Cross-site scripting in Open WebUI - CVE-2025-64495

Published: April 24, 2026


Vulnerability identifier: #VU127468
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-64495
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software: Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting in the RichTextInput.svelte prompt insertion functionality, which processes prompt content as rich text without adequate sanitization. A remote user can create a crafted prompt; when a victim runs the corresponding slash command, the prompt content is inserted into the input as rich text and the embedded script executes in the victim's browser.

The issue is exploitable only when the victim has enabled the 'Insert Prompt as Rich Text' setting, and exploitation requires user interaction to run the corresponding prompt command.
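A defensive illustration of the point above: prompt content authored by other users must pass an allowlist sanitizer before it is inserted into the editor as rich text, so that script elements, event-handler attributes and script-scheme links never reach the DOM. This is an added example written for this page, not Open WebUI's code or the patched RichTextInput.svelte logic; the sanitizer, its allowed tag set and the constructed sample prompt are all assumptions.

```javascript
// Allowlist sanitizer for user-authored prompt content that is about to be
// inserted as rich text. Constructed example for this advisory, not Open WebUI's
// own code; a production component should use a maintained HTML sanitizer.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "strong", "em", "u",
                              "code", "pre", "ul", "ol", "li", "a"]);
// Elements whose entire body is dropped, not only the tags around it.
const DROP_BODY = new Set(["script", "style", "iframe", "object", "svg", "math"]);

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Only http(s), mailto: and single-slash relative links survive; javascript:,
// data:, vbscript: and entity-obfuscated schemes fail the allowlist test.
function safeHref(v) {
  const t = v.trim();
  return /^(https?:|mailto:|\/(?![\/\\]))/i.test(t) ? t : null;
}

function sanitizeRichText(html) {
  const token = /<!--[\s\S]*?-->|<(\/?)([a-zA-Z][\w-]*)([^>]*)>|[^<]+|</g;
  let out = "", dropping = null, m;
  while ((m = token.exec(html)) !== null) {
    const [raw, close, nameRaw, attrs] = m;
    const name = nameRaw ? nameRaw.toLowerCase() : null;
    if (dropping) {                         // inside <script>...</script> etc.
      if (close && name === dropping) dropping = null;
      continue;
    }
    if (raw.startsWith("<!--")) continue;   // comments never reach the editor
    if (!name) { out += escapeText(raw); continue; }  // text run or stray '<'
    if (DROP_BODY.has(name)) { if (!close) dropping = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;  // unknown tag dropped, its text kept
    if (close) { if (name !== "br") out += `</${name}>`; continue; }
    let attrOut = "";                       // every attribute is dropped...
    if (name === "a") {                     // ...except a vetted href on <a>
      const h = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(attrs);
      const href = h ? safeHref(h[1] ?? h[2] ?? h[3]) : null;
      if (href) attrOut = ` href="${escapeText(href)}" rel="noopener noreferrer"`;
    }
    out += `<${name}${attrOut}>`;
  }
  return out;
}

// Constructed sample: a shared prompt whose rich-text body carries script.
const craftedPrompt = '<p>Summarise: <b>this</b></p><img src=x onerror="alert(1)">' +
  '<script>alert(2)</script><a href="javascript:alert(3)">link</a>';
console.log(sanitizeRichText(craftedPrompt));
// -> <p>Summarise: <b>this</b></p><a>link</a>
```

Hand-written tag parsing like this is adequate to show the principle, but mutation and parser-differential issues make a maintained sanitizer the right choice in a real editor component.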


How to mitigate CVE-2025-64495

Install the security update from the vendor's website.

Sources