Product
A stored Cross-Site Scripting (XSS) vulnerability exists in Open WebUI versions up to 0.6.43, allowing attackers to manually modify chat history to inject malicious content into response messages via iFrames with misconfigured sandboxing, leading to arbitrary script execution, potential session hijacking, and enabling Remote Code Execution (RCE) on the server for administrators.