CVE-2024-7044
Published 2025-03-20
Priority: P3 · 40 · high · 8.9 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:H / I:H / A:L
EPSS: 0.48% (37.6th percentile)
A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui version 0.3.8. An attacker can inject malicious content into a file, which, when accessed by a victim through a URL or shared chat, executes JavaScript in the victim's browser. This can lead to user data theft, session hijacking, malware distribution, and phishing attacks.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-webui | open-webui | 0 – 0.3.8 | — |
| open-webui | open-webui_open-webui | unspecified – latest | — |
| openwebui | open_webui | — | — |
CVSS provenance
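| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.9 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L |
| nvd | v3.0 | 6.8 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N |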
GHSA
Open WebUI Vulnerable to Cross-Site Scripting (XSS) via Chat File Upload
ghsa·2025-03-20
CVE-2024-7044 [MEDIUM] CWE-79 Open WebUI Vulnerable to Cross-Site Scripting (XSS) via Chat File Upload
OSV
Open WebUI Vulnerable to Cross-Site Scripting (XSS) via Chat File Upload
osv·2025-03-20
CVE-2024-7044 [MEDIUM] Open WebUI Vulnerable to Cross-Site Scripting (XSS) via Chat File Upload
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-03-20
Published