Cross-site scripting in Open WebUI - CVE-2026-54013


Published: June 30, 2026


Vulnerability identifier: #VU135943
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-54013
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary script in a victim's browser and take over the victim's account.

The vulnerability exists due to insufficient handling of SVG content in the model profile image endpoint: a stored, attacker-controlled SVG is rendered by the browser as a document rather than served as an inert image. A remote user with permission to create or modify models can set a specially crafted profile_image_url on a model and then induce a victim to open the model image URL directly. Because the image is served from the application's own origin, the script embedded in the SVG runs in the victim's session, which is what makes account takeover possible.

User interaction is required: the victim must navigate to the model image URL (UI:P in the vector). Exploitation requires the permission to create or modify models (PR:L), so the issue is not reachable by unauthenticated visitors. The vector's VC:N/VI:N with SC:L/SI:L reflects that the impact lands on the victim's browser session rather than on the server itself.


How to mitigate CVE-2026-54013

Install the security update from the vendor's website. Until it is applied, limit which users hold the permission to create or modify models, since that permission is required to plant the crafted image. More generally, any endpoint that returns user-supplied images should determine the real format from the bytes rather than trusting a declared type, and should either reject SVG or serve it with headers that prevent script execution on direct navigation (Content-Disposition: attachment together with a sandboxed Content-Security-Policy); embedding via an img tag is unaffected by those headers.
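The pattern behind the issue described above and a hardened version of it, as an added example that is not Open WebUI's own code and does not reflect how the project's endpoint is implemented: a hypothetical image-serving helper that sniffs the real media type, refuses SVGs carrying active content, and otherwise serves them with headers under which a direct visit to the image URL cannot run script. The function names (sniff_image_type, svg_has_active_content, vulnerable_headers, hardened_headers) and the SVG samples are constructed here for illustration.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml

# Hypothetical helper names and constructed samples; this is not Open WebUI code.

RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"RIFF": "image/webp",  # RIFF container; bytes 8..12 must also read b"WEBP"
}

# A BOM, whitespace, an XML prolog, comments and a DOCTYPE may precede the <svg> root.
_SVG_ROOT = re.compile(
    rb"(?is)^(?:<\?xml[^>]*\?>\s*|<!--.*?-->\s*|<!DOCTYPE[^>]*>\s*)*<svg[\s>]"
)


def sniff_image_type(data: bytes) -> str | None:
    """Return the media type implied by the bytes themselves, ignoring any declared type."""
    for magic, mtype in RASTER_MAGIC.items():
        if data.startswith(magic):
            if mtype == "image/webp" and data[8:12] != b"WEBP":
                continue
            return mtype
    head = data[:4096].lstrip(b"\xef\xbb\xbf").lstrip()
    if _SVG_ROOT.match(head):
        return "image/svg+xml"
    return None


def _local(qname: str) -> str:
    """Strip a namespace prefix such as {http://www.w3.org/2000/svg} from a tag or attribute."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_has_active_content(data: bytes) -> bool:
    """True if the SVG contains anything that can execute script once rendered as a document."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True  # unparseable input is treated as unsafe, never as harmless
    for el in root.iter():
        name = _local(el.tag)
        # <script> and <foreignObject> (which can embed HTML) are the classic SVG XSS
        # carriers; SMIL elements (<set>, <animate>) can rewrite attributes such as href.
        if name in {"script", "foreignobject", "set", "animate"}:
            return True
        for attr, value in el.attrib.items():
            a = _local(attr)
            v = value.strip().lower()
            if a.startswith("on"):  # onload=, onclick=, onbegin=, ...
                return True
            if a == "href" and v.startswith(("javascript:", "data:")):  # also xlink:href
                return True
    return False


def vulnerable_headers(declared_type: str) -> dict[str, str]:
    """The stored-SVG XSS pattern: trust the declared type and let the browser render inline."""
    return {"Content-Type": declared_type}


def hardened_headers(data: bytes) -> dict[str, str] | None:
    """Headers for serving a stored image so a direct visit to its URL cannot run script.
    Returns None when the bytes should not be served at all."""
    mtype = sniff_image_type(data)
    if mtype is None:
        return None  # unknown or mis-declared format: refuse rather than guess
    headers = {
        "Content-Type": mtype,
        "X-Content-Type-Options": "nosniff",
        # A sandboxed, script-free CSP applies when the URL is opened as a document (the
        # attack path in the advisory); <img> embedding never executes SVG script anyway.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }
    if mtype == "image/svg+xml":
        if svg_has_active_content(data):
            return None
        # Second layer: force a download on direct navigation. <img src> still renders it.
        headers["Content-Disposition"] = 'attachment; filename="image.svg"'
    return headers


# Constructed samples (not taken from the advisory).
MALICIOUS_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
    b"<script>alert(document.domain)</script></svg>"
)
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4"/></svg>'
)
```

With these helpers, `hardened_headers(MALICIOUS_SVG)` returns None (the upload is refused), `hardened_headers(BENIGN_SVG)` returns the SVG type with the sandbox CSP and an attachment disposition, and a raster upload is served with the sniffed type regardless of what the client claimed. The rejection of unparseable input and of SMIL elements is a deliberately conservative choice for a profile image endpoint; an application that must accept richer SVG would instead rasterize on upload or run a dedicated SVG sanitizer.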
