PT-2025-45527 · Unknown · Open-Webui

Published 2025-11-07 · Updated 2025-11-26 · CVE-2025-64495

CVSS v3.1: 8.7
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Open WebUI versions 0.6.34 and below
Description: Open WebUI, a self-hosted artificial intelligence platform designed for offline operation, contains a stored DOM XSS issue. When the 'Insert Prompt as Rich Text' functionality is enabled, the prompt body is assigned to the DOM sink .innerHTML without proper sanitisation. This allows users with prompt creation permissions to inject a payload that is triggered when other users execute the corresponding command to insert the prompt. Exploitation of this issue can lead to account takeover (ATO) and remote code execution (RCE), particularly for administrator accounts. The vulnerability resides in the handling of HTML content within custom prompts, specifically in the replaceCommandWithText function. The lack of sanitisation allows attackers to craft malicious payloads using techniques such as String.fromCodePoint to bypass character limitations and execute arbitrary code on the server. Approximately 56.6k live targets are identified on ZoomEye, and over 1.0M services are found yearly. The vulnerability can be exploited by crafting a malicious prompt and triggering it through a chat window.
Recommendations: Update to version 0.6.35 or later to resolve this vulnerability.
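As an added example (not Open WebUI's own code), the vulnerable pattern the advisory describes beside a hardened form, plus a simple audit a defender can run over already-stored prompt bodies; the element stub, the pattern list and the sample prompts are constructed for this example.

```javascript
// Added example, not Open WebUI's own code. Models the sink the advisory describes
// (a stored prompt body written to innerHTML) and a defender-side audit of stored prompts.

// Minimal stand-in for a DOM element so the example runs in Node without a browser.
// Constructed for this example; a real element would parse innerHTML into nodes.
class FakeElement {
  constructor() { this.innerHTML = ""; }
}

// Patterns that indicate a prompt body would become active content if parsed as HTML.
const ACTIVE_HTML_PATTERNS = [
  { name: "script-tag", re: /<\s*script\b/i },
  { name: "event-handler-attr", re: /<[^>]*\bon[a-z]+\s*=/i },
  { name: "javascript-uri", re: /(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
  { name: "code-point-obfuscation", re: /String\.from(?:CodePoint|CharCode)\s*\(/ },
];

// Audit one stored prompt body; returns the names of the matching patterns (empty = clean).
function auditStoredPrompt(body) {
  return ACTIVE_HTML_PATTERNS.filter((p) => p.re.test(body)).map((p) => p.name);
}

// Vulnerable pattern, as the advisory describes it: the body reaches the HTML sink as-is.
function insertPromptUnsafe(el, body) {
  el.innerHTML = body;
  return el.innerHTML;
}

// Escape the characters that let text be interpreted as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: the body reaches the sink only as escaped text, so no tag or
// attribute survives however the payload's characters were produced.
function insertPromptSafe(el, body) {
  el.innerHTML = escapeHtml(body);
  return el.innerHTML;
}

// Constructed sample prompt bodies (not taken from any real exploit).
const SAMPLE_PROMPTS = {
  benign: "Summarise the following text in <b>three</b> bullet points.",
  hostile: '<img src=x onerror="String.fromCodePoint(88)">',
};
for (const [label, body] of Object.entries(SAMPLE_PROMPTS)) {
  console.log(label, auditStoredPrompt(body), insertPromptSafe(new FakeElement(), body));
}
```

The audit is a triage aid for finding suspicious stored prompts; the fix itself is the escaped (or properly sanitised) write to the sink, not the pattern list.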

Exploit · Fix · RCE · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-64495
GHSA-W7XJ-8FX7-WFCH

Affected Products

Open-Webui