CVE-2026-26192 Open WebUI vulnerable to Stored XSS via iFrame in citations model

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, aanually modifying chat history allows setting the html property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML...