CVE-2026-44721

CVE-2026-44721 documents a stored XSS in Open WebUI prior to version 0.9.0. The vulnerability arises from a flawed sanitizeResponseContent path that escapes HTML but does not neutralize a markdown link with a javascript: URI rendered via {@html}, enabling an authenticated user with workspace.mode...

CVE-2026-44721 Open WebUI: Stored XSS via Model Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a stored cross-site scripting XSS vulnerability that allows any authenticated user with model creation permission workspace.models to execute arbitrary JavaScript in the browser of a...

NPM: open-webui Vulnerable to Stored XSS via Model Description

NPM: open-webui Vulnerable to Stored XSS via Model Description vulnerability discovered by ? in WordPress Npm open-webui versions = 0.8.12...

CVE-2025-63885

A stored cross-site scripting XSS vulnerability in AIxBlock commit 04f305 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the modeldesc field...

PT-2025-44437

Name of the Vulnerable Software and Affected Versions AIxBlock commit 04f305 Description A stored cross-site scripting XSS issue exists in AIxBlock commit 04f305. This allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the model desc field. Recommendatio...

CVE-2025-63885

The CVE-2025-63885 vulnerability affects AIxBlock at commit 04f305, where the model_desc field does not validate input, enabling stored XSS that can cause arbitrary web scripts/HTML to be executed in a victim’s browser. Impact per the entry is Low for confidentiality and integrity, with no availa...

CVE-2025-63885

A stored cross-site scripting XSS vulnerability in AIxBlock commit 04f305 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the modeldesc field...

CVE-2025-63885

A stored cross-site scripting XSS vulnerability in AIxBlock commit 04f305 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the modeldesc field...

CVE-2024-7990

A stored cross-site scripting XSS vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the /api/v1/models/add endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious...

GHSA-GJ27-76GQ-5V3P Open WebUI stored cross-site scripting (XSS) vulnerability

A stored cross-site scripting XSS vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the /api/v1/models/add endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious...

Open WebUI stored cross-site scripting (XSS) vulnerability

A stored cross-site scripting XSS vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the /api/v1/models/add endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious...

CVE-2024-7990

A stored cross-site scripting XSS vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the /api/v1/models/add endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious...

CVE-2024-7990

A stored cross-site scripting XSS vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the /api/v1/models/add endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious...

CVE-2024-7990 Stored Cross-Site Scripting in open-webui/open-webui

A stored cross-site scripting XSS vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the /api/v1/models/add endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious...

CVE-2024-7990

CVE-2024-7990 is an XSS in open-webui/open-webui v0.3.8, tracked across NVD/Red Hat/Snyk/GHSA. The issue occurs in the /api/v1/models/add endpoint where the model description is not properly sanitized before rendering in chat, enabling an attacker to inject scripts that run in other users’ browse...