Skip to content

Add CVE rules for Jan and Open WebUI components#462

Open
NY1024 wants to merge 3 commits into
Tencent:mainfrom
NY1024:add-cve-rules-for-uncovered-components
Open

Add CVE rules for Jan and Open WebUI components#462
NY1024 wants to merge 3 commits into
Tencent:mainfrom
NY1024:add-cve-rules-for-uncovered-components

Conversation

@NY1024

@NY1024 NY1024 commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Summary
Added CVE security rules for components in the project that had fingerprints but lacked corresponding vulnerability rules; includes both Chinese and English versions.

Changes
Jan (1 entry)

CVE-2024-36858: Arbitrary file upload leading to RCE (CVSS 9.8 CRITICAL)
Open WebUI (3 entries)

CVE-2025-46719: Stored XSS allowing session token theft (CVSS 5.4 MEDIUM)
CVE-2026-45346: SVG renderer Stored XSS (CVSS 5.4 MEDIUM)
CVE-2026-54014: Cache path traversal allowing arbitrary file reading (CVSS 4.3 MEDIUM)
Details
All CVEs have been verified against the official NVD database; sources are authentic and reliable.
In accordance with project conventions, each rule is provided in both Chinese (data/vuln/) and English (data/vuln_en/) versions.

References
https://nvd.nist.gov/vuln/detail/CVE-2024-36858
https://nvd.nist.gov/vuln/detail/CVE-2025-46719
https://nvd.nist.gov/vuln/detail/CVE-2026-45346
https://nvd.nist.gov/vuln/detail/CVE-2026-54014

NY1024 added 2 commits July 3, 2026 16:30
Add 4 NVD-verified CVE rules for components that had fingerprints
but no vulnerability rules:

- Jan CVE-2024-36858: Arbitrary file upload via /v1/app/writeFileSync
  (CVSS 9.8, CRITICAL) - NVD confirmed, GHSA-qfjh-mvq6-c5p8

- Open WebUI CVE-2025-46719: Stored XSS via HTML tags in chat messages
  (CVSS 5.4, MEDIUM) - NVD confirmed, GHSA-9f4f-jv96-8766

- Open WebUI CVE-2026-45346: Stored XSS in SVG renderer
  (CVSS 5.4, MEDIUM) - NVD confirmed, GHSA-r29h-37fj-x2w6

- Open WebUI CVE-2026-54014: Path traversal in cache file serving
  (CVSS 4.3, MEDIUM) - NVD confirmed, GHSA-j2c8-v969-8r5c

All CVEs verified via NVD API (services.nvd.nist.gov) with exact
CVE IDs, descriptions, CVSS scores, and reference URLs.
Add English translations (data/vuln_en/) for the 4 CVE rules
previously added in data/vuln/:

- Jan CVE-2024-36858 (en)
- Open WebUI CVE-2025-46719 (en)
- Open WebUI CVE-2026-45346 (en)
- Open WebUI CVE-2026-54014 (en)

Maintains the project's bilingual (Chinese/English) convention
for vulnerability rules.
@boy-hack boy-hack mentioned this pull request Jul 6, 2026
@boy-hack

boy-hack commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Code Review: Add CVE rules for Jan and Open WebUI components

✅ Strengths

  • Covers both CN and EN versions for all 4 CVEs — bilingual parity maintained
  • Open WebUI CVEs are well-documented with CVSS scores
  • Rule format is correct

⚠️ Critical: Duplicate with PR #457

data/vuln/jan/CVE-2024-36858.yaml and data/vuln_en/jan/CVE-2024-36858.yaml are also being added by PR #457 with slightly different content.

Whichever merges second will cause a merge conflict. Please coordinate with @NY1024 (author of PR #457) to avoid the duplicate:

Review Notes (Open WebUI rules)

  • CVE-2025-46719 (Stored XSS, CVSS 5.4 MEDIUM): ✅ Correct severity
  • CVE-2026-45346 (SVG renderer Stored XSS, CVSS 5.4 MEDIUM): ✅ Consistent
  • CVE-2026-54014 (Cache path traversal): Confirm version range — ensure the rule: version ceiling matches the upstream fix.

🟡 Verdict

LGTM for Open WebUI rules. Resolve the Jan duplicate before merge.

Per code review feedback, removing Jan CVE rules from this PR.
PR Tencent#457 (add-cve-rules-for-jan-localai) will handle Jan CVEs instead.
This avoids merge conflicts between the two PRs.
@NY1024

NY1024 commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Thanks for the review! All feedback has been addressed:

  1. Jan duplicate issue: Went with Option A — removed Jan files from this PR, letting PR feat: add CVE rules #457 handle them. Also fixed the version range in PR feat: add CVE rules #457 from version <= "0.4.12" to version > "0" && version < "0.5.2" (the original range would miss affected versions 0.4.13–0.5.1), and added the GHSA advisory reference.

  2. CVE-2026-54014 version range: Confirmed version < "0.9.6" matches the upstream fix version. The range is correct.

  3. Open WebUI rules: No changes needed, as confirmed.

Please re-review when you get a chance. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants