SB2026050527 - Cross-site scripting in Open WebUI




Published: May 5, 2026

Security Bulletin ID: SB2026050527
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Cross-site scripting (CVE-ID: N/A)

The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of another user.

The vulnerability exists because the chat UI renders model descriptions without neutralizing javascript: links. A remote user can create a model description containing such a link to execute arbitrary JavaScript in the browser of another user.

User interaction is required: the victim must view the malicious model and click the rendered hyperlink.
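
One way to neutralize the javascript: link described above is to allowlist URL schemes at the point where the description is rendered. This is an added example, not Open WebUI's code or the vendor's patch; it assumes descriptions carry Markdown-style [label](url) links, and safeHref, renderDescription and the webui.example origin are hypothetical names.

```javascript
// Added example; safeHref and renderDescription are hypothetical names,
// not functions from Open WebUI.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const BASE = 'https://webui.example/'; // assumed origin for relative links

// Parse the way a browser does instead of string-matching a prefix: the
// WHATWG URL parser lowercases the scheme and ignores leading spaces and
// embedded tab/newline characters, so the check sees what a click would use.
function safeHref(raw) {
  let url;
  try {
    url = new URL(String(raw), BASE);
  } catch {
    return null; // unparseable: do not render as a link
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Renders [label](url) links; all other text is HTML-escaped. A link whose
// scheme is not allowlisted is reduced to its label as plain text.
function renderDescription(description) {
  const linkRe = /\[([^\]]*)\]\(([^)]*)\)/g;
  let out = '';
  let last = 0;
  for (const m of description.matchAll(linkRe)) {
    out += escapeHtml(description.slice(last, m.index));
    const href = safeHref(m[2]);
    out += href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(m[1])}</a>`
      : escapeHtml(m[1]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(description.slice(last));
}

// Constructed sample descriptions (not taken from the bulletin).
const samples = [
  'Fast model, see [docs](https://example.com/docs)',
  'Click [here](javascript:x) for details',
  'Click [here]( JaVa\tScript:x) for details',
];
for (const s of samples) console.log(renderDescription(s));
```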


Remediation

Install the update from the vendor's website.