Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Network-reachable upload requires a low-privileged account (PR:L) and victim click (UI:R); script runs under app origin affecting another user (S:C) with high C/I impact and no availability effect.
Primary rating from Vendor (https://github.com/open-webui/open-webui).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
Summary
Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML.
Because Mermaid is configured with securityLevel: 'loose', attacker-controlled Mermaid content can be rendered unsafely in this flow. A working payload was validated through the Markdown preview path, resulting in JavaScript execution in the victim’s browser under the application origin.
This is a confirmed stored XSS vulnerability reachable through normal product functionality.
Affected Version
main- Reproduced on
v0.8.12
Affected Code
Mermaid is initialized in permissive mode:
https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/utils/index.ts#L1698 The file preview path renders Mermaid output and injects the returned SVG into the DOM:
https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/FileNav/FilePreview.svelte#L133
Impact
A successful exploit allows JavaScript execution in the victim’s browser under the Open WebUI origin when a malicious Markdown file is opened in the preview panel.
PoC
A malicious .md file containing the follwowing contents can be used to trigger the bug:
flowchart LR A[click me] click A href "javascript:alert(document.domain)" "x"
Steps to reproduce: 1- Create a new chat 2- Enable Code Interpreter and browse and upload the file with .md extension. <img width="331" height="258" alt="image" src="https://github.com/user-attachments/assets/bce2b754-56d1-4da1-90a9-22bcb93269f2" /> 3- Clicking on the file, and clicking click me should pop an alert <img width="1103" height="485" alt="image" src="https://github.com/user-attachments/assets/18754486-799b-434e-a2fc-dd7c09956a29" />
Remediation
Since mermaid has DOMPurify as a built-in, it is recommended to use the strict mode instead of loose.
AnalysisAI
Stored cross-site scripting in Open WebUI up to and including v0.9.5 allows authenticated users to execute arbitrary JavaScript in another user's browser under the application origin by uploading a malicious Markdown file containing a crafted Mermaid diagram. The flaw stems from Mermaid being initialized with securityLevel:'loose' and its SVG output being injected via innerHTML in the file preview panel. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis beyond the PoC, and the issue is not listed in CISA KEV.
Technical ContextAI
Open WebUI (pip package open-webui) is a self-hosted web interface for LLMs written in Svelte/TypeScript. It uses the Mermaid diagram library to render flowcharts embedded in Markdown via fenced `mermaid code blocks. In src/lib/utils/index.ts the application calls mermaid.initialize with securityLevel:'loose', which disables Mermaid's built-in DOMPurify sanitization and permits javascript: URIs in click directives. The rendered SVG is then inserted into the DOM with innerHTML in src/lib/components/chat/FileNav/FilePreview.svelte, propagating the unsafe link into a live, clickable element under the Open WebUI origin. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a sink-side trust failure where attacker-controlled diagram syntax is treated as trusted markup.
RemediationAI
Upgrade Open WebUI to version 0.9.6 or later (Vendor-released patch: 0.9.6), available via pip install --upgrade open-webui and tracked at https://github.com/open-webui/open-webui/security/advisories/GHSA-v8qj-hxv7-mgvv; the underlying fix changes Mermaid initialization from securityLevel:'loose' to 'strict' so Mermaid's built-in DOMPurify sanitizes output. Where immediate patching is not possible, restrict Markdown/file uploads to trusted users, disable the Code Interpreter file-preview feature, or front the application with a Content Security Policy that forbids inline event handlers and javascript: URIs - noting that a strict CSP may break other Open WebUI rendering features and that limiting uploads reduces collaborative functionality.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38531
GHSA-v8qj-hxv7-mgvv