CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
In Open WebUI prior to version 0.8.11, there is a vulnerability that allows an attacker to bypass authorization checks when joining a document room. By manipulating the document identifier, the attacker can access the victim's private note contents.
Open WebUI before version 0.9.6 has a vulnerability in Ollama proxy routes where the url_idx parameter is used as a raw index into the OLLAMA_BASE_URLS list. An authenticated user can force a request to any Ollama backend, including internal, privileged, or admin-disabled ones, without proper authorization.
Open WebUI is a self-hosted artificial intelligence platform that prior to version 0.9.6 added collection-level ACL checks. However, in Milvus multitenancy mode, these checks can be bypassed, leading to potential unauthorized access to resources.
Open WebUI is a self-hosted artificial intelligence platform that prior to version 0.9.6 had a Broken Object Level Authorization (BOLA) vulnerability in the search_knowledge_files tool. This allows an authenticated user to access metadata from private or restricted knowledge base files without proper permissions.
Open WebUI prior to version 0.9.6 has a vulnerability that allows authenticated users to access the private prompt history of other users. The issues occur in the version history endpoints that do not verify if the history entry belongs to the correct prompt.
In Open WebUI prior to version 0.9.6, a path traversal vulnerability exists in the cache file serving endpoint that allows authenticated users to read files from sibling directories outside the intended cache directory.
In Open WebUI prior to version 0.9.6, a vulnerability allows an authenticated user to access other users' files by manipulating the image_url.url parameter in the POST /api/chat/completions request. If this value does not start with http://, https://, or data:image/, it is interpreted as a file id, allowing access to the file content without permission checks.
Open WebUI before version 0.9.6 has a vulnerability where the chat message listener accepts `input:prompt` and `action:submit` messages from non-same-origin sources. An external site can set prompt text and trigger `submitPrompt()` in an authenticated victim session, leading to unauthorized POST requests to API endpoints.
In Open WebUI prior to version 0.9.6, there is a vulnerability that allows regular user-role accounts to move events between other users' calendars without proper permissions. This vulnerability stems from the lack of validation of the destination calendar_id in the event update request.
Caddy before version 2.11.4 has a vulnerability in the stripHTML template function that cannot reliably remove all HTML tags from input strings. Malformed HTML, such as <<>img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output.
In OpenStack Swift before version 2.37.2, the proxy-server does not strip internal update headers (X-Container-Host, X-Container-Device, X-Delete-At-Host, X-Delete-At-Device) from client requests before forwarding them to object-servers. An authenticated user with write access can inject these headers to redirect container update requests to an attacker-controlled server, enabling server-side request forgery (SSRF).
In Deno prior to 2.8.1, the process.loadEnvFile() function does not honor environment permission restrictions (--deny-env). It allows writing variables from a .env file into the process even when environment access is denied.
In Deno prior to 2.8.1, when a WebSocket connection was opened, only the destination hostname was checked against --deny-net rules, but the IP addresses that hostname resolved to were not re-checked. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely.
In Deno prior to version 2.8.1, the fetch() function checked the destination hostname against --deny-net rules but did not re-check the resolved IP addresses. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing network restrictions entirely.
In Deno prior to version 2.8.0, the Node.js compatibility TCP path checked the permission against the original hostname string before resolution and then did not re-check after resolution. A caller could pass a numeric alias of an IP address (e.g., the decimal integer 2130706433 or the hex form 0x7f000001, both resolving to 127.0.0.1) and bypass the restriction using the { host, port } options in node:net.connect or node:http.request.
In BYONM mode (nodeModulesDir: "manual") in Deno before version 2.7.12, the module resolver did not validate that a package's resolved entrypoint stayed within its node_modules/<pkg>/ directory. A malicious package.json whose main field contained .. segments was able to resolve to an arbitrary path on disk, and the resolver then read that file without consulting the --allow-read allowlist. This let a require("evil-pkg") call return the contents of a file that a direct Deno.readTextFileSync(...) call would have been blocked from reading.
A vulnerability in Caddy server versions 2.4.0 through 2.11.3 arises from a mismatch between the authorization layer and the /config path traversal layer. The authorization layer uses string prefix matching, while the traversal layer parses array indices numerically using strconv.Atoi(), leading to incorrect resolution of configuration objects. The issue is fixed in version 2.11.3.
A vulnerability in the configparser module allows injection of unexpected keys and values into configuration files when writing multi-line text values containing carriage return characters ( ). An attacker can control the written value, leading to file content manipulation.
A vulnerability in MuPDF before version 1.27.0-rc1 allows a remote attacker to cause a denial of service (DoS) by supplying a crafted EPUB file with deeply nested HTML elements and inline CSS styles. The issue stems from uncontrolled recursion in the value_from_inheritable_property() function in css-apply.c, which traverses the CSS property inheritance chain without a depth limit, exhausting the process stack and crashing any application using MuPDF for EPUB rendering.
A vulnerability in Adobe Acrobat and Reader allows out-of-bounds memory read, potentially leading to disclosure of sensitive data. An attacker can exploit this flaw to access confidential information, but it requires the victim to open a specially crafted file.

