GHSA-JWF8-PV5P-VHMC Open WebUI has stored XSS in Excel file preview
Summary Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheettohtml to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html causing the payload to trigger. Details The...