HIGH SeverityCVSS 3.17.3CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CVE-2026-44721

Last updated May 15, 2026 · Published May 15, 2026

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a stored cross-site scripting (XSS) vulnerability that allows any authenticated user with model creation permission (workspace.models) to execute arbitrary JavaScript in the browser of any other user (including admins) who views the malicious model in the chat UI. This vulnerability is fixed in 0.9.0.

Affected products

1 listed

open-webui:open-webui

Mappings

CWE

CWE-79

CAPEC

None listed.

Research

Cross-Site Scripting (XSS)Covers reflected, stored, and DOM based XSS risks and why they remain high impact. Provides prevention…

Training

XSS in React, Vue and Server ComponentsCross-site scripting in modern component frameworks and how to prevent it.

CVE-2026-44721

Description

Affected products

Mappings

Related