Cross-site scripting in Open WebUI - CVE-2026-26192

Published: April 24, 2026


Vulnerability identifier: #VU127472
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-26192
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in the citation preview iframe rendering in CitationModal.svelte when previewing a citation whose document content is attacker-controlled and marked as HTML. A remote user can modify the chat history to set the html metadata property on a citation and inject a crafted document payload, which executes arbitrary script in the victim's browser when the citation is previewed.

User interaction is required: the victim must expand the sources and click the document containing the payload. The payload also executes when the citation is viewed in a shared chat.
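The following is an added illustration, not code from Open WebUI or from this advisory. It models in plain JavaScript the pattern the description implies: a citation renderer that lets a user-editable html flag in chat metadata decide whether document content reaches an iframe as raw HTML, shown next to a hardened variant that takes the decision from a server-side signal (the trustedHtml parameter is an assumption) and always sandboxes the iframe. It also includes a small audit helper for defenders that scans an exported chat history for citations carrying the html flag. The citation, chat shape and payload string are constructed for the example.

```javascript
// Added example, not Open WebUI's code: hypothetical citation-preview renderer
// (unsafe and hardened variants) plus an audit helper over a constructed chat
// history shape (messages[].sources[].metadata).

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe pattern (hypothetical): metadata.html is read from the stored chat,
// which the user can edit, so attacker-supplied content becomes the iframe's
// srcdoc with no sandbox attribute at all.
function renderCitationUnsafe(citation) {
  const { content, metadata = {} } = citation;
  if (metadata.html) {
    return { srcdoc: content, sandbox: null };
  }
  return { srcdoc: `<pre>${escapeHtml(content)}</pre>`, sandbox: null };
}

// Hardened pattern: the HTML decision comes from a non-user-editable signal
// (trustedHtml, an assumed parameter supplied by the server), never from chat
// metadata, and the iframe always carries an empty sandbox attribute (no
// allow-scripts, opaque origin) so even trusted HTML cannot run script in the
// application's origin.
function renderCitationSafe(citation, { trustedHtml = false } = {}) {
  const { content } = citation;
  const sandbox = "";
  if (trustedHtml) {
    return { srcdoc: content, sandbox };
  }
  return { srcdoc: `<pre>${escapeHtml(content)}</pre>`, sandbox };
}

// Audit helper for defenders: report every citation in an exported chat whose
// html flag is set, i.e. the precondition the advisory describes.
function findHtmlFlaggedCitations(chat) {
  const hits = [];
  for (const [mi, msg] of (chat.messages || []).entries()) {
    for (const [si, src] of (msg.sources || []).entries()) {
      if (src.metadata && src.metadata.html === true) {
        hits.push({ message: mi, source: si, title: src.title || "(untitled)" });
      }
    }
  }
  return hits;
}

// Constructed sample: a citation whose metadata was edited to claim HTML.
const SAMPLE_CITATION = {
  title: "quarterly-report.pdf",
  content: '<p>Summary</p><script>document.title = "injected";</script>',
  metadata: { html: true },
};

// Constructed sample chat export containing that citation on the reply.
const SAMPLE_CHAT = {
  messages: [
    { role: "user", content: "summarise the report", sources: [] },
    { role: "assistant", content: "Here is the summary [1].", sources: [SAMPLE_CITATION] },
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderCitationUnsafe(SAMPLE_CITATION));
  console.log("safe:", renderCitationSafe(SAMPLE_CITATION));
  console.log("audit:", findHtmlFlaggedCitations(SAMPLE_CHAT));
}
```

Run with node to see that the unsafe renderer passes the script tag through unchanged while the hardened one emits only escaped text inside a sandboxed frame; the audit helper points at message 1, source 0, which is where an operator reviewing a shared chat would look first.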


How to mitigate CVE-2026-26192

Install the security update from the vendor's website.
