open-webui

Direct Vulnerabilities

Known vulnerabilities in the open-webui package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version
  • L
Information Exposure

<0.9.6-r5
  • L
GHSA-m2v9-299j-rv96

<0.9.6-r5
  • L
GHSA-4m7w-qmgq-4wj5

<0.9.6-r5
  • L
GHSA-g3cq-j2xw-wf74

<0.9.6-r5
  • L
GHSA-9x8q-7h8h-wcw9

<0.9.6-r5
  • L
Loop with Unreachable Exit Condition ('Infinite Loop')

<0.9.6-r5
  • L
GHSA-2fqr-mr3j-6wp8

<0.9.6-r5
  • M
Out-of-Bounds

<0.9.6-r5
  • L
Improper Handling of Highly Compressed Data (Data Amplification)

<0.9.6-r5
  • L
Loop with Unreachable Exit Condition ('Infinite Loop')

<0.9.6-r5
  • L
Improper Initialization

<0.9.6-r5
  • L
GHSA-gr75-jv2w-4656

<0.9.6-r5
  • L
GHSA-63hw-fmq6-xxg2

<0.9.6-r5
  • L
GHSA-jm82-fx9c-mx94

<0.9.6-r5
  • L
Improper Resource Shutdown or Release

<0.9.6-r5
  • L
GHSA-52x6-gq3r-vpf4

<0.9.6-r5
  • L
Allocation of Resources Without Limits or Throttling

<0.9.6-r5
  • L
Allocation of Resources Without Limits or Throttling

<0.9.6-r5
  • L
GHSA-4xgf-cpjx-pc3j

<0.9.6-r5
  • L
Allocation of Resources Without Limits or Throttling

<0.9.6-r5
  • L
Improper Validation of Certificate with Host Mismatch

<0.9.6-r5
  • L
GHSA-rrmf-rvhw-rf47

<0.9.6-r5
  • L
GHSA-4fvr-rgm6-gqmc

<0.9.6-r5
  • L
GHSA-f4xh-w4cj-qxq8

<0.9.6-r5
  • L
GHSA-xcgm-r5h9-7989

<0.9.6-r5
  • L
GHSA-hpj7-wq8m-9hgp

<0.9.6-r5
  • M
Resource Exhaustion

<0.9.6-r4
  • L
Use After Free

<0.9.6-r4
  • L
GHSA-cj93-chg6-vgv8

<0.9.6-r4
  • L
GHSA-248m-82v9-q6g6

<0.9.6-r4
  • L
Excessive Iteration

<0.9.6-r4
  • L
GHSA-rgxp-2hwp-jwgg

<0.9.6-r4
  • H
Origin Validation Error

<0.9.6-r3
  • L
GHSA-hg6j-4rv6-33pg

<0.9.6-r3
  • H
Deserialization of Untrusted Data

<0.9.6-r3
  • L
GHSA-jg22-mg44-37j8

<0.9.6-r3
  • H
Improper Handling of Highly Compressed Data (Data Amplification)

<0.9.6-r1
  • L
GHSA-3644-q5cj-c5c7

<0.9.6-r1
  • L
Deserialization of Untrusted Data

<0.9.6-r1
  • L
CVE-2026-46338

<0.9.6-r1
  • M
Inefficient Regular Expression Complexity

<0.9.6-r1
  • L
GHSA-qccp-gfcp-xxvc

<0.9.6-r1
  • L
GHSA-65pc-fj4g-8rjx

<0.9.6-r1
  • L
GHSA-62q4-447f-wv8h

<0.9.6-r1
  • L
GHSA-mf9v-mfxr-j63j

<0.9.6-r1
  • M
Information Exposure

<0.9.6-r1
  • M
Excessive Iteration

<0.9.2-r0
  • M
Excessive Iteration

<0.9.2-r0
  • M
Uncontrolled Memory Allocation

<0.9.2-r0
  • C
Arbitrary Argument Injection

<0.9.2-r0
  • M
Uncontrolled Memory Allocation

<0.9.2-r0
  • L
Information Exposure

<0.9.2-r0
  • L
Server-Side Request Forgery (SSRF)

