EXECUTIVE SUMMARY:
Open WebUI contains a high-severity stored DOM-based XSS vulnerability (CVE-2025-64495, CVSS 8.7) in its prompt handling when the "Insert Prompt as Rich Text" feature is enabled: the prompt body is assigned to innerHTML without sanitization, so any user who can create prompts can inject malicious HTML/JavaScript that executes in other users' browsers. An attacker can use this to exfiltrate session tokens or perform actions in the victim's session and, critically, can escalate to full server-side remote code execution by tricking an administrator into invoking the platform's Functions feature (which can run arbitrary Python), enabling account takeover and host compromise. The flaw affects Open WebUI releases up to and including 0.6.34.
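The following is an added illustration, not Open WebUI's code and not taken from the advisory, of the bug class the summary describes: a user-controlled prompt body rendered through innerHTML as markup, shown beside a hardened variant that escapes the body before any HTML is generated. The function names, the "newline to <br>" rich-text rule and the sample prompt are assumptions constructed for the example; a review helper that flags stored prompts containing raw markup is included for defenders auditing existing prompt data.

```javascript
// Added example (not Open WebUI's code): the unsafe innerHTML pattern the
// advisory describes, beside an escape-first replacement. The functions return
// the HTML string that the caller would assign to element.innerHTML, so the
// example runs under Node without a browser DOM.

// Escape the five characters that let text break out of an HTML text node or
// attribute value. The result is safe to place in innerHTML as literal text.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored prompt body is handed to the browser as
// markup, so any tags or event-handler attributes in it are parsed and run.
function buildRichHtmlUnsafe(promptBody) {
  return promptBody; // would be assigned to target.innerHTML unchanged
}

// Hardened pattern: escape first, then apply the application's own, limited
// "rich text" rules to the already-escaped string. Because every '<' from the
// user has become '&lt;', the only tags in the output are ones this function
// emits itself (here, an assumed newline-to-<br> rule).
function buildRichHtmlSafe(promptBody) {
  return escapeHtml(promptBody).replace(/\n/g, '<br>');
}

// Audit helper for defenders: does a stored prompt body contain something that
// an HTML parser would treat as a tag? Useful for reviewing prompts created
// before the fix was deployed. Conservative: matches '<' followed by an
// optional '/' and a letter or '!', so "x < 2" is not flagged.
function promptContainsMarkup(promptBody) {
  return /<\s*\/?[a-zA-Z!]/.test(String(promptBody));
}

// Constructed sample prompt (not real user data).
const samplePrompt = 'Summarize <b>this</b> & reply\nin two lines';

console.log('unsafe :', buildRichHtmlUnsafe(samplePrompt));
console.log('safe   :', buildRichHtmlSafe(samplePrompt));
console.log('flag   :', promptContainsMarkup(samplePrompt));
```

In a real fix the safe path is simply `element.textContent = promptBody` when no formatting is needed; escape-then-format, as above, is the pattern to use when some presentation markup is still wanted. Run the audit helper over stored prompt bodies to find entries worth manual review.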
RECOMMENDATION:
We strongly recommend you update Open WebUI to version 0.6.35.
REFERENCES:
The following reports contain further technical details: