SB2026051154 - Cross-site scripting in Open WebUI

Published: May 11, 2026

Security Bulletin ID SB2026051154
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in a victim's browser and disclose sensitive information.

The vulnerability exists due to cross-site scripting in the HTML rendering view when rendering chat content as HTML in a sandboxed iframe with script execution and same-origin access enabled. A remote user can inject a crafted script into chat content to execute arbitrary script in a victim's browser and disclose sensitive information.

User interaction is required, and exploitation against another user's context depends on vectors such as shared or imported conversations or uploaded content being rendered.
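The bulletin turns on one configuration detail: a sandboxed iframe that grants both script execution and same-origin access. The following is an added example, not Open WebUI's code; the names auditSandbox and renderUntrustedHtml are hypothetical. It flags that combination in an iframe's sandbox attribute and shows the hardened form (allow-scripts only, which gives the framed HTML an opaque origin), so that script injected into rendered chat content cannot reach the host application's cookies, storage or DOM.

```javascript
// Added example (hypothetical helper names, not Open WebUI code).
// With BOTH allow-scripts and allow-same-origin set, the framed document runs script
// while sharing the embedding page's origin: it can read the parent's DOM, cookies and
// storage, and can even strip its own sandbox attribute. That is what makes an XSS in
// rendered chat HTML reach the user's session instead of staying inside the frame.
const UNSAFE_PAIR = ["allow-scripts", "allow-same-origin"];

function parseSandbox(attr) {
  // sandbox tokens are whitespace-separated and case-insensitive
  return new Set(String(attr).trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Returns { tokens, safe, findings } for a sandbox attribute value.
// Pass null/undefined for an iframe that has no sandbox attribute at all.
function auditSandbox(attr) {
  if (attr === null || attr === undefined) {
    return { tokens: [], safe: false,
      findings: ["no sandbox attribute: content runs unrestricted in the embedder's origin"] };
  }
  const tokens = parseSandbox(attr);
  const findings = [];
  if (UNSAFE_PAIR.every((t) => tokens.has(t))) {
    findings.push("allow-scripts + allow-same-origin: frame shares the host origin, sandbox is ineffective");
  }
  if (tokens.has("allow-top-navigation")) {
    findings.push("allow-top-navigation: frame can navigate the top-level page");
  }
  return { tokens: [...tokens], safe: findings.length === 0, findings };
}

// Hardened renderer for untrusted HTML (browser only). allow-scripts WITHOUT
// allow-same-origin gives the frame an opaque origin, so injected script runs in
// isolation and cannot read the host application's cookies, localStorage or DOM.
function renderUntrustedHtml(container, html) {
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", "allow-scripts"); // deliberately not allow-same-origin
  frame.setAttribute("referrerpolicy", "no-referrer");
  frame.srcdoc = html; // inline document; no network fetch of attacker-chosen URL
  container.appendChild(frame);
  return frame;
}
```

auditSandbox can be run over a page's iframes with `[...document.querySelectorAll("iframe")].map(f => auditSandbox(f.getAttribute("sandbox")))` to spot the weak combination during a review.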


Remediation

Install update from vendor's website.