Live data from GitHub and PyPI, updated daily.
Data last fetched: 2026-06-30
10 active CVEs reported via OSV.dev
Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401)
Open WebUI Vulnerable to SSRF via OAuth Profile Picture URL in `_process_picture_url` (`oauth.py`)
Open WebUI: shared-chat branch ignores `access_type`, allowing unauthorized file deletion
Open WebUI has unauthorized deletion of knowledge files
Open WebUI has an LDAP Empty Password Authentication Bypass
Open WebUI has XSS via SVG in `/api/v1/channels/webhooks/{webhook_id}/profile/image`
Open WebUI Allows Arbitrary File Write via the `download_model` Endpoint
Open WebUI: Cross-origin `postMessage` confirmation bypass via `action:submit`
Open WebUI vulnerable to stored XSS via OAuth picture claim stored as SVG data URI in `profile_image_url`
Open WebUI: Redis Cache Keys `tool_servers` and `terminal_servers` Missing Instance Prefix Enable Cross-Instance Cache Poisoning