CVE-2026-45303 Open WebUI: Stored XSS via the HTML renedering view

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...

CVE-2026-45303 Open WebUI: Stored XSS via the HTML renedering view

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...

CVE-2026-8563

Insufficient policy enforcement in IFrame Sandbox in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Medium...

CVE-2026-8563

Insufficient policy enforcement in IFrame Sandbox in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Medium...

GHSA-4VRC-M9CH-6M3R Open WebUI has stored XSS via the HTML renedering view

Summary Through the HTML rendering view, scripts can be injected and executed. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Op...

Open WebUI has stored XSS via the HTML renedering view

Summary Through the HTML rendering view, scripts can be injected and executed. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Op...

CVE-2026-8563

CVE-2026-8563 affects Google Chrome on Windows, with an insufficient policy enforcement flaw in the IFrame Sandbox of Chromium that could allow a remote attacker to bypass navigation restrictions via a crafted HTML page. Affected component: IFrame Sandbox; root cause: policy enforcement insuffici...

CVE-2026-8563

Insufficient policy enforcement in IFrame Sandbox in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Medium...

EUVD-2026-30380

Insufficient policy enforcement in IFrame Sandbox in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Medium...

CVE-2026-8563

Insufficient policy enforcement in IFrame Sandbox in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Medium...

CVE-2026-8563

Insufficient policy enforcement in IFrame Sandbox in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Medium...

CVE-2026-8563

Insufficient policy enforcement in IFrame Sandbox in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Medium...

PT-2026-41092

Name of the Vulnerable Software and Affected Versions Google Chrome on Windows versions prior to 148.0.7778.168 Description Insufficient policy enforcement in the IFrame Sandbox allows a remote attacker to bypass navigation restrictions by using a crafted HTML page. Recommendations Update Google...

PT-2026-41164

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.6.5 Description Scripts can be injected and executed through the HTML rendering view. The frontend includes a function to visualize HTML content of a chat by embedding it in an iFrame. However, the use of the...

Debian dla-4581 : libnghttp2-14 - security update

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4581 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4581-1 [email protected] https://www.debian.org/lts/security/...

Google Chrome 安全漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 148.0.7778.168 contained a security vulnerability. This vulnerability stemmed from insufficient policy execution in the IFrame Sandbox component, which could allow remote attackers to bypass navigation...

CVE-2026-43878

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a block. An attacker who sends a victim to a crafted URL can bre...

EUVD-2026-29272

The issue was addressed with improved UI handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings...

CVE-2026-28971

The issue was addressed with improved UI handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings...

CVE-2026-43878 WWBN AVideo: Reflected XSS in plugin/Meet/iframe.php via Unescaped `user`/`pass` Parameters Reflected into JavaScript String Literal

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a block. An attacker who sends a victim to a crafted URL can bre...