Vulnerabilities > Openwebui > Open Webui
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-03-20 | CVE-2024-12537 | Allocation of Resources Without Limits or Throttling vulnerability in Openwebui Open Webui 0.3.32 In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/utils/code/format` endpoint. | 7.5 |
| 2025-03-20 | CVE-2024-7053 | Unspecified vulnerability in Openwebui Open Webui 0.3.8 A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. | 9.0 |
| 2025-03-20 | CVE-2024-7806 | Unspecified vulnerability in Openwebui Open Webui A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). | 8.8 |
| 2025-03-20 | CVE-2024-8053 | Missing Authentication for Critical Function vulnerability in Openwebui Open Webui 0.3.10 In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. | 8.2 |
| 2024-10-10 | CVE-2024-7049 | Unspecified vulnerability in Openwebui Open Webui 0.3.8 In version v0.3.8 of open-webui/open-webui, a vulnerability exists where a token is returned when a user with a pending role logs in. | 5.4 |
| 2024-10-09 | CVE-2024-7038 | Information Exposure Through an Error Message vulnerability in Openwebui Open Webui An information disclosure vulnerability exists in open-webui version 0.3.8. | 2.7 |
| 2024-08-07 | CVE-2024-6706 | Cross-site Scripting vulnerability in Openwebui Open Webui 0.1.105 Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page. | 6.1 |
| 2024-08-07 | CVE-2024-6707 | Path Traversal vulnerability in Openwebui Open Webui 0.1.105 Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traversal vulnerability. | 8.8 |