Cross-site scripting in Open WebUI - #VU130930

Published: May 11, 2026


Vulnerability identifier: #VU130930
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in a victim's browser and disclose sensitive information.

The vulnerability exists due to cross-site scripting in the HTML rendering view when rendering chat content as HTML in a sandboxed iframe with script execution and same-origin access enabled. A remote user can inject a crafted script into chat content to execute arbitrary script in a victim's browser and disclose sensitive information.

User interaction is required, and exploitation against another user's context depends on vectors such as shared or imported conversations or uploaded content being rendered.
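The weak setting the description refers to is the combination of `allow-scripts` and `allow-same-origin` in an iframe's `sandbox` attribute: a script running in a frame that shares the parent page's origin can reach the parent document, its storage and its cookies, and can even remove the `sandbox` attribute from its own frame. The following added example (not Open WebUI's code; the function names, the `SAMPLE_PAGE` markup and the `renderUntrustedHtml` helper are all constructed for illustration) audits `sandbox` attribute values for that combination and shows the hardened form, which keeps `allow-scripts` but drops `allow-same-origin` so the rendered HTML runs in an opaque origin:

```javascript
// Added example: lint iframe sandbox attributes for the
// allow-scripts + allow-same-origin combination. Runs in Node or a browser.

// Tokens defined by the HTML spec for the sandbox attribute.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Split a sandbox attribute value into a Set of lowercase tokens.
function parseSandbox(attrValue) {
  return new Set(
    String(attrValue ?? "").toLowerCase().split(/\s+/).filter(Boolean)
  );
}

// Report the risky combinations in one attribute value.
function auditSandbox(attrValue) {
  const tokens = parseSandbox(attrValue);
  const findings = [];
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push(
      "allow-scripts with allow-same-origin: framed script shares the parent origin " +
      "and can reach parent DOM/storage and strip its own sandbox"
    );
  }
  if (tokens.has("allow-top-navigation")) {
    findings.push("allow-top-navigation: framed content may navigate the top page");
  }
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) findings.push(`unknown token ignored by browsers: ${t}`);
  }
  return { tokens: [...tokens], findings, safe: findings.length === 0 };
}

// Hardened form: keep scripts, but never grant same-origin alongside them.
function hardenSandbox(attrValue) {
  const tokens = parseSandbox(attrValue);
  if (tokens.has("allow-scripts")) tokens.delete("allow-same-origin");
  tokens.delete("allow-top-navigation");
  return [...tokens].join(" ");
}

// Scan raw page markup for <iframe> tags and audit each one's sandbox attribute.
// A missing attribute is reported as a finding: the frame is not sandboxed at all.
function scanIframes(html) {
  const results = [];
  for (const tag of html.match(/<iframe\b[^>]*>/gi) ?? []) {
    const m = /\bsandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i.exec(tag);
    if (!m) {
      results.push({ tag, tokens: [], findings: ["no sandbox attribute"], safe: false });
      continue;
    }
    results.push({ tag, ...auditSandbox(m[1] ?? m[2] ?? m[3] ?? "") });
  }
  return results;
}

// Browser-only helper: render untrusted HTML in a frame with the hardened
// attribute. Guarded so the module still loads under Node for the audit above.
function renderUntrustedHtml(container, html) {
  if (typeof document === "undefined") return null;
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", hardenSandbox("allow-scripts allow-same-origin"));
  frame.srcdoc = html; // srcdoc content inherits an opaque origin without allow-same-origin
  container.appendChild(frame);
  return frame;
}

// Constructed sample markup: one weak frame, one hardened frame, one unsandboxed frame.
const SAMPLE_PAGE = `
<div class="chat">
  <iframe id="weak" srcdoc="untrusted" sandbox="allow-scripts allow-same-origin"></iframe>
  <iframe id="ok" srcdoc="untrusted" sandbox="allow-scripts"></iframe>
  <iframe id="none" srcdoc="untrusted"></iframe>
</div>`;

for (const r of scanIframes(SAMPLE_PAGE)) {
  console.log(r.safe ? "OK  " : "RISK", r.tag, r.findings.join("; "));
}
```

Run it under Node to see the three verdicts; in a page, `renderUntrustedHtml` is the pattern to prefer over granting both tokens. Note that a script in a frame without `allow-same-origin` still executes, so the check only removes the ability to read the parent's origin; sanitising the HTML before rendering remains a separate control.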


Remediation

Install security update from vendor's website.

Sources