CVE-2026-45231

DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or updat...

PT-2026-41718

Name of the Vulnerable Software and Affected Versions DumbAssets versions 1.0 through 1.0.11 Description A stored cross-site scripting issue exists in asset fields, specifically name, description, modelNumber, serialNumber, and tags. These fields are stored without server-side sanitization and...

Cross-site Scripting (XSS)

FileBrowser Quantum is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper escaping of user-controlled share metadata fields when rendered in HTML using text/template, which allows an attacker to inject and execute malicious scripts when users visit a shared URL...

CVE-2026-45303

Open WebUI vulnerability CVE-2026-45303: Stored XSS via the HTML rendering view affects Open WebUI prior to 0.6.5. The frontend renders chat HTML inside an iframe with sandbox=

CVE-2026-45303 Open WebUI: Stored XSS via the HTML renedering view

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...

CVE-2026-45303 Open WebUI: Stored XSS via the HTML renedering view

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...

EUVD-2026-30654

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the Display template option of the Set field type, where user-supplied input is processed by the $interpolate function and rendered via Vue's v-html directive without proper sanitization. An attacker can...

EUVD-2026-30556

Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function and rendered via Vue's v-html directive witho...

Open WebUI 跨站脚本漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI that is open source. Versions of Open WebUI prior to 0.9.3 had a cross-site scripting vulnerability. This vulnerability stemmed from the XLSX.utils.sheettohtml function, which was rendered using @html excelHtml without...

Open WebUI 跨站脚本漏洞

Open WebUI is an open-source, scalable, feature-rich, and user-friendly self-hosted WebUI. Versions of Open WebUI prior to 0.6.5 had a cross-site scripting vulnerability. This vulnerability stemmed from HTML rendering views that allowed script injection and execution, potentially leading to...

PT-2026-41392

Impact Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. Patches...

Open WebUI has stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify)

Related advisory This advisory tracks a regression of the original Excel-preview XSS that was publicly disclosed and patched under GHSA-jwf8-pv5p-vhmc patched in v0.8.0. The same root cause — XLSX.utils.sheettohtml output rendered via @html excelHtml without DOMPurify — was reintroduced sometime...

GHSA-HCWP-82G6-8WXC Open WebUI has stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify)

Related advisory This advisory tracks a regression of the original Excel-preview XSS that was publicly disclosed and patched under GHSA-jwf8-pv5p-vhmc patched in v0.8.0. The same root cause — XLSX.utils.sheettohtml output rendered via @html excelHtml without DOMPurify — was reintroduced sometime...

Cross-site Scripting (XSS)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering of user-uploaded Office files as HTML using the Svelte @html directive without proper sanitization. An attacker can execute arbitrary JavaScript in the context of oth...

Cross-site Scripting (XSS)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting XSS via the HTML rendering view. An attacker can execute arbitrary HTML or JavaScript in the user's context by injecting malicious scripts into embedded file in the chat that later shared...

GHSA-4VRC-M9CH-6M3R Open WebUI has stored XSS via the HTML renedering view

Summary Through the HTML rendering view, scripts can be injected and executed. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Op...

Open WebUI has stored XSS via the HTML renedering view

Summary Through the HTML rendering view, scripts can be injected and executed. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Op...

CVE-2026-42159

CVE-2026-42159 affects Flowsint, an open-source OSINT graph exploration tool. A remote attacker can create a node whose description contains arbitrary HTML; when selected, the node renders that HTML and may trigger stored XSS. The issue resides in sketches and their nodes/relationships where desc...

CVE-2026-45228

Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders pushconfig key names using Vue.js's v-html directive without escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names through the...