CVE-2024-7990
published 2025-03-20

Priority: P339 | high | 8.4 (CVSS 3.0)
Vector: AV:N / AC:L / PR:H / UI:R / S:C / C:H / I:H / A:H
EPSS: 0.89% (54.8th percentile)

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the `/api/v1/models/add` endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious scripts that can be executed by any user, including administrators, potentially leading to arbitrary code execution.

Affected

5 ranges
Vendor | Product | Version range | Fixed in
open-webui | open-webui | >= 0 < 0.9.0 | 0.9.0
open-webui | open-webui | >= 0 < 0.9.0 | 0.9.0
open-webui | open-webui | 0 – 0.3.8 |
open-webui | open-webui_open-webui | unspecified – latest |
openwebui | open_webui | |

CVSS provenance

nvd | v3.0 | 8.4 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
ghsa | 8.4 | HIGH