Security: oobabooga/text-generation-webui
No security policy detected
This project has not set up a SECURITY.md file yet.
Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path.
GHSA-r2qq-p5wg-gf5g, published Apr 3, 2026 by oobabooga. Severity: High

CWE-22 Path Traversal in load_preset() — .yaml file read without authentication
GHSA-w3cv-4447-5hf5, published Apr 3, 2026 by oobabooga. Severity: Moderate

CWE-22 Path Traversal in load_grammar() — arbitrary file read without authentication
GHSA-hqg5-487v-5mc6, published Apr 3, 2026 by oobabooga. Severity: High

CWE-918 SSRF in superbooga/superboogav2 extensions — no URL validation
GHSA-jvrj-w5hq-6cp2, published Apr 3, 2026 by oobabooga. Severity: High

CWE-22 Path Traversal in load_template() — .jinja/.yaml/.yml file read without authentication
GHSA-85fx-vw25-4c95, published Apr 3, 2026 by oobabooga. Severity: Moderate

CWE-22 Path Traversal in load_prompt() — .txt file read without authentication
GHSA-mfgg-vvc6-vqq7, published Apr 3, 2026 by oobabooga. Severity: Moderate

SSRF via OpenAI multimodal image_url fetch in text-generation-webui
GHSA-fpwc-4mvr-7jpr, published Mar 18, 2026 by oobabooga. Severity: High

Arbitrary File Write/Delete via Path Traversal in Character Name
GHSA-4p45-76cc-7p62, published Mar 18, 2026 by oobabooga. Severity: Critical

Remote Code Execution (RCE) through Path Traversal at "Session -> Save extention settings to user_data/settings.yaml".
GHSA-jg96-p5p6-q3cv, published Mar 18, 2026 by oobabooga. Severity: Critical

text-generation-webui allows arbitrary file read via symbolic link upload
GHSA-66rw-q8w5-c2hg, published Oct 13, 2025 by oobabooga. Severity: High

Learn more about advisories related to oobabooga/text-generation-webui in the GitHub Advisory Database