What is the CVSS score of CVE-2026-26192?

CVE-2026-26192 has a CVSS 3.1 base score of 7.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of AI / ML are affected by CVE-2026-26192?

Open WebUI instances running versions prior to 0.7.0 are vulnerable to HTML injection attacks through manually modified chat history metadata.

Is there a public PoC exploit available for CVE-2026-26192?

Yes, a public proof-of-concept exploit is available for CVE-2026-26192. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-26192?

Within 24 hours: Identify and inventory all Open WebUI deployments and their current versions; disable manual chat history editing if possible and restrict access to chat data. Within 7 days: Implement input validation and output encoding for all chat metadata fields; monitor for suspicious chat history modifications in audit logs. Within 30 days: Upgrade to Open WebUI version 0.7.0 or later when available; conduct security testing to verify the vulnerability is remediated.

AI / ML CVE-2026-26192

HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-02-19 security-advisories@github.com

XSS AI / ML Open Webui

7.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.3 HIGH

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

PoC Detected

Feb 20, 2026 - 20:17 vuln.today

Public exploit code

CVE Published

Feb 19, 2026 - 20:25 nvd

HIGH 7.3

DescriptionGitHub Advisory

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, aanually modifying chat history allows setting the html property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML, and render them in an iFrame when the citation is previewed. This allows stored XSS via a weaponized document payload in a chat. The payload also executes when the citation is viewed on a shared chat. Version 0.7.0 fixes the issue.

AnalysisAI

Stored XSS in Open WebUI prior to version 0.7.0 allows authenticated users to inject malicious HTML payloads into chat document metadata, which execute in the browser when citations are previewed or viewed in shared chats. Public exploit code exists for this vulnerability, and an attacker with login access can compromise any user who interacts with their weaponized chat documents. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Manually modify chat history JSON

Exploit

Set html property in document metadata

Execution

Frontend renders metadata as HTML in iFrame

Impact

Stored XSS payload executes on citation preview