Vulnerabilities

CVE-2026-0766 - Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnera...

2026-01-23 0 views admin

CVE ID : CVE-2026-0766 Published : Jan. 23, 2026, 3:28 a.m. | 47 minutes ago Description : Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the load_tool_module_by_id function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28257. Severity: 8.8 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE Details

CVE ID

CVE-2026-0766

Severity

HIGH

Published

Jan. 23, 2026

Affected Product: Python

Impact: Command Injection

🏷️ Tags

cvevulnerabilitysecuritycybersecuritycve-2026-0766highpython

CVE-2026-0766 - Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnera...

CVE Details

🏷️ Tags

More from Vulnerabilities

CVE-2026-0787 - ALGO 8180 IP Audio Alerter SAC Command Injection Remote Code Execution Vulnerability

CVE-2026-0796 - ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnera...

CVE-2026-0795 - ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnera...

CVE-2026-0794 - ALGO 8180 IP Audio Alerter SIP Use-After-Free Remote Code Execution Vulnerability

Trending

Tech: Go-legacy-winxp: Compile Golang 1.24 code for Windows XP

Tech: Data is the only moat

Tech: Pocket TTS: A high quality TTS that gives your CPU a voice

Tech: AWS European Sovereign Cloud

Tech: JuiceFS is a distributed POSIX file system built on top of Redis and S3