10 matches found
CVE-2026-44568
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order. An admi...
CVE-2026-44568
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order. An admi...
CVE-2026-44568
Summary: Open WebUI before v0.9.0 has a Stored XSS in the Pending User Overlay content. The vulnerability stems from rendering the admin-configured Pending User Overlay Content via marked.parse() inside {@html} with DOMPurify applied before markdown parsing, allowing an admin to inject JavaScript...
CVE-2026-44568
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order. An admi...
CVE-2026-44568 Open WebUI: Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order. An admi...
CVE-2026-44568 Open WebUI: Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order. An admi...
Cross-site Scripting (XSS)
Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering process of the pending user overlay content due to improper sanitization order. An attacker can execute arbitrary JavaScript in the browser context of affected users ...
Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order
Vulnerability Details CWE-79: Cross-site Scripting XSS The AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order: Vulnerable Code...
GHSA-FQ3V-XJJX-95RC Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order
Vulnerability Details CWE-79: Cross-site Scripting XSS The AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order: Vulnerable Code...
PT-2026-39284
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description The AccountPending.svelte component renders admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order. DOMPurify is applied to t...