<0.9.2-r0
  • H
Directory Traversal

<0.9.2-r0
  • L
OS Command Injection

<0.9.2-r0
  • L
Cross-site Request Forgery (CSRF)

<0.9.2-r0
  • C
XML Injection

<0.9.2-r0
  • L
GHSA-6w46-j5rx-g56g

<0.9.2-r0
  • L
GHSA-fv5p-p927-qmxr

<0.9.2-r0
  • M
Insecure Temporary File

<0.9.2-r0
  • L
GHSA-jj6c-8h6c-hppx

<0.9.2-r0
  • L
GHSA-3crg-w4f6-42mx

<0.9.2-r0
  • L
GHSA-4pxv-j86v-mhcw

<0.9.2-r0
  • L
GHSA-38jv-5279-wg99

<0.9.2-r0
  • L
GHSA-jj8c-mmj3-mmgv

<0.9.2-r0
  • M
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

<0.9.2-r0
  • L
GHSA-rr7j-v2q5-chgv

<0.9.2-r0
  • L
GHSA-768j-98cg-p3fv

<0.9.2-r0
  • L
GHSA-rpm5-65cw-6hj4

<0.9.2-r0
  • H
Improper Handling of Highly Compressed Data (Data Amplification)

<0.9.2-r0
  • L
GHSA-2xpw-w6gg-jr37

<0.9.2-r0
  • L
GHSA-x284-j5p8-9c5p

<0.9.2-r0
  • L
GHSA-gc5v-m9x4-r6x2

<0.9.2-r0
  • L
Creation of Temporary File in Directory with Incorrect Permissions

<0.9.2-r0
  • L
GHSA-x2qx-6953-8485

<0.9.2-r0
  • H
Allocation of Resources Without Limits or Throttling

<0.9.2-r0
  • L
GHSA-7gw9-cf7v-778f

<0.9.2-r0
  • L
GHSA-gm62-xv2j-4w53

<0.9.2-r0
  • L
GHSA-v92g-xgxw-vvmm

<0.9.2-r0
  • H
Improper Handling of Highly Compressed Data (Data Amplification)

<0.9.2-r0
  • L
GHSA-vfmq-68hx-4jfw

<0.8.12-r3
  • L
XML External Entity (XXE) Injection

<0.8.12-r3
  • M
Link Following

<0.8.12-r3
  • M
HTTP Response Splitting

<0.8.12-r3
  • L
Allocation of Resources Without Limits or Throttling

<0.8.12-r3
  • L
GHSA-926x-3r5x-gfhw

<0.8.12-r3
  • L
GHSA-q5f5-3gjm-7mfm

<0.8.12-r3
  • M
Incorrect Default Permissions

<0.8.12-r3
  • L
Improper Neutralization of Special Elements Used in a Template Engine

