Cross-site scripting in Open WebUI - #VU130928

Published: May 11, 2026


Vulnerability identifier: #VU130928
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in the application origin.

The vulnerability exists due to cross-site scripting in the profile image handling for profile_image_url and GET /api/v1/users/{user_id}/profile/image when processing a crafted data:image/svg+xml;base64,... profile image URL. A remote user can supply a specially crafted profile image URL to execute arbitrary script in the application origin.

User interaction is required to load the malicious profile image URL, and successful exploitation can enable JWT theft from localStorage and account takeover.
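The server-side check that closes this class of issue is to accept only allow-listed raster types for a data: profile image and to verify the decoded bytes against that type, so an SVG document can never be stored and later served from the application origin. The code below is an added example, not Open WebUI's own code; the allow-list, the header set and the sample URLs are assumptions constructed for the demonstration.

```python
import base64
import re

# Raster types an avatar may declare, mapped to the magic bytes the decoded
# body must start with. SVG is deliberately absent: it is XML that can carry
# script, which is the vector the advisory describes.
ALLOWED_TYPES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
DATA_URL_RE = re.compile(r"^data:([a-z0-9.+/-]+)(;[^,]*)?,(.*)$", re.I | re.S)

def validate_profile_image_url(url: str) -> tuple[bool, str]:
    """Return (accepted, reason). Only base64 data URLs whose declared type is
    allow-listed and whose bytes really start with that type's signature pass."""
    m = DATA_URL_RE.match(url.strip())
    if not m:
        return False, "not a data URL"
    mime = m.group(1).lower()
    params = (m.group(2) or "").lower().split(";")
    if mime not in ALLOWED_TYPES:
        return False, f"disallowed media type {mime}"
    if "base64" not in params:
        return False, "payload must be base64"
    try:
        body = base64.b64decode(m.group(3), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "malformed base64"
    if not body.startswith(ALLOWED_TYPES[mime]):
        return False, "content does not match declared media type"
    return True, "ok"

def profile_image_headers(mime: str) -> dict[str, str]:
    """Defence in depth for the serving endpoint: pin the type, forbid
    sniffing, and sandbox the response so it can never script the origin."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

# Constructed samples for demonstration (not taken from the advisory).
SAMPLE_PNG_URL = "data:image/png;base64," + base64.b64encode(
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()
SAMPLE_SVG_URL = "data:image/svg+xml;base64," + base64.b64encode(
    b"<svg xmlns='http://www.w3.org/2000/svg'/>").decode()
SAMPLE_MISLABELLED_URL = "data:image/png;base64," + SAMPLE_SVG_URL.split(",", 1)[1]
```

The mislabelled sample shows why the declared type alone is not enough: a payload announced as PNG but containing XML is rejected by the signature check, not the allow-list.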


Remediation

Install the security update from the vendor's website.

Sources