Cross-site scripting in Open WebUI - #VU130951


Published: May 11, 2026


Vulnerability identifier: #VU130951
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Open WebUI
Software vendor: Open WebUI

Description

The vulnerability allows a remote user to execute arbitrary script in the victim's browser and take over the victim's account.

The vulnerability exists due to cross-site scripting in the profile image handling and serving flow when processing an OAuth picture claim and serving the stored profile image as an inline SVG document. A remote user can set a crafted SVG picture URL via OAuth and trick a victim into opening the profile image URL to execute arbitrary script in the victim's browser and take over the victim's account.

User interaction is required, and exploitation requires either OAuth signup or OAuth picture synchronization on login to be enabled.
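The two controls the description implies, an ingestion gate for the OAuth picture claim and script-safe headers when serving the stored image, as an added Python example that is not Open WebUI's own code: the function names, the header set and the sample bytes are assumptions constructed for illustration.

```python
import re

# Raster formats an avatar pipeline needs; SVG is deliberately absent because an
# SVG document rendered inline is a full XML document that may carry script.
ALLOWED_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}

_SVG_MARKER = re.compile(rb"<\s*svg[\s>]", re.IGNORECASE)


def _mime(content_type: str) -> str:
    """Normalise 'image/png; charset=x' to 'image/png'."""
    return content_type.split(";")[0].strip().lower()


def looks_like_svg(body: bytes) -> bool:
    """Sniff the bytes: the MIME type a remote server declares is untrusted."""
    return _SVG_MARKER.search(body[:1024]) is not None


def accept_oauth_picture(body: bytes, content_type: str) -> bool:
    """Ingestion gate for a picture fetched from an OAuth 'picture' claim."""
    if _mime(content_type) not in ALLOWED_IMAGE_TYPES:
        return False
    # Reject when the declared type is raster but the payload is really SVG.
    return not looks_like_svg(body)


def profile_image_headers(stored_content_type: str) -> dict:
    """Response headers for serving a stored profile image (defence in depth
    for images stored before the gate existed): nosniff stops the browser
    re-typing the bytes, the CSP blocks script if the response is ever
    rendered as a document, and 'attachment' makes a direct navigation to the
    URL download instead of render; <img> tags still display the image."""
    mime = _mime(stored_content_type)
    if mime not in ALLOWED_IMAGE_TYPES:
        mime = "application/octet-stream"  # never serve unknown bytes inline
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Disposition": 'attachment; filename="profile-image"',
    }


# Constructed sample inputs (not taken from the advisory).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(16)
SVG_SAMPLE = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'
```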


Remediation

Install the security update from the vendor's website.

External links