CVE-2024-7990: Open WebUI stored cross-site scripting (XSS) vulnerability

March 20, 2025 (updated March 21, 2025)

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the /api/v1/models/add endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious scripts that can be executed by any user, including administrators, potentially leading to arbitrary code execution.

References

github.com/advisories/GHSA-gj27-76gq-5v3p
github.com/open-webui/open-webui
huntr.com/bounties/2256e336-0f67-449e-a82d-7fc57081a21c
nvd.nist.gov/vuln/detail/CVE-2024-7990

Code Behaviors & Features

Detect and mitigate CVE-2024-7990 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →