Add CVE rules for Jan and Open WebUI components#462
Conversation
Add 4 NVD-verified CVE rules for components that had fingerprints but no vulnerability rules: - Jan CVE-2024-36858: Arbitrary file upload via /v1/app/writeFileSync (CVSS 9.8, CRITICAL) - NVD confirmed, GHSA-qfjh-mvq6-c5p8 - Open WebUI CVE-2025-46719: Stored XSS via HTML tags in chat messages (CVSS 5.4, MEDIUM) - NVD confirmed, GHSA-9f4f-jv96-8766 - Open WebUI CVE-2026-45346: Stored XSS in SVG renderer (CVSS 5.4, MEDIUM) - NVD confirmed, GHSA-r29h-37fj-x2w6 - Open WebUI CVE-2026-54014: Path traversal in cache file serving (CVSS 4.3, MEDIUM) - NVD confirmed, GHSA-j2c8-v969-8r5c All CVEs verified via NVD API (services.nvd.nist.gov) with exact CVE IDs, descriptions, CVSS scores, and reference URLs.
Add English translations (data/vuln_en/) for the 4 CVE rules previously added in data/vuln/: - Jan CVE-2024-36858 (en) - Open WebUI CVE-2025-46719 (en) - Open WebUI CVE-2026-45346 (en) - Open WebUI CVE-2026-54014 (en) Maintains the project's bilingual (Chinese/English) convention for vulnerability rules.
Code Review: Add CVE rules for Jan and Open WebUI components✅ Strengths
|
Per code review feedback, removing Jan CVE rules from this PR. PR Tencent#457 (add-cve-rules-for-jan-localai) will handle Jan CVEs instead. This avoids merge conflicts between the two PRs.
|
Thanks for the review! All feedback has been addressed:
Please re-review when you get a chance. Thanks! |
Summary
Added CVE security rules for components in the project that had fingerprints but lacked corresponding vulnerability rules; includes both Chinese and English versions.
Changes
Jan (1 entry)
CVE-2024-36858: Arbitrary file upload leading to RCE (CVSS 9.8 CRITICAL)
Open WebUI (3 entries)
CVE-2025-46719: Stored XSS allowing session token theft (CVSS 5.4 MEDIUM)
CVE-2026-45346: SVG renderer Stored XSS (CVSS 5.4 MEDIUM)
CVE-2026-54014: Cache path traversal allowing arbitrary file reading (CVSS 4.3 MEDIUM)
Details
All CVEs have been verified against the official NVD database; sources are authentic and reliable.
In accordance with project conventions, each rule is provided in both Chinese (
data/vuln/) and English (data/vuln_en/) versions.References
https://nvd.nist.gov/vuln/detail/CVE-2024-36858
https://nvd.nist.gov/vuln/detail/CVE-2025-46719
https://nvd.nist.gov/vuln/detail/CVE-2026-45346
https://nvd.nist.gov/vuln/detail/CVE-2026-54014