VYPR

apk package

wolfi/open-webui

pkg:apk/wolfi/open-webui

Vulnerabilities (105)

  • CVE-2026-34514MedApr 1, 2026
    affected < 0.8.12-r3fixed 0.8.12-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.

  • CVE-2026-34513HigApr 1, 2026
    affected < 0.8.12-r3fixed 0.8.12-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.

  • CVE-2026-22815HigApr 1, 2026
    affected < 0.8.12-r3fixed 0.8.12-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.

  • CVE-2026-34452MedMar 31, 2026
    affected < 0.8.12-r3fixed 0.8.12-r3

    The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the async local filesystem memory tool in the Anthropic Python SDK validated that model-supplied paths resolved inside the sandboxed memory director

  • CVE-2026-34450MedMar 31, 2026
    affected < 0.8.12-r3fixed 0.8.12-r3

    The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the local filesystem memory tool in the Anthropic Python SDK created memory files with mode 0o666, leaving them world-readable on systems with a sta

  • CVE-2026-33699HigMar 27, 2026
    affected < 0.8.12-r2fixed 0.8.12-r2

    pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade

  • CVE-2026-25645Mar 25, 2026
    affected < 0.9.2-r0fixed 0.9.2-r0

    Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid

  • CVE-2026-4539LowMar 22, 2026
    affected < 0.8.12-r2fixed 0.8.12-r2

    A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit

  • CVE-2026-33231Mar 20, 2026
    affected < 0.8.12-r2fixed 0.8.12-r2

    NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet B

  • CVE-2026-33230Mar 20, 2026
    affected < 0.8.12-r2fixed 0.8.12-r2

    NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` contains a reflected cross-site scripting issue in the `looku

  • CVE-2026-32597HigMar 13, 2026
    affected < 0.8.10-r1fixed 0.8.10-r1

    PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token i

  • CVE-2026-32274Mar 12, 2026
    affected < 0.8.10-r1fixed 0.8.10-r1

    Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker wh

  • CVE-2026-31826Mar 10, 2026
    affected < 0.8.10-r1fixed 0.8.10-r1

    pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length insid

  • CVE-2026-28351Feb 27, 2026
    affected < 0.8.6-r0fixed 0.8.6-r0

    pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.

  • CVE-2026-27628Feb 25, 2026
    affected < 0.8.5-r0fixed 0.8.5-r0

    pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This has been fixed in pypdf 6.7.2. As a workaround, one may apply the patch manually.

  • CVE-2026-27205Feb 21, 2026
    affected < 0.8.3-r1fixed 0.8.3-r1

    Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs c

  • CVE-2026-27199Feb 21, 2026
    affected < 0.8.3-r1fixed 0.8.3-r1

    Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and below, the safe_join function allows Windows device names as filenames if preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account f

  • CVE-2026-27026Feb 20, 2026
    affected < 0.8.3-r1fixed 0.8.3-r1

    pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used. This vulnerability is fixed

  • CVE-2026-27025Feb 20, 2026
    affected < 0.8.3-r1fixed 0.8.3-r1

    pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for exampl

  • CVE-2026-27024Feb 20, 2026
    affected < 0.8.3-r1fixed 0.8.3-r1

    pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines. This vulnerability is fixed in

Page 3 of 6