Cross-site scripting in Open WebUI - CVE-2026-54011
Published: June 30, 2026
Open WebUI
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser under the application origin.
The vulnerability exists due to cross-site scripting in the Mermaid markdown preview renderer when rendering attacker-controlled Mermaid content from a Markdown file. A remote user can upload or provide a specially crafted Markdown file to execute arbitrary JavaScript in the victim's browser under the application origin.
User interaction is required to open the crafted Markdown file in the preview panel.