Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.31, there is a Cross-Site Scripting vulnerability in Open WebUI SVG renderer implementation. This vulnerability is fixed in 0.6.31.
Published: 2026-05-15
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open WebUI contains a flaw in its SVG rendering engine that allows a malicious SVG file to be stored and later displayed to users. When an SVG containing embedded script is rendered, the script runs in the victim’s browser context. This can enable an attacker to execute arbitrary client‑side code against users who view the SVG. The weakness arises from a lack of proper input validation and output encoding, as identified by CWE‑80.

Affected Systems

All instances of the open‑webui application with a version earlier than 0.6.31. Administrators should confirm the installed version if the vulnerability may be present.

Risk and Exploitability

The CVSS score of 5.1 denotes medium severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to supply a malicious SVG, potentially via an upload or other input mechanism. Once the malicious SVG is rendered, the injected script executes within the context of legitimate users who view it, making the issue exploitable in shared or public deployments. Based on the available information, the risk is moderate, and timely remediation is advisable.

Generated by OpenCVE AI on May 15, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open WebUI to version 0.6.31 or newer to apply the fix to the SVG renderer.
  • If an upgrade cannot be performed immediately, temporarily prevent the upload or rendering of SVG files until the update is available.
  • For an additional temporary layer of protection, consider deploying a content‑security‑policy that restricts script execution on the application pages.

Generated by OpenCVE AI on May 15, 2026 at 22:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r29h-37fj-x2w6 Open WebUI Has Stored Cross-Site Scripting in SVG Renderer
History

Fri, 15 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Open-webui
Open-webui open-webui
Vendors & Products Open-webui
Open-webui open-webui

Fri, 15 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.31, there is a Cross-Site Scripting vulnerability in Open WebUI SVG renderer implementation. This vulnerability is fixed in 0.6.31.
Title Open WebUI: Stored Cross-Site Scripting in SVG Renderer
Weaknesses CWE-80
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Open-webui Open-webui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T21:15:08.055Z

Reserved: 2026-05-11T21:40:08.177Z

Link: CVE-2026-45346

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-15T22:16:55.063

Modified: 2026-05-15T22:16:55.063

Link: CVE-2026-45346

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T23:00:14Z

Weaknesses