CVE-2024-7990 — Open WebUI stored cross-site scripting (XSS) vulnerability

Description

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the `/api/v1/models/add` endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious scripts that can be executed by any user, including administrators, potentially leading to arbitrary code execution.

How to fix CVE-2024-7990

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2024-7990 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.3.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.4	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-7990
PATCHgithub.com/open-webui/open-webui
WEBhuntr.com/bounties/2256e336-0f67-449e-a82d-7fc57081a21c