CVE-2024-7044 MEDIUM

CVE-2024-7044: Stored XSS in open-webui/open-webui

Vendor Open-Webui
Product open-webui/open-webui
Weakness CWE-79 · XSS
Published March 20, 2025
Last update March 20, 2025
View on NVD All CVEs

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui version 0.3.8. An attacker can inject malicious content into a file, which, when accessed by a victim through a URL or shared chat, executes JavaScript in the victim's browser. This can lead to user data theft, session hijacking, malware distribution, and phishing attacks.

Key dates

02Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-49061 WordPress Porn Videos Embed plugin <= 0.9.1 - Cross Site Scripting (XSS) vulnerability CVE-2023-50829 WordPress Loan Repayment Calculator and Application Form Plugin <= 2.9.3 is vulnerable to Cross Site Scripting (XSS) CVE-2023-47816 WordPress Charitable Plugin <= 1.7.0.13 is vulnerable to Cross Site Scripting (XSS) CVE-2025-1319 Site Mailer <= 1.2.3 - Unauthenticated Stored Cross-Site Scripting CVE-2026-41472 CyberPanel < 2.4.4 Stored XSS via AI Scanner Dashboard