Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Network-reachable upload requires a low-privileged account (PR:L) and victim click (UI:R); script runs under app origin affecting another user (S:C) with high C/I impact and no availability effect.
Primary rating from Vendor (https://github.com/open-webui/open-webui).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
Summary
Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML.
Because Mermaid is configured with securityLevel: 'loose', attacker-controlled Mermaid content can be rendered unsafely in this flow. A working payload was validated through the Markdown preview path, resulting in JavaScript execution in the victim’s browser under the application origin.
This is a confirmed stored XSS vulnerability reachable through normal product functionality.
Affected Version
main- Reproduced on
v0.8.12
Affected Code
Mermaid is initialized in permissive mode:
https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/utils/index.ts#L1698 The file preview path renders Mermaid output and injects the returned SVG into the DOM:
https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/FileNav/FilePreview.svelte#L133
Impact
A successful exploit allows JavaScript execution in the victim’s browser under the Open WebUI origin when a malicious Markdown file is opened in the preview panel.
PoC
A malicious .md file containing the follwowing contents can be used to trigger the bug:
flowchart LR A[click me] click A href "javascript:alert(document.domain)" "x"
Steps to reproduce: 1- Create a new chat 2- Enable Code Interpreter and browse and upload the file with .md extension. <img width="331" height="258" alt="image" src="https://github.com/user-attachments/assets/bce2b754-56d1-4da1-90a9-22bcb93269f2" /> 3- Clicking on the file, and clicking click me should pop an alert <img width="1103" height="485" alt="image" src="https://github.com/user-attachments/assets/18754486-799b-434e-a2fc-dd7c09956a29" />
Remediation
Since mermaid has DOMPurify as a built-in, it is recommended to use the strict mode instead of loose.
AnalysisAI
Stored cross-site scripting in Open WebUI up to and including v0.9.5 allows authenticated users to execute arbitrary JavaScript in another user's browser under the application origin by uploading a malicious Markdown file containing a crafted Mermaid diagram. The flaw stems from Mermaid being initialized with securityLevel:'loose' and its SVG output being injected via innerHTML in the file preview panel. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) an Open WebUI instance running a vulnerable version (≤ 0.9.5) where Mermaid is initialized with securityLevel:'loose', (2) an attacker holding low-privileged credentials sufficient to start a chat and upload files with Code Interpreter enabled, (3) a victim user who subsequently opens the malicious .md attachment in the file preview panel AND clicks the rendered Mermaid node containing the javascript: href, and (4) absence of a restrictive Content Security Policy blocking javascript: URIs. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N reflects a network-reachable, low-complexity attack that requires a low-privileged uploader and a victim interaction (opening the file and clicking the diagram), with a scope change because script runs in the victim's browser under the Open WebUI origin rather than the uploader's session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privileged Open WebUI account creates a chat, enables Code Interpreter, and uploads a .md file containing a Mermaid flowchart whose click directive points to a javascript: URI; the file persists in the workspace. When an administrator or another user opens the file preview and clicks the rendered node, arbitrary JavaScript executes in their browser under the Open WebUI origin, enabling session token theft, CSRF against admin endpoints, or pivot into account takeover. … |
| Remediation | Upgrade Open WebUI to version 0.9.6 or later (Vendor-released patch: 0.9.6), available via pip install --upgrade open-webui and tracked at https://github.com/open-webui/open-webui/security/advisories/GHSA-v8qj-hxv7-mgvv; the underlying fix changes Mermaid initialization from securityLevel:'loose' to 'strict' so Mermaid's built-in DOMPurify sanitizes output. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all Open WebUI deployments and confirm versions ≤0.9.5; disable file upload and Markdown preview features immediately as interim control. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38531
GHSA-v8qj-hxv7-mgvv