open-webui (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package open-webui, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (9)
CVE-2025-64495 — CVSS 8.7 (high): Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. In versions 0.6.34 and below, the…
CVE-2025-65959 — CVSS 8.7 (high): Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Stored XSS…
CVE-2026-45665 — CVSS 8.1 (high): Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, a Stored Cross-Site…
CVE-2024-12537 — CVSS 7.5 (high): In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the…
CVE-2024-12534 — CVSS 7.5 (high): In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during…
CVE-2025-64496 — CVSS 7.3 (high): Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a…
CVE-2026-44721 — CVSS 7.3 (high): Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a stored cross-site…
CVE-2026-45395 — CVSS 7.2 (high): Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the tool update endpoint…
CVE-2026-45346 — CVSS 5.4 (medium): Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.31, there is a Cross-Site…