Open WebUI CVE-2026-45665

Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Banner component due to an improper sanitization order (specifically, DOMPurify is executed before the marked library).

This vulnerability allows a compromised or malicious administrator to plant a malicious payload in the global banner. Crucially, this vector enables Privilege Escalation, as the malicious banner is rendered for all users, including the Super Admin (Primary Admin).

Consequently, the payload successfully bypasses the existing security mechanism. An attacker can leverage this to steal the Super Admin's session token

Details

Root Cause: The code attempts to sanitize the input using DOMPurify.sanitize() before parsing it with marked.parse().

DOMPurify cleans the raw input. Since [Link](javascript:alert(javascript:alert(localStorage.token))) is valid text (not HTML), it passes through DOMPurify unchanged. marked handles the text and converts it into a clickable HTML link: <a href="javascript:alert(javascript:alert(localStorage.token))">Link</a>. This resulting unsafe HTML is rendered directly via {@html ...} without further checks.

src/lib/components/common/Banner.svelte (Line 103)

{@html marked.parse(DOMPurify.sanitize((banner?.content ?? '').replace(/\n/g, '<br>')))}

POC

1. Attacker Action: Log in as a compromised Admin account and navigate to Settings > Interface > UI > Banners.
2. Injection: Add a new banner and enter the following payload in the content field. This payload creates a link that alerts the user's session token when clicked.

    [Click for Security Update](javascript:alert(localStorage.token))

1. Execution: Click Save. The malicious banner is now stored and active.
2. Victim Action (Privilege Escalation): The Primary Admin logs in and sees the banner on the main dashboard. Believing it to be a system notification, they click the link.

Victim Dashboard View:

<img width="880" height="245" alt="image" src="https://github.com/user-attachments/assets/b70d7f65-ab34-4634-9e78-2a8a7eda1439" />

1. Result: The JavaScript executes immediately within the Primary Admin's session, exposing their full-access token.

Impact

Extend permissions and damage to the entire system. You need administrator privileges to create banners, but this vulnerability is important because it can attack primary administrators and other administrators.

Destination: Other Administrators /Primary Administrators. Attack Vector: Corrupting all administrator accounts (even those with limited scope if future granular privileges exist or simply credentials are compromised) could allow an attacker to set traps for the default administrator. The result: Unlike self-XSS or simple administrator configuration changes, this allows you to capture active sessions for the most privileged users and bypass authentication controls such as MFA (because the session is already active).

Recommended Patch

Modify src/lib/components/common/Banner.svelte (Line 103):

{@html DOMPurify.sanitize(marked.parse((banner?.content ?? '').replace(/\n/g, '<br>')))}

Resolution

Fixed in v0.8.0. src/lib/components/common/Banner.svelte:103 now applies the sanitization in the correct order: DOMPurify.sanitize(marked.parse(...)). marked.parse runs first and converts [text](javascript:...) markdown into the corresponding HTML link element; DOMPurify.sanitize then strips the javascript: URL and any other dangerous attributes/elements before the result reaches {@html ...}.

Users on >= 0.8.0 are not affected.