
open-webui

v0.1.125 · npm · JavaScript


The verdict
Has 10 high-severity advisories. Verify a patched version exists before using. Check the OSV link for the fixed-in version.
Live from the npm registry · derived rules, not AI
How it scores
Maintenance: Abandoned
Popularity: Unknown
Security: 10 advisories
License: Unknown
Deps: Heavy
Maintenance
Last published 2 years ago.
Popularity
Download count unavailable.
Security
10 known advisories (worst: high severity).
License
No license declared.
Dependencies
19 direct dependencies
Security advisories
Live from OSV.dev · cached 24h
  • HIGH
    Open WebUI Unauthenticated Multipart Boundary Denial of Service (DoS) Vulnerability
    GHSA-5ccf-884p-4jjq Published 2025-03-20
  • HIGH
    Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF'
    GHSA-8wvc-869r-xfqf · Fixed in 0.6.37 · Published 2025-12-04
  • HIGH
    Open WebUI Uncontrolled Resource Consumption vulnerability
    GHSA-chf7-q7m5-fq92 Published 2025-03-20
  • HIGH
    Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
    GHSA-cm35-v4vp-5xvx · Fixed in 0.6.35 · Published 2025-11-07
  • HIGH
    Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order
    GHSA-cqp4-qqvg-3787 · Fixed in 0.8.0 · Published 2026-05-14
  • HIGH
    Open WebUI Uncontrolled Resource Consumption vulnerability
    GHSA-g3mx-83mp-3rwc Published 2025-03-20
  • HIGH
    open-webui Vulnerable to Stored XSS via Model Description
    GHSA-gf5m-wcrh-7928 · Fixed in 0.9.0 · Published 2026-05-08
  • HIGH
    Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution
    GHSA-p4fx-23fq-jfg6 · Fixed in 0.9.5 · Published 2026-05-14
  • HIGH
    Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE
    GHSA-w7xj-8fx7-wfch · Fixed in 0.6.35 · Published 2025-11-07
  • MEDIUM
    Open WebUI Has Stored Cross-Site Scripting in SVG Renderer
    GHSA-r29h-37fj-x2w6 · Fixed in 0.6.31 · Published 2026-05-14
Recent releases
  • 0.1.125 · 2 years ago