Search for vulnerabilities
| Vulnerability ID | VCID-u3aa-dqz4-x7f3 |
| Aliases |
CVE-2024-7990
GHSA-gj27-76gq-5v3p |
| Summary | A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the `/api/v1/models/add` endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious scripts that can be executed by any user, including administrators, potentially leading to arbitrary code execution. |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| epss | 0.00285 | https://api.first.org/data/v1/epss?cve=CVE-2024-7990 |
| cvssv3.1 | 8.4 | https://github.com/open-webui/open-webui |
| generic_textual | HIGH | https://github.com/open-webui/open-webui |
| cvssv3 | 8.4 | https://huntr.com/bounties/2256e336-0f67-449e-a82d-7fc57081a21c |
| cvssv3.1 | 8.4 | https://huntr.com/bounties/2256e336-0f67-449e-a82d-7fc57081a21c |
| generic_textual | HIGH | https://huntr.com/bounties/2256e336-0f67-449e-a82d-7fc57081a21c |
| ssvc | Track* | https://huntr.com/bounties/2256e336-0f67-449e-a82d-7fc57081a21c |
| cvssv3.1 | 8.4 | https://nvd.nist.gov/vuln/detail/CVE-2024-7990 |
| generic_textual | HIGH | https://nvd.nist.gov/vuln/detail/CVE-2024-7990 |
| Reference id | Reference type | URL |
|---|---|---|
| https://api.first.org/data/v1/epss?cve=CVE-2024-7990 | ||
| https://github.com/open-webui/open-webui | ||
| https://nvd.nist.gov/vuln/detail/CVE-2024-7990 | ||
| 2256e336-0f67-449e-a82d-7fc57081a21c | https://huntr.com/bounties/2256e336-0f67-449e-a82d-7fc57081a21c | |
| GHSA-gj27-76gq-5v3p | https://github.com/advisories/GHSA-gj27-76gq-5v3p |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Percentile | 0.52342 |
| EPSS Score | 0.00285 |
| Published At | June 11, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-10T18:36:47.938973+00:00 | Vulnrichment | Import | https://github.com/cisagov/vulnrichment/blob/develop/2024/7xxx/CVE-2024-7990.json | 38.6.0 |