Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an iFrame with the allow-scripts allow-forms allow-same-origin sandbox directive. This means that the content is placed in a sandbox but with permission to execute scripts and access the parent’s data (e.g., local storage). As a result, only a few functions are restricted (e.g., displaying an alert box), but in effect, the sandbox attribute is largely nullified. This vulnerability is fixed in 0.6.5.
Published: 2026-05-15
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
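The sandbox combination the description refers to, shown as an added example that is not Open WebUI's own code: a check that flags the `allow-scripts allow-same-origin` pairing as ineffective, and a hardened attribute for rendering untrusted chat HTML in a `srcdoc` iframe. The function names and the sample attribute value are constructed for illustration.

```javascript
// Added example, not Open WebUI's code: audit an iframe sandbox token list
// and derive a hardened one for rendering untrusted chat HTML.

// allow-scripts together with allow-same-origin lets framed content run
// script in the embedder's origin (localStorage, cookies, window.parent DOM),
// which is the combination that nullified the sandbox in this advisory.
const ORIGIN_BREAKING_PAIR = ["allow-scripts", "allow-same-origin"];

// Split a sandbox attribute value into its lowercase tokens.
function parseSandbox(attr) {
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// True when the frame still gets an opaque origin or cannot run script,
// i.e. the two tokens are not both present. An empty value (sandbox="")
// is the strictest setting and counts as effective.
function isSandboxEffective(attr) {
  const tokens = parseSandbox(attr);
  return !ORIGIN_BREAKING_PAIR.every((t) => tokens.has(t));
}

// Hardened attribute: keep script execution if the preview needs it, but
// drop allow-same-origin so the frame runs in an opaque origin where
// localStorage access throws a SecurityError; drop allow-forms unless asked.
function hardenSandbox(attr, { allowForms = false } = {}) {
  const tokens = parseSandbox(attr);
  tokens.delete("allow-same-origin");
  if (!allowForms) tokens.delete("allow-forms");
  return [...tokens].sort().join(" ");
}

// Build the preview iframe with srcdoc, so the untrusted HTML is never
// served from a same-origin URL. Returns null outside a browser.
function buildPreviewFrame(untrustedHtml, sandboxAttr) {
  if (typeof document === "undefined") return null;
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", sandboxAttr);
  frame.srcdoc = untrustedHtml;
  return frame;
}

// Constructed sample: the directive from the advisory and its hardened form.
const WEAK_SANDBOX = "allow-scripts allow-forms allow-same-origin";
const HARDENED_SANDBOX = hardenSandbox(WEAK_SANDBOX); // "allow-scripts"
```

Hardening the attribute confines injected script to an opaque origin rather than preventing it from running, so sanitizing the stored HTML (the CWE-79 remediation the page lists) remains the primary fix.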
AI Analysis

Impact

The defect permits arbitrary script injection into the HTML rendering view of Open WebUI. The system stores the malicious HTML in a chat's content and later renders it inside an iframe whose sandbox directive includes allow-scripts, allow-forms, and allow-same-origin, effectively granting the injected code execution and parent-context access. This stored XSS can exfiltrate information stored in the parent page's local storage, modify DOM content, or execute other malicious actions, representing a significant confidentiality and integrity risk.

Affected Systems

Open WebUI (open-webui:open-webui) versions preceding 0.6.5 are vulnerable. The issue was addressed in release 0.6.5 and later.

Risk and Exploitability

The CVSS score of 7.7 classifies this as a high-severity flaw. With no EPSS data available and no listing in CISA's KEV catalog, exploitation likelihood is undetermined, but the vulnerability can be leveraged by any entity that can cause malicious content to be stored within a chat. The exploit path involves injecting a payload into a chat, storing it, and then triggering the rendering view to execute the payload with elevated privileges owing to the sandbox's allow-scripts flag. Once executed, the attacker can manipulate the parent context, including reading local storage data, thereby compromising the application's integrity and potentially its users' sensitive data.

Generated by OpenCVE AI on May 15, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open WebUI to version 0.6.5 or later to apply the vendor's patch.
  • Temporarily disable the HTML rendering view or remove the allow-scripts, allow-forms, and allow-same-origin directives from the iframe until a patch is applied.
  • Sanitize and escape all user-supplied HTML content before storage to prevent script injection, in line with CWE-79 countermeasures.



Advisories
Source: GitHub GHSA
ID: GHSA-4vrc-m9ch-6m3r
Title: Open WebUI has stored XSS via the HTML rendering view
History

Fri, 15 May 2026 22:45:00 +0000

Type: First Time appeared
Values Added: Open-webui; Open-webui open-webui

Type: Vendors & Products
Values Added: Open-webui; Open-webui open-webui

Fri, 15 May 2026 21:30:00 +0000

Type: Description
Values Added: the description text shown in the Description section above

Type: Title
Values Added: Open WebUI: Stored XSS via the HTML rendering view

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T21:21:43.000Z

Reserved: 2026-05-11T20:14:43.202Z

Link: CVE-2026-45303

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-15T22:16:53.977

Modified: 2026-05-15T22:16:53.977

Link: CVE-2026-45303

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T22:30:06Z

Weaknesses