In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHE_DIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote code execution.
Reserved 2024-07-23 | Published 2024-10-09 | Updated 2024-10-10 | Assigner @huntr_ai
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
huntr.com/bounties/8508db68-9c99-4b1c-828c-e1bfcacfb847
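The pattern described above (a client-supplied file.filename joined to CACHE_DIR without validation) next to one way to harden it. This is an added example, not open-webui's code; the function names, the temporary CACHE_DIR and the sample filenames are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed stand-in for the application's cache directory (constructed for this example).
CACHE_DIR = Path(tempfile.mkdtemp(prefix="cache_")).resolve()


def unsafe_upload_path(filename: str) -> Path:
    """The flawed pattern: the client-supplied name is joined to CACHE_DIR as-is."""
    return Path(os.path.normpath(f"{CACHE_DIR}/{filename}"))


def safe_upload_path(filename: str) -> Path:
    """Return a path directly inside CACHE_DIR, or raise ValueError."""
    # Treat both separator styles as separators; an upload name must be one component.
    name = filename.replace("\\", "/")
    if "/" in name or name in ("", ".", "..") or "\x00" in name:
        raise ValueError(f"rejected upload filename: {filename!r}")
    candidate = (CACHE_DIR / name).resolve()
    # Defence in depth: after resolving symlinks the path must still be under
    # CACHE_DIR (catches a symlink that already exists inside the cache directory).
    if not candidate.is_relative_to(CACHE_DIR):
        raise ValueError(f"path escapes cache dir: {filename!r}")
    return candidate


def is_accepted(filename: str) -> bool:
    """True if the hardened resolver accepts the name, False if it rejects it."""
    try:
        safe_upload_path(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample filenames, as a client could send them in the upload form.
    for sample in ["pipeline.py", "../outside.txt", "/abs/path.py", "a/../../b.py"]:
        escaped = not unsafe_upload_path(sample).is_relative_to(CACHE_DIR)
        print(f"{sample!r}: unsafe join escapes={escaped}, hardened accepts={is_accepted(sample)}")
```

The same resolver has to guard every operation that uses the name, the delete path as well as the write path, since the advisory covers both.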