. Exploitation requires local access and user interaction (opening a malicious image file), but no authentication. Attack complexity is low once the malicious file is delivered. Vendor-released patches available in versions 3.0.18.0 and 3.1.13.0. No confirmed active exploitation (not listed in CISA KEV) and no public POC identified at time of analysis, though the technical details suggest straightforward exploitation once the attacker can deliver a crafted HEIF image to a target user.
Heap buffer overflow in OpenImageIO's SGI image decoder allows arbitrary code execution via specially crafted .sgi files. Affects versions before 3.0.18.0 and 3.1.13.0 when processing malicious SGI images with invalid RLE compression parameters. Publicly available exploit code exists (SSVC POC status confirmed). Attack requires local file access and user interaction to open the malicious file, but CVSS 8.4 reflects high impact potential (code execution) in VFX/animation production environments where SGI format handling is common. EPSS data unavailable, not listed in CISA KEV.
Heap buffer overflow in OpenImageIO versions before 3.0.18.0 and 3.1.13.0 allows local attackers to corrupt up to 65,535 bytes of memory via malicious Softimage .pic files. The vulnerability arises when processing RLE-compressed images where run-length validation is missing in two code paths (softimageinput.cpp lines 469 and 345), though the raw packet path correctly implements bounds checking. EPSS data not available. Not listed in CISA KEV. Patches released by Academy Software Foundation in versions 3.0.18.0 and 3.1.13.0.
Path traversal in STIGQter 0.1.2 through 1.2.6 allows local code execution when users open malicious .stigqter files and explicitly run the 'Export HTML' action. The CWE-22 path traversal flaw enables attackers to write arbitrary files with the victim's privileges, achieving code execution. User interaction is mandatory - victims must both open a crafted file and trigger the specific export function. No public exploit code or active exploitation has been identified at time of analysis, though the attack path is straightforward for targeted social engineering. Fixed in version 1.2.7 per vendor advisory.
Insufficient policy enforcement in GPU in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Integer overflow in Codecs in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)
Out of bounds write in Codecs in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)
Out of bounds write in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Integer overflow in GPU in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Network in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in HID in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Aura in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Input in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in FileSystem in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Race in Payments in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Cross-user authorization bypass in n8n's OAuth1/OAuth2 credential reconnect endpoints allows authenticated users with read-only access to shared credentials to overwrite stored OAuth tokens with attacker-controlled ones. Affects n8n versions prior to 1.123.43, 2.20.7, and 2.21.1 where credentials are shared between users or projects. No public exploit identified at time of analysis, and EPSS score is low (0.04%), but the flaw enables persistent hijacking of shared integrations and downstream workflow execution under the attacker's identity.
Heap buffer overflow in OpenImageIO 3.0.x (before 3.0.18.0) and 3.1.x (before 3.1.13.0) allows remote attackers to achieve denial of service or potentially arbitrary code execution via crafted DPX image files. The vulnerability stems from signed integer overflow in buffer size calculations within the DPX color converter, causing undersized heap allocations. Attack requires victim to open a malicious DPX file (user interaction required per CVSS UI:R). No public exploit code or active exploitation confirmed at time of analysis, though the technical details in the GitHub advisory provide sufficient detail for proof-of-concept development.
Stored cross-site scripting in SiYuan's Bazaar marketplace (versions 2.1.12 through 3.6.x) enables arbitrary code execution on the host system. The vulnerability stems from unescaped package author metadata rendering, which when exploited through a malicious marketplace package, allows attackers to leverage SiYuan's insecure Electron configuration (nodeIntegration enabled, contextIsolation disabled) to execute Node.js APIs and OS-level commands. No public exploit or active exploitation confirmed at time of analysis. CVSS 8.3 with high attack complexity and required user interaction suggests real-world exploitation depends on convincing users to view crafted marketplace entries.
Memory exhaustion in Elixir Plug 1.4.0 through 1.19.1 allows remote unauthenticated attackers to crash BEAM VM processes via unbounded buffer accumulation during multipart/form-data header parsing. The vulnerability mirrors CVE-2026-8466 in Cowboy: read_part_headers/2 recursively accumulates incoming bytes without size limits when parsing malformed multipart requests that never deliver complete header sections. Vendor-released patches available for all affected branches. No public exploit identified at time of analysis, but exploitation requires only basic HTTP client tools.
