CVE-2025-46719 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability affecting open-webui, a self-hosted AI platform designed to operate offline. The vulnerability exists in versions prior to 0.6.6 due to improper neutralization of input during web page generation (CWE-79). Specifically, certain HTML tags in chat messages are not correctly sanitized, allowing attackers to inject malicious JavaScript code into chat transcripts. When a user opens an infected chat transcript, the injected script executes in their browser context, enabling attackers to steal the user's access token and gain full control over their account. Since chat transcripts can be shared with other users on the same server or publicly if the "Enable Community Sharing" feature is enabled, the attack surface is significantly expanded. Furthermore, if the victim is an admin user, the attacker can escalate the attack to achieve Remote Code Execution (RCE) on the backend server by injecting malicious Python code via a newly created function. This elevates the threat from a client-side XSS to a server-side compromise. The vulnerability also affects transcripts uploaded to the public openwebui.com platform, enabling wormable stored XSS attacks that can propagate across users. The issue was patched in version 0.6.6. The CVSS 4.0 score is 5.4 (medium), reflecting network attack vector, low attack complexity, no privileges or user interaction required, but with high scope impact and partial impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild.

For European organizations using open-webui, this vulnerability poses a significant risk to both user accounts and backend infrastructure. The theft of access tokens via XSS can lead to account takeover, exposing sensitive AI model data, user inputs, and potentially proprietary information processed by the platform. If an admin account is compromised, attackers can execute arbitrary code on the server, leading to full system compromise, data exfiltration, or disruption of AI services. Organizations relying on open-webui for offline AI workflows may face operational downtime and data integrity issues. The wormable nature of the vulnerability on the public openwebui.com platform increases the risk of rapid spread among users, potentially affecting European users who share or access public chat transcripts. Given the increasing adoption of AI platforms in European research, development, and enterprise environments, the vulnerability could impact confidentiality, integrity, and availability of critical AI workloads and related data.

European organizations should immediately upgrade all open-webui instances to version 0.6.6 or later to apply the official patch. Administrators must disable the "Enable Community Sharing" feature if public transcript sharing is not essential, reducing exposure to wormable XSS attacks. Implement strict input validation and output encoding on chat message rendering to prevent injection of executable scripts. Conduct regular audits of chat transcripts for suspicious content and revoke tokens or reset passwords for accounts suspected of compromise. Network segmentation should isolate open-webui servers from critical infrastructure to limit lateral movement in case of RCE. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious JavaScript payloads targeting open-webui endpoints. Educate users about the risks of opening untrusted chat transcripts and enforce the principle of least privilege for admin accounts to minimize impact if compromised. Finally, monitor openwebui.com and related community forums for emerging exploit reports and indicators of compromise.