CVE-2024-8017

CRITICAL

open-webui/open-webui <= 0.3.8 - Stored Cross-Site Scripting in Tooltip HTML Construction

Title source: llm
STIX 2.1

Description

An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the HTML for tooltips. This vulnerability allows attackers to perform operations with the victim's privileges, such as stealing chat history, deleting chats, and escalating their own account to an admin if the victim is an admin.

References (1)

Core 1
Core References

Scores

CVSS v3 9.0
EPSS 0.0055
EPSS Percentile 42.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (1)
openwebui/open_webui < 0.3.8
Published Mar 20, 2025
Tracked Since Feb 18, 2026