CVE-2025-46719 affects Open WebUI prior to version 0.6.6. The vulnerability is caused by unsafe rendering of attacker-controlled HTML in chat messages/transcripts. According to the provided content, the vulnerable code paths include src/lib/components/chat/Messages/Markdown/MarkdownTokens.svelte and MarkdownInlineTokens.svelte, where attacker-supplied token.text could be rendered via Svelte {@html} under certain conditions involving HTML tags such as iframe referencing the local file API path /api/v1/files/. This allows a malicious chat transcript to persistently inject JavaScript that executes whenever the transcript is opened in a victim's browser. The executed script can access browser-side token storage and exfiltrate the victim's access token, enabling account takeover. Because transcripts can be shared with other users on the same server, and potentially publicly when community sharing is enabled, the issue is a stored XSS with cross-user reach and possible wormable propagation. The content further states that if the victim is an administrator, the stolen token can be used to create a new function containing malicious Python code, leading to remote code execution on the Open WebUI backend host.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
openwebui.com, allowing silent propagation to additional viewers.If you can’t patch tonight, do this now.
Patch, then assume compromise.
DOMPurify.sanitize(token.text) in the patched HTMLToken.svelte path and stricter handling of HTML tokens. For containerized deployments, pull the latest fixed image and recreate the deployment. Review and remove any malicious shared transcripts, rotate potentially exposed access tokens, and audit administrative functions or plugins for unauthorized additions if compromise is suspected.No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A high-severity client-side code injection/XSS-style vulnerability in Open WebUI that can enable administrative session token theft, arbitrary process execution on the Docker container or local application host, and potentially worm-like self-propagation through shared chat transcripts.
A stored XSS and administrative RCE vulnerability in Open WebUI prior to 0.6.6 mentioned only in related content.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.