CVE-2026-44568 Open WebUI: Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order. An admi...