CVE-2026-45315

Score / Severity

8.7

High

Categories

Cross-site ScriptingFile Inclusion

OWSAP

A03-InjectionA04-Insecure Design

Vector

Network

Published

2026-05-15
22h16 +00:00

Modified

2026-05-15
22h16 +00:00

Official links

CVE.org

NVD

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Notifications manage

Custom alerts

Activate your personalized alerts!

To activate your alerts, you just need to be logged in to your free account. If you’re not logged in yet, choose one of the options below.

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Criteria applied when sending the alert: compared with the last alert sent + differences in CISA, EPSS, CVSS, CWE, Solutions, CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specified here a CVE ID as CVE-2025-1234

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

CVE Descriptions

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint takes the file extension from the user-supplied filename and saves the file under CACHE_DIR/audio/transcriptions/.. The /cache/{path} route serves these files via FileResponse, which sets Content-Type from the on-disk extension and emits no Content-Disposition. A verified user with the default-on chat.stt permission can upload a polyglot WAV+HTML file named pwn.html and trick any other user into opening the resulting URL — the response comes back as text/html and any embedded

CVE-2026-45315 : Detail

CVE-2026-45315

CVE Descriptions