<0.8.12-r3
  • L
GHSA-3wq7-rqq7-wx6j

<0.8.12-r3
  • L
GHSA-w2fm-2cpv-w7v5

<0.8.12-r3
  • M
Allocation of Resources Without Limits or Throttling

<0.8.12-r3
  • L
GHSA-63hf-3vf5-4wqf

<0.8.12-r3
  • L
Resource Exhaustion

<0.8.12-r3
  • M
HTTP Response Splitting

<0.8.12-r3
  • C
Out-of-Bounds

<0.8.12-r3
  • L
GHSA-2vrm-gr82-f7m5

<0.8.12-r3
  • H
Directory Traversal

<0.8.12-r3
  • M
Information Exposure

<0.8.12-r3
  • L
GHSA-c427-h43c-vf67

<0.8.12-r3
  • L
HTTP Response Splitting

<0.8.12-r3
  • L
GHSA-w828-4qhx-vxx3

<0.8.12-r3
  • L
GHSA-m5qp-6w8w-w647

<0.8.12-r3
  • H
Allocation of Resources Without Limits or Throttling

<0.8.12-r3
  • M
Improper Input Validation

<0.8.12-r3
  • L
GHSA-p998-jp59-783m

<0.8.12-r3
  • L
GHSA-p423-j2cm-9vmq

<0.8.12-r3
  • L
GHSA-hcc4-c3v8-rx92

<0.8.12-r3
  • L
GHSA-966j-vmvw-g2g9

<0.8.12-r3
  • L
GHSA-mwh4-6h8g-pg8w

<0.8.12-r3
  • L
Missing Authentication for Critical Function

<0.8.12-r2
  • M
Resource Exhaustion

<0.8.12-r2
  • L
GHSA-jm6w-m3j8-898g

<0.8.12-r2
  • L
Resource Exhaustion

<0.8.12-r2
  • H
Loop with Unreachable Exit Condition ('Infinite Loop')

<0.8.12-r2
  • L
GHSA-gfwx-w7gr-fvh7

<0.8.12-r2
  • L
GHSA-5239-wwwm-4pmq

<0.8.12-r2
  • L
Cross-site Scripting (XSS)

<0.8.12-r2
  • L
GHSA-87mj-5ggw-8qc3

<0.8.12-r2
  • L
GHSA-rf74-v2fm-23pw

<0.8.12-r2
  • L
GHSA-qpxp-75px-xjcp

<0.8.12-r2
  • L
GHSA-3936-cmfr-pm3m

<0.8.10-r1
  • L
GHSA-hqmh-ppp3-xvm7

<0.8.10-r1
  • L
Insufficient Verification of Data Authenticity

<0.8.10-r1
  • H
Directory Traversal

<0.8.10-r1
  • M
Allocation of Resources Without Limits or Throttling

<0.8.10-r1
  • L
GHSA-752w-5fwx-jx9f

<0.8.10-r1
  • L
Arbitrary Code Injection

<0.8.9-r0
  • L
GHSA-7p94-766c-hgjp

<0.8.9-r0
  • M
Allocation of Resources Without Limits or Throttling

<0.8.3-r1
  • L
GHSA-68rp-wp8r-4726

<0.8.3-r1
  • H
Directory Traversal

<0.8.3-r0
  • L
GHSA-w853-jp5j-5j7f

<0.6.41-r1
  • H
CVE-2026-0994

<0.8.3-r0
  • L
Improper Neutralization of Special Elements Used in a Template Engine

<0.6.37-r0
  • L
GHSA-vr63-x8vc-m265

<0.6.34-r1
  • L
GHSA-pc6w-59fv-rh23

<0.6.27-r0
  • L
GHSA-6qv9-48xg-fc7f

<0.6.37-r0
  • L
Asymmetric Resource Consumption (Amplification)

<0.6.41-r1
  • L
GHSA-2q4j-m29v-hq73

<0.8.3-r1
  • M
Improper Handling of Windows Device Names

<0.8.3-r1
  • L
Information Exposure

<0.6.27-r0
  • L
GHSA-jfx9-29x2-rv3j

<0.6.34-r1
  • L
GHSA-58pv-8j8x-9vj2

<0.7.2-r1
  • L
GHSA-9mvc-8737-8j8h

<0.8.3-r1
  • M
CVE-2026-26007

<0.8.3-r0
  • M
Allocation of Resources Without Limits or Throttling

<0.6.43-r1
  • L
GHSA-428g-f7cq-pgp5

<0.6.41-r1
  • L
GHSA-jm66-cg57-jjv5

<0.7.2-r1
  • L
XML External Entity (XXE) Injection

<0.6.33-r0
  • L
GHSA-6mq8-rvhq-8wgg

<0.6.43-r1
  • L
GHSA-m42m-m8cr-8m58

<0.6.33-r0
  • L
GHSA-69f9-5gxw-wvc2

<0.6.43-r1
  • H
Allocation of Resources Without Limits or Throttling

<0.6.43-r1
  • L
GHSA-7hfw-26vp-jp8m

<0.6.22-r1
  • L
GHSA-2g6r-c272-w58r

<0.8.3-r0
  • L
GHSA-996q-pr4m-cvgq

<0.8.3-r1
  • M
Link Following

<0.6.41-r1
  • H
Loop with Unreachable Exit Condition ('Infinite Loop')

