Main Vulnerability Database SB2026050627

SB2026050627 - Cross-site scripting in Open WebUI

Published: May 6, 2026

Security Bulletin ID SB2026050627

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Cross-site scripting (CVE-ID: N/A)

The vulnerability allows a remote user to execute arbitrary JavaScript in the browser context of a pending user.

The vulnerability exists due to cross-site scripting in the AccountPending.svelte pending user overlay component when rendering admin-configured markdown content. A remote privileged user can configure a crafted markdown link with a javascript: URI to execute arbitrary JavaScript in the browser context of a pending user.

User interaction is required to click the crafted link in the pending user overlay.

Remediation

Install update from vendor's website.

References

https://github.com/open-webui/open-webui/security/advisories/GHSA-fq3v-xjjx-95rc