Cross-site scripting in Open WebUI - CVE-2026-54011


Published: June 30, 2026


Vulnerability identifier: #VU135947
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-54011
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Open WebUI
Affected software:
Open WebUI

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser under the application origin.

The vulnerability exists due to cross-site scripting in the Mermaid Markdown preview renderer when rendering attacker-controlled Mermaid content from a Markdown file. A remote user can upload or provide a specially crafted Markdown file to execute arbitrary JavaScript in the victim's browser under the application origin.

User interaction is required to open the crafted Markdown file in the preview panel.


How to mitigate CVE-2026-54011

Install the security update from the vendor's website.

Sources