Stored Cross-Site Scripting Vulnerability in Open-WebUI by Open-WebUI
CVE-2024-7990

8.4HIGH

Key Information:

Vendor: Open-webui
Status: Open-webui/open-webui
Vendor: CVE Published:; 20 March 2025

Summary

A stored cross-site scripting (XSS) vulnerability exists in Open-WebUI version 0.3.8, specifically within the '/api/v1/models/add' endpoint. The model description field is not properly sanitized prior to being displayed in chat, allowing attackers to inject malicious scripts. This flaw could be exploited by attackers to execute harmful scripts on the browsers of users—including administrators—potentially enabling them to carry out arbitrary code execution.

Affected Version(s)

open-webui/open-webui <= unspecified

References

https://huntr.com/bounties/2256e336-0f67-449e-a82d-7fc570...

CVSS V3.0

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Aug 19, 2024