CVSS - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
MEDIUM 4.3	CVE-2026-54014	Open WebUI: Sibling-Prefix Path Traversal via /cache/{path} in open-webui/open-webui_CVE-2026-54014 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, a path traversal vulnerability e...	open-webui	open-webui < 0.9.6	Jun 23, 2026	CVE
HIGH 7.6	CVE-2026-54013	Open WebUI: Stored XSS to Account Takeover via Model Profile Images in Open WebUI_CVE-2026-54013 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI patched SVG XSS in us...	open-webui	open-webui < 0.9.6	Jun 23, 2026	CVE
HIGH 7.1	CVE-2026-54012	Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion_CVE-2026-54012 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets a user who can c...	open-webui	open-webui < 0.9.6	Jun 23, 2026	CVE
HIGH 8.7	CVE-2026-54011	Open WebUI: Stored XSS in Mermaid Markdown Preview_CVE-2026-54011 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6,Open WebUI renders Mermaid blocks...	open-webui	open-webui < 0.9.6	Jun 23, 2026	CVE
HIGH 8.3	CVE-2026-54010	Open WebUI: Forged chat-file link allows cross-user file read and deletion_CVE-2026-54010 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets an authenticated...	open-webui	open-webui < 0.9.6	Jun 23, 2026	CVE
MEDIUM 6.5	CVE-2026-54009	Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field_CVE-2026-54009 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/chat/completions accep...	open-webui	open-webui < 0.9.6	Jun 23, 2026	CVE
HIGH 8.5	CVE-2026-54008	Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url`_CVE-2026-54008 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, backend/open_webui/utils/oauth.p...	open-webui	open-webui < 0.9.6	Jun 23, 2026	CVE
HIGH 7.1	CVE-2026-54007	Open WebUI: Cross-origin postMessage confirmation bypass via action:submit_CVE-2026-54007 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the chat message listener allows...	open-webui	open-webui < 0.9.6	Jun 23, 2026	CVE
MEDIUM 4.3	CVE-2026-54006	Open WebUI: Calendar event re-parenting allows writing events into another user’s calendar_CVE-2026-54006 Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, POST /api/v1/calendars/events/{e...	open-webui	open-webui < 0.9.6	Jun 23, 2026	CVE
MEDIUM 5.3	CVE-2026-50221	CVE-2026-50221_CVE-2026-50221 In OpenStack Swift before 2.37.2, proxy-server does not strip internal update headers (X-Container-Host, X-Container-Device, X-Delete-At-Host, X-De...	OpenStack	Swift 2.0.0	Jun 23, 2026	CVE