Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
There is a Cross-Site Scripting vulnerability in Open WebUI SVG renderer implementation.
Details
It is possible permanently save any HTML/JavaScript code in the application, which can be then executed in the context of the application domain. This behaviour can be used to extract and steal sensitive data from the application, manipulate DOM tree or being used in complex client-side attacks.
Detailed step-by-step instruction provided below. Please keep me updated about assigned CVE identifier. I'd like to be credited as: Jakub Żoczek [Securitum]
PoC
Steps to reproduce:
To reproduce this vulnerability you need to:
- Login to Open WebUI
- Start new conversation / thread
- Use prompt: "Hey. Can you draw me a green circle using SVG ?"
- SVG image should be generated.
- Now it's possible to edit the code by simply clicking on it and adding additional code. Add payload
<img src=a onerror=alert(document.domain)> - The whole code should look like this:
<svg width="100" height="100" xmlns="http://www.w3.org/2000/svg">
<circle cx="50" cy="50" r="40" fill="green"/>
</svg><img src="a" onerror="alert(document.domain)">ok</img><img width="1249" alt="AI XSS1" src="https://github.com/user-attachments/assets/75167880-79ac-4510-9743-f99bf81a215d" />
- Now clicking "Save", the new image should get rendered, and malicious code - executed (by popping alert).
<img width="527" alt="AI XSS2" src="https://github.com/user-attachments/assets/24d4e572-97f0-438f-993d-08e1d421b349" />
Such thread could be then shared and sent to other users.
Impact
Cross-Site Scripting allows attacker to execute malicious code in context of victim's browser. This way it could be used in malicious client-side attack achieving different things, depends on attacker's goal. Such thread with rendered SVG could be shared to other user (or administrator) and gain sensitive data or even takeover someone's account.
AnalysisAI
Stored cross-site scripting (XSS) in Open WebUI's SVG renderer allows authenticated users to permanently inject malicious HTML and JavaScript code into conversation threads by editing SVG content, which executes in the browser context of any user viewing the shared thread. The vulnerability affects npm package open-webui versions prior to 0.6.31 and enables account takeover, data theft, and DOM manipulation. Publicly available proof-of-concept demonstrates code execution via img tag onerror handler embedded in SVG markup.
Technical ContextAI
Open WebUI renders user-editable SVG code in conversations without proper sanitization of embedded HTML elements. The vulnerability stems from insufficient input validation in the SVG renderer component, which allows injection of non-SVG HTML elements (such as img tags with event handlers) that are executed by the browser. The root cause is classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a variant of improper output encoding. The npm package open-webui contains the vulnerable SVG parsing and rendering logic that fails to strip or escape HTML payloads before storing and displaying user-generated SVG content.
RemediationAI
Upgrade Open WebUI npm package immediately to version 0.6.31 or later, which contains vendor-released patches addressing SVG sanitization. Execute 'npm update open-webui@0.6.31' or equivalent package manager command and restart the application. As a temporary compensating control for deployments unable to patch immediately, disable SVG editing features by restricting access to the SVG code editor endpoint (typically /api/messages/edit or equivalent conversation editing routes) at the reverse proxy or application-level access control layer - note that this prevents legitimate SVG usage and is not a permanent solution. Additionally, audit all existing conversations for injected payloads by searching the database for HTML elements outside valid SVG namespaces (e.g., img, script, iframe tags) in stored message content. Consider implementing a Web Application Firewall rule to block requests containing onerror, onload, or other event handler attributes in conversation edit operations. Inform users not to click links to potentially untrusted shared conversations until patching is complete.
Same weakness CWE-80 – Basic XSS
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30651
GHSA-r29h-37fj-x2w6