CRITICAL🇵🇱 Wersja polska

CVE-2024-8017

CVSS 9.0v3.0pub. 2025-03-20upd. 2025-07-21

An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the HTML for tooltips. This vulnerability allows attackers to perform operations with the victim's privileges, such as stealing chat history, deleting chats, and escalating their own account to an admin if the victim is an admin.

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
  • Openwebui Open Webui

    APP
    Openwebui
    ≤ 0.3.8
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2026-44551CRITICAL9.1PL ✓ten sam produkt

Open WebUI: pominięcie uwierzytelnienia LDAP przez puste hasło (Auth Bypass)

CVE-2024-7053CRITICAL9.0PL ✓ten sam produkt

Session fixation i kradzież sesji administratora w Open WebUI

CVE-2026-54008HIGH8.5ten sam produkt

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0....

CVE-2026-54007HIGH7.1ten sam produkt

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0....

CVE-2026-54010HIGH8.3ten sam produkt

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0....