Cross-site scripting in Open WebUI - #VU129658

 


Published: May 5, 2026


Vulnerability identifier: #VU129658
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of another user.

The vulnerability exists due to cross-site scripting in model description rendering in the chat UI when processing a crafted model description containing a javascript: link. A remote user can create a malicious model description to execute arbitrary JavaScript in the browser of another user.

User interaction is required, and the victim must view the malicious model and click the rendered hyperlink.
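
A common mitigation for this class of bug is to check a link's scheme against an allowlist before the description is rendered. The sketch below is an added example, not Open WebUI's code or the vendor's fix; `safeHref`, `renderDescription`, `ALLOWED_SCHEMES`, the simplified `[text](target)` link syntax and the `https://app.invalid/` base are assumptions.

```javascript
// Added example: scheme allowlist for links in user-supplied model descriptions.
// All names here are hypothetical; BASE stands in for the application's own origin.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const BASE = "https://app.invalid/";

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Returns a normalized href, or null when the scheme is not allowlisted.
// The WHATWG URL parser is used instead of a regex on the raw string so that
// case and whitespace are normalized the way a browser's parser would do it
// before the scheme is compared. Relative targets resolve against BASE.
function safeHref(raw) {
  let url;
  try {
    url = new URL(String(raw), BASE);
  } catch {
    return null; // unparseable target: treat as unsafe
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Renders [text](target) links in a description; everything else is escaped.
// A link whose target fails the check is kept as plain text with no anchor.
function renderDescription(md) {
  const link = /\[([^\]]*)\]\(([^)\s]*)\)/g;
  let out = "";
  let last = 0;
  for (const m of md.matchAll(link)) {
    out += escapeHtml(md.slice(last, m.index));
    const href = safeHref(m[2]);
    out += href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(m[1])}</a>`
      : escapeHtml(m[1]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(md.slice(last));
}

// Constructed sample descriptions (not taken from the advisory).
const samples = [
  "Docs: [guide](https://example.com/guide)",
  "Click [here](javascript:x) for details",
];
for (const s of samples) console.log(renderDescription(s));
```

The check belongs at render time as well as on save, so that descriptions stored before the fix are also neutralized.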


Remediation

Install the security update from the vendor's website.

Sources