pkg:npm/open-webui
9 total CVEs (HIGH: 8)
All known vulnerabilities
HIGH 8.7 CVE-2025-65959 Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF'
from 0, < 0.6.37
HIGH 8.7 CVE-2025-64495 Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE
from 0, < 0.6.35
HIGH 8.1 CVE-2026-45665 Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order
from 0, < 0.8.0
HIGH 7.5 CVE-2024-12537 Open WebUI Uncontrolled Resource Consumption vulnerability
from 0, <= 0.3.32
HIGH 7.5 Open WebUI Uncontrolled Resource Consumption vulnerability
from 0, <= 0.3.32
HIGH 7.3 open-webui Vulnerable to Stored XSS via Model Description
from 0, < 0.9.0
HIGH 7.3 Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
from 0, < 0.6.35
HIGH 7.2 Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution
from 0, < 0.9.5
— Open WebUI Has Stored Cross-Site Scripting in SVG Renderer
from 0, < 0.6.31