Open WebUI XSS Vulnerability (CVE-2025-64495) Enables Remote Code Execution via Malicious Prompts
A critical vulnerability, CVE-2025-64495, has been identified in Open WebUI, a self-hosted web interface for running and managing LLM workflows. The flaw is a stored DOM-based cross-site scripting (XSS) issue in the "Insert Prompt as Rich Text" feature: prompt content saved by one user is later inserted into the page as HTML without adequate sanitization, so script embedded in a prompt runs in the browser of whoever inserts it. When that user is an administrator, the attacker-controlled script runs with the administrator's session privileges and, according to the published analysis, can be escalated to remote code execution, posing a significant risk to organizations that use Open WebUI to manage AI workflows and data.
Security researchers have published proof-of-concept (PoC) details and a technical analysis of the exploitation chain. Because the payload is stored, an attacker who can create or share a prompt does not need further access; the victim only has to use the affected feature on the crafted prompt. The case illustrates why user-supplied content that is rendered as HTML must be sanitized on output, particularly in applications whose administrators hold powerful server-side capabilities. Administrators should upgrade to a patched release, review existing stored prompts for unexpected markup, and, until the fix is deployed, avoid inserting prompts authored by other users as rich text from an administrator session.

How this story unfolded
Two events, listed from the most recent confirmed update back to the earliest known activity.
Researchers describe admin-to-RCE impact path for CVE-2025-64495
Follow-up reporting detailed how exploitation of CVE-2025-64495 could be chained from stored XSS to remote code execution by targeting an administrator: script executing in the admin's browser inherits whatever that session is authorized to do. The write-up identified malicious prompts as the delivery mechanism and clarified the severity of this attack path.
Stored DOM XSS in Open WebUI documented as CVE-2025-64495
A vulnerability affecting Open WebUI was publicly disclosed as CVE-2025-64495, described as a stored DOM XSS issue tied to the "Insert Prompt as Rich Text" feature. Because the payload is stored with the prompt, it executes whenever an administrator inserts that prompt as rich text, letting attacker-controlled script run in the administrator's browser session.
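The following is an added example illustrating the class of bug described above and two controls around it; it is not Open WebUI's code and does not reproduce the project's actual fix. The function names (renderPromptUnsafe, renderPromptRich, findSuspiciousMarkup, reviewPrompts), the allowed-tag list and the sample prompts are all constructed for illustration. It contrasts the vulnerable pattern (stored prompt text handed straight to innerHTML-style rendering) with an escape-then-readmit sanitizer that keeps simple formatting but leaves every attribute and unknown tag inert, and adds a triage check an administrator could run over stored prompts before the patch is rolled out.

```javascript
// Added example, not Open WebUI code. Demonstrates why a stored prompt inserted
// as rich text becomes a stored DOM XSS, and two defensive controls around it.
// All names and sample data below are constructed for illustration.

// Constructed sample: a "prompt" saved by a low-privileged user. The visible
// text is harmless; the markup carries an event handler that fires on render.
const MALICIOUS_PROMPT =
  'Summarize the attached report.<img src=x onerror="fetch(\'/api/v1/admin\')">';

// Vulnerable pattern: the stored string is handed to innerHTML-style rendering
// unchanged, so any tag or on* attribute in it executes in the viewer's session.
function renderPromptUnsafe(stored) {
  return stored; // exactly what would be assigned to element.innerHTML
}

// Escape the five characters that can start markup or break out of an attribute.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hardened pattern: escape everything, then re-admit only a fixed set of
// attribute-free formatting tags. Tags carrying attributes, scripts, URLs or
// unknown element names stay as inert escaped text.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'code', 'p', 'br']; // constructed allowlist
function renderPromptRich(stored) {
  const escaped = escapeHtml(stored);
  const re = new RegExp(`&lt;(\\/?)(${ALLOWED_TAGS.join('|')})&gt;`, 'gi');
  return escaped.replace(re, (_, slash, tag) => `<${slash}${tag.toLowerCase()}>`);
}

// Triage heuristic for an existing deployment: flag stored prompts whose
// content carries markup that has no business in user-authored prompt text.
// Patterns are deliberately broad; hits are for human review, not auto-blocking.
const SUSPICIOUS = [
  /<\s*script\b/i,
  /\bon[a-z]+\s*=/i,                      // onerror=, onload=, onclick= ...
  /javascript\s*:/i,
  /<\s*(iframe|object|embed|svg|math)\b/i,
  /srcdoc\s*=/i,
];
function findSuspiciousMarkup(stored) {
  return SUSPICIOUS.filter((re) => re.test(stored)).map((re) => re.source);
}

// Constructed stand-in for the prompt table of a deployment.
const STORED_PROMPTS = [
  { id: 1, author: 'alice', content: 'Write a <b>short</b> release note.' },
  { id: 2, author: 'mallory', content: MALICIOUS_PROMPT },
  { id: 3, author: 'bob', content: 'Translate to German: <script>alert(1)</script>' },
];

// Returns only the prompts that tripped at least one heuristic, with the hits.
function reviewPrompts(prompts) {
  return prompts
    .map((p) => ({ id: p.id, author: p.author, hits: findSuspiciousMarkup(p.content) }))
    .filter((p) => p.hits.length > 0);
}

// Stand-alone demonstration.
console.log('unsafe render :', renderPromptUnsafe(MALICIOUS_PROMPT));
console.log('hardened render:', renderPromptRich(MALICIOUS_PROMPT));
console.log('formatting kept:', renderPromptRich(STORED_PROMPTS[0].content));
console.log('flagged prompts:', JSON.stringify(reviewPrompts(STORED_PROMPTS)));
```

The escape-then-readmit design is safe because the only markup that survives is a literal `<tag>` or `</tag>` from a fixed list with no attributes, so there is no attribute surface for `on*` handlers or `javascript:` URLs to ride on. A production application that needs richer formatting should use a maintained HTML sanitizer rather than hand-rolled regexes; the example is there to show the invariant the fix must preserve, not to be dropped in as-is.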