Open WebUI stored cross-site scripting (XSS) vulnerability

GHSA-gj27-76gq-5v3p · CVE-2024-7990

Published Mar 20, 2025 · Modified Mar 21, 2025

Description

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the /api/v1/models/add endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious scripts that can be executed by any user, including administrators, potentially leading to arbitrary code execution.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-7990
PACKAGE https://github.com/open-webui/open-webui
WEB https://huntr.com/bounties/2256e336-0f67-449e-a82d-7fc57081a21c

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes