Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Open WebUI - #VU130941

 


Published: May 11, 2026


Vulnerability identifier: #VU130941
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in the SVG renderer when it renders edited SVG content. A remote user can save crafted HTML or JavaScript in a thread and share it with another user to execute arbitrary script in the victim's browser.

User interaction is required: another user must open the shared thread containing the rendered SVG.
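
The control missing in the description above is neutralization of user-edited SVG before it is rendered to another user. The following is an added example, not Open WebUI's code or the vendor's fix: an allowlist-based SVG sanitizer in Python that fails closed, where the allowlists, function names and sample input are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Allowlists constructed for this example: shapes and text only. No script,
# foreignObject, style, links or animation elements; no href, style or on*.
ALLOWED_TAGS = {"svg", "g", "path", "rect", "circle", "ellipse", "line",
                "polyline", "polygon", "text", "tspan", "title", "desc"}
ALLOWED_ATTRS = {"viewBox", "width", "height", "x", "y", "x1", "y1", "x2",
                 "y2", "cx", "cy", "r", "rx", "ry", "d", "points", "fill",
                 "stroke", "stroke-width", "opacity", "transform"}

def split_name(name):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if name.startswith("{"):
        ns, _, local = name[1:].partition("}")
        return ns, local
    return "", name

def _clean(elem):
    for name, value in list(elem.attrib.items()):
        ns, local = split_name(name)
        # Unknown, namespaced (xlink:href) or url()-bearing attributes go.
        if ns or local not in ALLOWED_ATTRS or "url(" in value.lower():
            del elem.attrib[name]
    for child in list(elem):
        ns, local = split_name(child.tag)
        if ns == SVG_NS and local in ALLOWED_TAGS:
            _clean(child)
        else:
            elem.remove(child)  # drop the whole subtree, not just the tag

def sanitize_svg(markup):
    """Return allowlisted, re-serialized SVG, or None if it must be rejected."""
    upper = markup.upper()
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        return None  # no DTDs, so no entity-expansion tricks
    try:
        root = ET.fromstring(markup)
    except ET.ParseError:
        return None  # fail closed on anything that is not well-formed XML
    if split_name(root.tag) != (SVG_NS, "svg"):
        return None  # root must be <svg> in the SVG namespace
    _clean(root)
    ET.register_namespace("", SVG_NS)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: one harmless shape plus three script-bearing constructs.
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10" '
          'onload="probe()"><script>probe()</script><foreignObject>'
          '<b xmlns="http://www.w3.org/1999/xhtml" onclick="probe()">x</b>'
          '</foreignObject><rect width="10" height="10" fill="red"/></svg>')
```

Calling `sanitize_svg(SAMPLE)` keeps only the `<svg>` root with its `viewBox` and the `<rect>`; the sanitized string, not the stored original, is what should reach the renderer.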


Remediation

Install the security update from the vendor's website.

Sources