Sveltia CMS: Stored XSS in entry summary rendering via entity-decoded HTML

Impact A stored cross-site scripting XSS vulnerability affected entry summary rendering in Sveltia CMS. Entry summaries that allowed limited Markdown were parsed, sanitized, and then HTML entities were decoded. This order allowed specially crafted entity-encoded HTML, such as encoded tags or even...

CVE-2026-45665 Open WebUI: Stored XSS in Banner Component via Improper Sanitization Order

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, a Stored Cross-Site Scripting XSS vulnerability exists in the Banner component due to an improper sanitization order specifically, DOMPurify is executed before the marked library. Th...

CVE-2026-45665

Open WebUI contains a Stored XSS in the Banner component due to incorrect sanitization order (DOMPurify before marked.parse). The vulnerability allows a compromised administrator to store a payload in the global banner that is rendered for all users, including the Super Admin, enabling privilege ...

CVE-2026-45665 Open WebUI: Stored XSS in Banner Component via Improper Sanitization Order

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, a Stored Cross-Site Scripting XSS vulnerability exists in the Banner component due to an improper sanitization order specifically, DOMPurify is executed before the marked library. Th...

GHSA-CQP4-QQVG-3787 Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order

Summary A Stored Cross-Site Scripting XSS vulnerability exists in the Banner component due to an improper sanitization order specifically, DOMPurify is executed before the marked library. This vulnerability allows a compromised or malicious administrator to plant a malicious payload in the global...

Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order

Summary A Stored Cross-Site Scripting XSS vulnerability exists in the Banner component due to an improper sanitization order specifically, DOMPurify is executed before the marked library. This vulnerability allows a compromised or malicious administrator to plant a malicious payload in the global...

NPM: Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order

NPM: Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order vulnerability discovered by ? in WordPress Npm open-webui versions = 0.7.2...

CVE-2026-41932 Vvveb < 1.0.8.3 Stored XSS via Signup Controller

Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser controller copies raw POST username values into the displayname field before sanitization occurs. Attackers can submit HTML and script markup in the username field durin...

EUVD-2026-30296

Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser controller copies raw POST username values into the displayname field before sanitization occurs. Attackers can submit HTML and script markup in the username field durin...

CVE-2026-41932

CVE-2026-41932 affects Vvveb prior to 1.0.8.3. The Signup::addUser() controller copies raw POST username values into the display_name field before sanitization, so HTML/script submitted in the username during signup is stripped in the username column but stored verbatim in display_name. When disp...

PT-2026-41198

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.8.0 Description A Stored Cross-Site Scripting XSS issue exists in the Banner component due to an improper sanitization order where DOMPurify.sanitize is executed before marked.parse. This allows a malicious...

CVE-2026-33683

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xssesc function...

EUVD-2026-14494

AVideo vulnerable to Stored XSS via htmlentitydecode Reversing xssesc Sanitization in Channel About Field...

CVE-2026-33683 AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xssesc function...

CVE-2026-33683

WWBN AVideo (open source video platform) versions up to and including 26.0 are affected by a sanitization order-of-operations flaw in the user profile “about” field. The vulnerability enables any registered user to inject arbitrary JavaScript that runs when other users visit the attacker’s channe...

CVE-2026-33683 AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xssesc function...