CVE-2024-7990
open-webui 0.3.8 - Stored Cross-Site Scripting via Model Description Field
Severity: HIGH
Title source: llmDescription
A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The `/api/v1/models/add` endpoint accepts a model description that is not properly sanitized before it is rendered in the chat interface. An attacker with an account permitted to add models (the CVSS vector records PR:H) can store a description containing script that then runs in the browser of any user who views the affected chat, including administrators. The impact is arbitrary JavaScript execution in the victim's authenticated browser session (CWE-79), not native code execution on the server.
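The following is an added example and is not code from open-webui or from the huntr report. It illustrates the generic sink class behind this CVE: an untrusted model description concatenated into markup that is destined for `innerHTML`, shown next to an output-encoded version, plus a small check that flags any tag in the rendered output that did not come from the template. The `renderModelCard*` functions, the `STORED_MODEL` record and its payload are constructed for illustration only; the project's actual rendering code and the payload from the report are not reproduced here.

```javascript
// Added example (not open-webui code): a stored-XSS sink and its output-encoded counterpart.

// Minimal HTML entity escaping for text that will be placed in element content or
// a double-quoted attribute. All five characters matter: a missing quote escape
// lets an attacker break out of an attribute into a new event handler.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Constructed sample record (hypothetical): what an attacker-controlled model entry
// might look like once it has been stored by an "add model" endpoint.
const STORED_MODEL = {
  name: 'demo-model',
  description: '<img src=x onerror="alert(1)">',
};

// Vulnerable pattern: the stored field is interpolated straight into markup that
// the UI later assigns to innerHTML, so any tag in the description becomes live DOM.
function renderModelCardUnsafe(model) {
  return `<div class="model"><h3>${model.name}</h3><p>${model.description}</p></div>`;
}

// Hardened pattern: every untrusted field is escaped before it reaches the markup,
// so the browser shows the description as literal text.
function renderModelCardSafe(model) {
  return `<div class="model"><h3>${escapeHtml(model.name)}</h3>`
    + `<p>${escapeHtml(model.description)}</p></div>`;
}

// Regression check suitable for a unit test: collect every tag name in the rendered
// output and report whether any of them is not one of the template's own tags.
const TEMPLATE_TAGS = new Set(['div', 'h3', 'p']);
function containsInjectedMarkup(model, render) {
  const html = render(model);
  const tagNames = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tagNames.some((tag) => !TEMPLATE_TAGS.has(tag));
}
```

Run `containsInjectedMarkup(STORED_MODEL, renderModelCardUnsafe)` and the same call with `renderModelCardSafe` to see the two outcomes; the unsafe renderer leaks an `img` tag into the DOM, the safe one does not. Escaping at the point of output is the fix that closes the sink regardless of what the API stored; input validation on the add endpoint is only defense in depth, because the same description may later be rendered in a different context.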
References (1)
- Exploit, Third Party Advisory: https://huntr.com/bounties/2256e336-0f67-449e-a82d-7fc57081a21c
Scores
CVSS v3: 8.4 (vector CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)
EPSS: 0.0029 (percentile 52.6%)
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-79
Status: published
Products (2)
- openwebui/open_webui 0.3.8
- pypi/open-webui (PyPI)
Published: Mar 20, 2025
Tracked Since: Feb 18, 2026