Remote code execution in CoreShop's GitHub Actions CI/CD pipeline allows unauthenticated attackers to compromise the build infrastructure and exfiltrate repository secrets by submitting a malicious pull request. The vulnerability stems from the dangerous combination of pull_request_target trigger with unverified code checkout, enabling attackers to execute arbitrary commands (bin/console) on GitHub-hosted runners with access to sensitive credentials including PIMCORE_SECRET and PIMCORE_PRODUCT_KEY. This 'Pwn Request' attack pattern (CWE-94: Code Injection) affects version 5.0.0 with no vendor patch currently released. The attack requires zero authentication (PR:N) and low complexity (AC:L), representing a critical supply chain security risk for organizations using CoreShop.
JWT authentication bypass in Fleet's Windows MDM enrollment allows attackers with access to any Azure AD tenant to enroll unauthorized devices and access management APIs. Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but fails to verify 'aud' (audience) or 'iss' (issuer) claims, accepting any Microsoft-signed token with the expected scopes. This enables unauthorized device enrollment and potential exposure of enrollment secrets embedded in MDM payloads. Vendor-released patch available in Fleet v4.82.0 (March 2026). No evidence of active exploitation (not in CISA KEV) at time of analysis, though the vulnerability was responsibly disclosed by security researcher @zaddy6.
Prototype pollution in @ranfdev/deepobj npm package (versions ≤1.0.2) allows remote unauthenticated attackers to modify JavaScript object prototypes when property paths containing '__proto__', 'constructor', or 'prototype' are processed. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation against network-accessible applications, though real-world impact depends critically on whether user-controlled input is passed to property path parameters. EPSS data unavailable; not listed in CISA KEV. Publicly available exploit code exists (GitHub advisory GHSA-x7q7-fchv-8h2j). Vendor-released patch available in version 1.0.3.
Insecure Direct Object Reference in the WordPress Fluent Forms plugin (versions through 6.2.0) allows authenticated users with Fluent Forms manager-level privileges to bypass form-level access controls via the exportEntries function. Attackers can exfiltrate submissions from forms they should not access, export data from arbitrary database tables, and enumerate table names through error message disclosure. No public exploit identified at time of analysis, and EPSS probability is very low (0.03%) despite the high CVSS score.
Authorization bypass in the Fluent Forms WordPress plugin (versions ≤6.1.21) allows authenticated Fluent Forms Managers to read, modify, annotate, and delete submissions belonging to forms outside their assigned scope by tampering with a user-controlled form_id query parameter. The flaw stems from the SubmissionPolicy class trusting client-supplied input for authorization decisions, granting cross-form access despite role restrictions. No public exploit identified at time of analysis, and EPSS exploitation probability remains low at 0.03%.
Client certificate validation bypass in Fleet's Windows MDM management endpoint allows remote attackers to impersonate enrolled devices and exfiltrate sensitive configuration data. With high attack complexity (CVSS:4.0 AV:N/AC:H), attackers possessing a valid device identifier can retrieve MDM payloads containing Wi-Fi credentials, VPN configurations, certificates, and other secrets. Vendor-released patch (Fleet v4.81.0) available. No public exploit or CISA KEV listing identified at time of analysis, though CVSS 8.2 severity reflects potential for credential theft and lateral movement.
Account takeover in ApostropheCMS password reset flow allows remote attackers to steal password reset tokens via Host header injection. When apos.baseUrl is not configured (common in development and some production deployments), the password reset mechanism trusts the attacker-controlled HTTP Host header to construct reset URLs, causing victims to receive legitimate reset emails with links pointing to attacker domains. Clicking the link delivers valid reset tokens to the attacker, enabling full account compromise. CVSS 8.1 (High) with network attack vector, low complexity, and no privileges required. No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit given the detailed technical disclosure in the GitHub security advisory.
