Which versions of Openui are affected by CVE-2026-4995?

Organizations using wandb OpenUI should be aware of moderate risk from CVE-2026-4995, a cross-site scripting vulnerability rated CVSS 5.1.

Is there a public PoC exploit available for CVE-2026-4995?

Yes, a public proof-of-concept exploit is available for CVE-2026-4995. Prioritise patching immediately. EPSS: 0.0%.

Openui CVE-2026-4995

Q: What is the CVSS score of CVE-2026-4995?

CVE-2026-4995 has a CVSS 4.0 base score of 2.0 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-16917 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-03-28 VulDB

XSS Openui

2.0

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.0 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

5.1 (MEDIUM) 2.0 (LOW)

PoC Detected

Mar 30, 2026 - 13:26 vuln.today

Public exploit code

EUVD ID Assigned

Mar 28, 2026 - 11:00 euvd

EUVD-2026-16917

Analysis Generated

Mar 28, 2026 - 11:00 vuln.today

CVE Published

Mar 28, 2026 - 10:45 nvd

MEDIUM 5.1

DescriptionCVE.org

A vulnerability was determined in wandb OpenUI up to 1.0. Affected by this vulnerability is an unknown functionality of the file frontend/public/annotator/index.html of the component Window Message Event Handler. This manipulation causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stored cross-site scripting (XSS) in wandb OpenUI up to version 1.0 via the Window Message Event Handler in frontend/public/annotator/index.html allows authenticated remote attackers to inject malicious scripts with user interaction. The vulnerability has a low CVSS score (3.5) due to authentication and user-interaction requirements, but publicly available exploit code exists and the vendor has not responded to early disclosure notifications.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This is a low-priority vulnerability despite public exploit availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated user (e.g., an organization member with OpenUI access) crafts a malicious message payload targeting the Window Message Event Handler in the annotator interface. The attacker sends this payload (via postMessage or social engineering link) to trick another authenticated user into interacting with it within the annotator context. …
Remediation	Upgrade wandb OpenUI to a version newer than 1.0 when available from the vendor. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems running wandb OpenUI and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4995 vulnerability details – vuln.today

Back