Cross-site scripting in Open WebUI - #VU130929
Published: May 11, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script in a new browser tab.
The vulnerability exists because the profile_image_url field accepts a crafted data:text/html;base64,... value as a profile image URL. When that stored value is opened as an image in a new tab, the browser renders the embedded HTML rather than an image. A remote user can set a specially crafted profile image URL to execute arbitrary script in a new browser tab.
User interaction is required when the victim right-clicks the profile picture and chooses to open the image in a new tab. The script executes in the data: origin rather than the application origin.
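A defensive check of the kind that closes this class of issue, given here as an added example (this is not Open WebUI's code, and the page does not state how the project fixed the issue): a server-side validator for a profile image URL that accepts only http(s) URLs or base64-encoded data: URLs whose declared media type is a raster image and whose decoded bytes start with that type's magic number, so a data:text/html payload is rejected before it is stored. The function names, the allow-lists and the sample PNG header bytes are assumptions made for this example.

```python
import base64
import binascii
from urllib.parse import urlparse

# Assumed allow-lists for this example, not Open WebUI's configuration.
# SVG is deliberately absent: image/svg+xml can carry <script> as well.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_DATA_MIME = {"image/png", "image/jpeg", "image/gif", "image/webp"}

# Magic numbers the decoded payload must begin with for the declared type.
_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def _looks_like_image(raw: bytes, mime: str) -> bool:
    """Check the decoded bytes against the magic number of the declared type."""
    if mime == "image/webp":
        # WebP is a RIFF container: "RIFF" <size> "WEBP"
        return len(raw) >= 12 and raw[:4] == b"RIFF" and raw[8:12] == b"WEBP"
    return any(raw.startswith(magic) for magic in _MAGIC.get(mime, ()))


def is_safe_profile_image_url(url: str) -> bool:
    """Return True only for http(s) URLs or data: URLs carrying a raster image.

    A data:text/html;base64,... value (the vector described in the advisory)
    fails the media-type check; a data:image/png value whose bytes are not a
    PNG fails the magic-number check, so the declared type cannot be lied about.
    """
    if not isinstance(url, str) or not url.strip():
        return False
    url = url.strip()
    scheme = urlparse(url).scheme.lower()

    if scheme in ALLOWED_SCHEMES:
        # Require a host; "http:///x" and similar degenerate forms are rejected.
        return bool(urlparse(url).netloc)
    if scheme != "data":
        # javascript:, file:, blob: and everything else is rejected outright.
        return False

    # data:[<mediatype>][;base64],<data>  -- strip the 5-character "data:" prefix
    header, sep, payload = url[5:].partition(",")
    if not sep:
        return False
    params = [p.strip().lower() for p in header.split(";")]
    mime = params[0]
    if mime not in ALLOWED_DATA_MIME:
        return False
    if "base64" not in params[1:]:
        # Require base64 so the bytes can be decoded and inspected.
        return False
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return False
    return _looks_like_image(raw, mime)


# Constructed sample values for demonstration (not real profile data).
# The PNG sample is only the 8-byte signature plus padding, not a full image.
SAMPLE_PNG_DATA_URL = "data:image/png;base64," + base64.b64encode(
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
).decode()
# base64 of "<h1>hi</h1>": harmless HTML used to show the media-type rejection.
SAMPLE_HTML_DATA_URL = "data:text/html;base64,PGgxPmhpPC9oMT4="
# Same HTML bytes but mislabelled as a PNG: rejected by the magic-number check.
SAMPLE_MISLABELLED_URL = "data:image/png;base64,PGgxPmhpPC9oMT4="


if __name__ == "__main__":
    for candidate in (
        "https://example.com/avatar.png",
        SAMPLE_PNG_DATA_URL,
        SAMPLE_HTML_DATA_URL,
        SAMPLE_MISLABELLED_URL,
        "javascript:alert(1)",
    ):
        print(is_safe_profile_image_url(candidate), candidate[:40])
```

The check belongs on the write path (whatever endpoint stores profile_image_url), since the page notes the script runs in the data: origin on the client side, where the application's own Content-Security-Policy does not reach a top-level data: document; rejecting non-image data: URLs at storage time removes the vector regardless of how the browser later opens the value.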