{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T14:06:23.865","vulnerabilities":[{"cve":{"id":"CVE-2025-64496","sourceIdentifier":"security-advisories@github.com","published":"2025-11-08T02:15:35.443","lastModified":"2025-11-26T15:36:09.183","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35."},{"lang":"es","value":"Open WebUI es una plataforma de inteligencia artificial autoalojada diseñada para operar completamente sin conexión. Las versiones 0.6.224 y anteriores contienen una vulnerabilidad de inyección de código en la función de Conexiones Directas que permite a servidores de modelos externos maliciosos ejecutar JavaScript arbitrario en los navegadores de las víctimas a través de eventos de ejecución de Server-Sent Event (SSE). Esto conduce al robo de tokens de autenticación, a la toma de control completa de la cuenta y, cuando se encadena con la API de Funciones, permite la ejecución remota de código en el servidor backend. El ataque requiere que la víctima habilite las Conexiones Directas (deshabilitadas por defecto) y añada la URL del modelo malicioso del atacante, lo cual se puede lograr mediante ingeniería social del administrador y usuarios posteriores. Este problema está solucionado en la versión 0.6.35."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":5.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","baseScore":8.0,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.1,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-95"},{"lang":"en","value":"CWE-501"},{"lang":"en","value":"CWE-829"},{"lang":"en","value":"CWE-830"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*","versionEndExcluding":"0.6.35","matchCriteriaId":"E8274E63-8712-4A92-9161-E5D5EC241CD4"}]}]}],"references":[{"url":"https://github.com/open-webui/open-webui/commit/8af6a4cf21b756a66cd58378a01c60f74c39b7ca","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]},{"url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-cm35-v4vp-5xvx","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Third Party Advisory"]}]}}]}