Gg0H

**Name of the Vulnerable Software and Affected Versions** Open WebUI versions prior to 0.7.3 **Description** Open WebUI contains a Blind Server Side Request Forgery (SSRF) in the functionality used to edit an image via a prompt. The affected function performs a GET request to a user-provided URL without domain restrictions, enabling access to the local address space. Because the SSRF is blind, the response cannot be read, but the issue allows for port scanning of the local network by analyzing whether the GET request succeeds or fails. If a service on an open port is identified, an attacker may interact with it if that service provides state-changing GET request endpoints. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open WebUI versions prior to 0.7.0 **Description** Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Modifying chat history before version 0.7.0 allows manipulation of the `html` property within document metadata. This causes the frontend to interpret document contents as HTML and render them within an iFrame when a citation is previewed, leading to stored cross-site scripting (XSS). The payload executes when the citation is viewed, including in shared chats. The issue involves a code path triggered by document contents treated as HTML. **Recommendations** Update to version 0.7.0 or later.

**Name of the Vulnerable Software and Affected Versions** Open WebUI versions prior to 0.6.44 **Description** Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Manually modifying chat history allows setting the `embeds` property on a response message. The content of this property is loaded into an iFrame with a sandbox that has `allow-scripts` and `allow-same-origin` set, bypassing the "iframe Sandbox Allow Same Origin" configuration. This enables stored cross-site scripting (XSS) on the affected chat, and the resulting malicious link can be shared with other users on the instance. The issue occurs when the chat is in the shared format. **Recommendations** Update to version 0.6.44 or later.