
7 matches found

Veracode
added 2026/03/09 7:33 a.m., 4 views

Stored Cross-Site Scripting (XSS)

Open WebUI is vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of Markdown content in the Notes PDF export functionality, allowing attackers to embed malicious SVG tags that execute arbitrary JavaScript when the note is downloaded as a PDF,...

CVSS 8.7 | AI score 6 | EPSS 0.00028
Exploits: 1 | References: 2 | Affected Software: 2
Github Security Blog
added 2025/12/04 10:3 p.m., 6 views

Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF'

Summary A Stored XSS vulnerability has been discovered in Open-WebUI's Notes PDF download functionality. An attacker can import a Markdown file containing malicious SVG tags into Notes, allowing them to execute arbitrary JavaScript code and steal session tokens when a victim downloads the note as...

CVSS 8.7 | AI score 5.9 | EPSS 0.00028
Exploits: 1 | References: 4 | Affected Software: 1
EUVD
added 2025/12/04 10:3 p.m., 2 views

EUVD-2025-201263

Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF'...

CVSS 8.7 | AI score 5.5 | EPSS 0.00028
Exploits: 1 | References: 4
Cvelist
added 2025/12/04 8:46 p.m., 19 views

CVE-2025-65959 Open WebUI vulnerable to Stored DOM XSS via Note 'Download PDF'

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Stored XSS vulnerability was discovered in Open-WebUI's Notes PDF download functionality. An attacker can import a Markdown file containing malicious SVG tags into Notes, allowing...

CVSS 8.7 | EPSS 0.00028
Exploits: 1 | References: 2
CVE
added 2025/12/04 8:46 p.m., 7 views

CVE-2025-65959

CVE-2025-65959 concerns a stored XSS in Open WebUI’s Notes PDF download feature. The vulnerability arises when HTML content from a Markdown note is assigned directly to innerHTML during PDF generation, enabling arbitrary JavaScript execution (e.g., SVG-based payloads) and session-token theft. Exp...

CVSS 8.7 | AI score 6.4 | EPSS 0.00028
Exploits: 1 | References: 2 | Affected Software: 1
OSV
added 2025/12/04 8:46 p.m., 2 views

CVE-2025-65959 Open WebUI vulnerable to Stored DOM XSS via Note 'Download PDF'

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Stored XSS vulnerability was discovered in Open-WebUI's Notes PDF download functionality. An attacker can import a Markdown file containing malicious SVG tags into Notes, allowing...

CVSS 8.7 | AI score 6.6 | EPSS 0.00028
Exploits: 1 | References: 4
Positive Technologies
added 2025/12/04 12:0 a.m., 3 views

PT-2025-49146

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.6.37 Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. A Stored Cross-Site Scripting XSS issue was identified in the Notes PDF download functionality. ...

CVSS 8.7 | AI score 5.7 | EPSS 0.00028
Exploits: 1 | References: 12