<0.8.5-r0
  • L
GHSA-29vq-49wr-vm6x

<0.8.3-r1
  • L
GHSA-2rw7-x74f-jg35

<0.8.5-r0
  • L
Improper Handling of Highly Compressed Data (Data Amplification)

<0.6.43-r1
  • L
Allocation of Resources Without Limits or Throttling

<0.7.2-r1
  • L
Allocation of Resources Without Limits or Throttling

<0.6.18-r1
  • H
Improper Handling of Highly Compressed Data (Data Amplification)

<0.6.34-r1
  • H
Excessive Iteration

<0.6.34-r1
  • L
GHSA-2c2j-9gv5-cj73

<0.6.18-r1
  • H
Resource Exhaustion

<0.6.22-r1
  • M
Information Exposure Through Caching

<0.8.3-r1
  • L
GHSA-g84x-mcqj-x9qq

<0.6.43-r1
  • L
GHSA-63vm-454h-vhhq

<0.7.2-r1
  • M
Directory Traversal

<0.6.43-r1
  • L
Server-Side Request Forgery (SSRF)

<0.8.3-r0
  • M
Directory Traversal

<0.8.3-r0
  • H
Loop with Unreachable Exit Condition ('Infinite Loop')

<0.6.43-r1
  • M
Resource Exhaustion

<0.8.6-r0
  • M
Logging of Excessive Data

<0.6.43-r1
  • L
GHSA-9ggr-2464-2j32

<0.6.30-r1
  • L
Insufficient Verification of Data Authenticity

<0.6.30-r1
  • L
Algorithmic Complexity

<0.6.34-r2
  • L
GHSA-7f5h-v6xp-fcq8

<0.6.34-r2
  • L
GHSA-fh55-r93g-j68g

<0.6.43-r1
  • L
GHSA-f2v5-7jq9-h8cg

<0.8.6-r0
  • M
Loop with Unreachable Exit Condition ('Infinite Loop')

<0.8.3-r1
  • L
Directory Traversal

<0.7.2-r1
  • M
Loop with Unreachable Exit Condition ('Infinite Loop')

<0.8.3-r1
  • M
HTTP Request Smuggling

<0.6.43-r1
  • L
GHSA-6jhg-hg63-jvvf

<0.6.43-r1
  • L
GHSA-8rrh-rw8j-w5fx

<0.8.3-r0
  • L
GHSA-jj3x-wxrx-4x23

<0.6.43-r1
  • L
GHSA-54jq-c3m8-4m76

<0.6.43-r1
  • M
Excessive Iteration

<0.8.3-r1
  • H
Insecure Default Initialization of Resource

<0.6.40-r1
  • L
GHSA-mqqc-3gqh-h2x8

<0.6.43-r1
  • L
Deserialization of Untrusted Data

<0.6.33-r1
  • L
GHSA-wgvp-vg3v-2xq3

<0.8.3-r1
  • L
GHSA-wp53-j4wj-2cfg

<0.8.3-r0
  • M
HTTP Request Smuggling

<0.6.43-r1
  • L
GHSA-r6ph-v2qm-q3c2

<0.8.3-r0
  • L
GHSA-7gcm-g887-7qv7

<0.8.3-r0
  • L
GHSA-g8c6-8fjj-2r4m

<0.6.33-r1
  • H
Deserialization of Untrusted Data

<0.7.2-r1
  • L
GHSA-9h52-p55h-vw2f

<0.6.40-r1
  • L
Resource Exhaustion

<0.6.40-r0
  • L
GHSA-m449-cwjh-6pw7

<0.6.40-r0