Multiple concurrent LDAP or OAuth first-login requests on a freshly deployed Open WebUI instance can all receive administrator privileges through a TOCTOU race condition in role assignment logic. The vulnerability affects deployments using LDAP or OAuth authentication on instances with no existing users. While the regular signup handler was explicitly patched for this race condition in earlier code ('Insert with default role first to avoid TOCTOU race'), the LDAP and OAuth authentication paths were never updated with the same fix. Vendor-released patch available in version 0.9.0 (April 2026). No active exploitation confirmed (not in CISA KEV), though publicly available exploit code exists per GitHub advisory GHSA-h3ww-q6xx-w7x3. CVSS 8.1 (High) reflects network attack vector but requires high attack complexity (precise timing of concurrent requests during narrow first-deployment window).
Path traversal vulnerabilities in go-billy (Go filesystem abstraction library) allow authenticated attackers with network access to escape intended directory boundaries and access arbitrary filesystem locations. The vulnerability affects all versions prior to v5.9.0 and v6.0.0-alpha.1, with the osfs.ChrootOS implementation particularly impacted due to insufficient path sanitization of dot-dot-slash sequences. Applications using go-billy for filesystem isolation are at risk of unauthorized file access. Vendor has released patches in v5.9.0 and v6.0.0-alpha.1, with ChrootOS deprecated in v5 and removed in v6 in favor of the new BoundOS implementation backed by Go's traversal-resistant os.Root primitive. No public exploit identified at time of analysis, but CVSS 8.1 reflects high confidentiality and integrity impact.
Arbitrary file deletion in the Motors - Car Dealership & Classified Listings Plugin for WordPress (versions up to and including 1.4.107) allows authenticated users with subscriber-level access or higher to delete arbitrary files on the server by supplying a malicious filesystem path through the become-dealer logo upload flow. The flaw was reported by Wordfence and carries a CVSS of 8.1, but EPSS remains very low (0.05%) and CISA SSVC reports no observed exploitation, indicating risk is theoretical rather than active. No public exploit identified at time of analysis.
Authorization bypass in Portainer 2.33.0 through 2.33.7 allows authenticated users to access Kubernetes cluster resources beyond their assigned permissions due to missing return statement in middleware error handling. Any user with a valid Portainer session can exploit this to read or modify Kubernetes secrets, pods, deployments, and other resources on endpoints they should not access. The flaw affects both Community Edition and Enterprise Edition. Fixed in version 2.33.8 and inherently absent from 2.39.0+. No public exploit code identified at time of analysis, though the single-line code fix and detailed GitHub advisory make reproduction straightforward for authenticated attackers.
Stored XSS in Open WebUI Banner component enables privilege escalation from compromised admin to Super Admin. A malicious administrator can inject markdown-based JavaScript payloads (e.g., `[text](javascript:...)`) that bypass DOMPurify sanitization due to incorrect sanitizer-parser execution order in Banner.svelte:103. When the Super Admin views the global banner and clicks the crafted link, their session token is exfiltrated to the attacker. Vendor-released patch available in v0.8.0 (2026-02-12) reversing sanitization order to `DOMPurify.sanitize(marked.parse(...))`. CVSS 8.1 (High) with Network vector, Low complexity, but requires High privileges (admin) and User interaction (click). No KEV listing or EPSS data available; publicly disclosed POC with detailed reproduction steps.
Authenticated attackers can exfiltrate and overwrite any user's private files in Open WebUI ≤0.9.4 by injecting victim file UUIDs into attacker-controlled folders or knowledge bases. Two distinct attack paths bypass authorization checks: folder-knowledge ingestion (Path 1) leaks file content via RAG responses, while knowledge-base attachment (Path 2) grants persistent read/write access through standard file endpoints. File UUIDs leak through normal usage (chat citations, shared chats, URLs, browser history). Vendor-released patch version 0.9.5 available. No public exploit identified at time of analysis, but proof-of-concept code published in GitHub advisory GHSA-r472-mw7m-967f demonstrates both attack vectors with working curl commands.
Horizontal privilege escalation in Open WebUI versions through 0.3.15 allows any authenticated user to enumerate, read, and delete all files uploaded by all other users via missing authorization checks in the files API endpoints. The vulnerability requires only low-privilege authenticated access to the web interface and has publicly available exploit code with a detailed proof-of-concept demonstrating how attackers can list all uploaded files regardless of owner, retrieve file contents, and delete arbitrary user files. Organizations running multi-user Open WebUI deployments face immediate risk of data breach and integrity loss, as file upload features in conversational AI platforms commonly handle sensitive documents and internal communications.
