CVE-2026-45318 Open WebUI: Stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify)

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, his advisory tracks a regression of the original Excel-preview XSS CVE-2026-44549. The same root cause — XLSX.utils.sheettohtml output rendered via @html excelHtml without DOMPurify ...

PT-2026-41171

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.3 Description Open WebUI renders user-uploaded Office files, such as Excel and DOCX, as HTML using the @html directive without applying DOMPurify sanitization. This lack of sanitization allows for Stored...