5.4 - CVE-2025-46571

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Informations
Name	CVE-2025-46571	First vendor Publication	2025-05-05
Vendor	Cve	Last vendor Modification	2025-06-17

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Overall CVSS Score	5.4
Base Score	5.4	Environmental Score	5.4
impact SubScore	2.7	Temporal Score	5.4
Exploitabality Sub Score	2.3

Attack Vector	Network	Attack Complexity	Low
Privileges Required	Low	User Interaction	Required
Scope	Changed	Confidentiality Impact	Low
Integrity Impact	Low	Availability Impact	None
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score	N/A	Attack Range	N/A
Cvss Impact Score	N/A	Attack Complexity	N/A
Cvss Expoit Score	N/A	Authentication	N/A
Calculate full CVSS 2.0 Vectors scores

Detail

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, low privileged users can upload HTML files which contain JavaScript code via the `/api/v1/files/` backend endpoint. This endpoint returns a file id, which can be used to open the file in the browser and trigger the JavaScript code in the user's browser. Under the default settings, files uploaded by low-privileged users can only be viewed by admins or themselves, limiting the impact of this vulnerability. A link to such a file can be sent to an admin, and if clicked, will give the low-privileged user complete control over the admin's account, ultimately enabling RCE via functions. Version 0.6.6 contains a fix for the issue.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46571

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-79	Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type	Description	Count
Application	Openwebui Open Webui cpe:2.3:a:openwebui:open_webui:0.5.16:::::::* cpe:2.3:a:openwebui:open_webui:0.3.8:::::::* cpe:2.3:a:openwebui:open_webui:0.3.32:::::::* cpe:2.3:a:openwebui:open_webui:0.3.10:::::::* cpe:2.3:a:openwebui:open_webui:0.1.105:::::::* cpe:2.3:a:openwebui:open_webui:::::::: cpe:2.3:a:openwebui:open_webui:-:::::::*	7

Sources (Detail)

https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers...
https://github.com/open-webui/open-webui/commit/ef2aeb7c0eb976bac759e59ac359c...
https://github.com/open-webui/open-webui/security/advisories/GHSA-8gh5-qqh8-hq3x

Source	Url

Alert History

If you want to see full details history, please login or register.

Date	Informations
2025-06-18 00:20:50	Multiple Updates
2025-05-27 02:58:12	First insertion

Type	Count
CWE ID(s)	1
CPE ID(s)	7
Sources(s)	3

5.4 - CVE-2025-46571

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

CPE : Common Platform Enumeration

Sources (Detail)

Alert History

Global Informations

Open Standards

COMPANY

STANDARDS

RECENT POSTS

MENU