Privilege escalation and cross-site scripting in Live Helper Chat 4.84v allows authenticated REST API users to manipulate chats outside their authorized departments and inject malicious JavaScript into operator sessions. Attackers with low-privilege lhchat/use access can modify arbitrary chat object fields including chat hash, status, and operation_admin properties, enabling unauthorized data access through visitor/widget paths and code execution in operator contexts. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis.
Privilege escalation in wger fitness manager allows gym trainers to impersonate gym managers via session-chain attack. An authenticated trainer exploits flawed session-flag logic in the trainer-login endpoint to bypass permission checks - first switching into a low-privilege user, then leveraging the inherited 'trainer.identity' session flag to hop into manager accounts. Publicly available proof-of-concept demonstrates complete takeover of gym administration with CVSS 8.1 (network-accessible, low complexity). No vendor patch confirmed at time of analysis; vulnerability actively disclosed by wger-project GitHub advisory GHSA-9qpr-vc49-hqg2. EPSS score not available, not in CISA KEV. Root cause is CWE-269 (improper privilege management) in core/views/user.py lines 169-178.
Arbitrary file read and deletion in Database Backup for WordPress (versions ≤2.5.2) allows unauthenticated attackers on WordPress Multisite installations to access sensitive files and potentially achieve site takeover. The vulnerability stems from improper authorization enforcement combined with user-controlled backup directory parameters, exploitable only in Multisite environments using the deprecated is_site_admin() function. CVSS 8.1 with high attack complexity (AC:H) reflects the Multisite-only prerequisite. No CISA KEV listing indicates limited observed exploitation despite the critical authorization bypass nature.
Broken object-level authorization in Open WebUI versions ≤0.8.12 allows any authenticated user to permanently delete files owned by other users when those files are referenced in any shared chat. The has_access_to_file() authorization function unconditionally grants access through its shared-chat branch, failing to validate both the requesting user's identity and the operation type (read vs. write). File UUIDs, which would otherwise prevent enumeration attacks, are exposed via the knowledge base API endpoint GET /api/v1/knowledge/{id}/files to any user with read access. This affects all default Docker deployments where chat sharing is enabled. Vendor-released patch available in v0.9.0 (commit 2e52ad8ff). No active exploitation confirmed (not in CISA KEV). CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H scores 8.0, though real-world impact extends beyond confidentiality to permanent data destruction with no recovery mechanism.
Cross-workspace evaluator takeover in FlowiseAI Flowise (npm package flowise) versions <= 3.1.1 allows an authenticated workspace member to overwrite an Evaluator entity's workspaceId via mass assignment, breaking tenant isolation. The Evaluator controller in packages/server/src/Interface.Evaluation.ts uses Object.assign(entity, body) without an allowlist, so a PUT request containing a chosen workspaceId reassigns ownership of the row to any other workspace whose UUID the attacker knows. No public exploit identified at time of analysis, but the issue is documented in detail in GHSA-wxrr-jp8m-qq7f and a vendor patch is available in release 3.1.2.
Cross-workspace data takeover in FlowiseAI Flowise versions 3.1.1 and earlier allows any authenticated workspace member to reassign Evaluation entities to arbitrary workspaces by exploiting a mass assignment flaw in the evaluations service. The vulnerability stems from unsanitized use of Object.assign() on user-controlled request bodies, enabling clients to overwrite protected fields including workspaceId and id. No public exploit identified at time of analysis, though the GHSA advisory and patch diff provide sufficient detail to reconstruct one trivially.
Cross-workspace data takeover in FlowiseAI Flowise versions 3.1.1 and earlier allows any authenticated workspace member to reassign DatasetRow records to arbitrary workspaces by injecting a workspaceId field into create or update request bodies. The DatasetRow service in packages/server/src/services/dataset/index.ts uses Object.assign without a field allowlist, accepting client-controlled ownership columns directly into the persisted entity. No public exploit identified at time of analysis, but the patched commit (49a2259) and source review make exploitation mechanically straightforward for anyone with edit permission.