Description
A flaw has been found in wandb OpenUI up to 1.0. It affects the functions create_share and get_share in the file backend/openui/server.py of the HTMLAnnotator component. Manipulating the ID argument can lead to HTML injection. The attack may be performed remotely. An exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: HTML injection (Cross‑Site Scripting)
Action: Patch Immediately
AI Analysis

Impact

A flaw exists in wandb's OpenUI component, specifically within the create_share and get_share routines in backend/openui/server.py of the HTMLAnnotator module. By manipulating the value supplied for the ID parameter, an attacker can inject arbitrary HTML that is rendered by the user interface. Because the injection can include script elements, the vulnerability amounts to cross-site scripting, potentially allowing credential theft, defacement, or remote code execution from the victim's browser. The weakness is classified as CWE-79 and is also tagged CWE-94 (code injection). The description confirms that the attack can be performed remotely and that an exploit has already been published.

Affected Systems

The vulnerability affects all releases of wandb OpenUI up through version 1.0. The vendor has provided no mitigations, and the affected component is the OpenUI server module. Any deployment running a build up to version 1.0 is potentially exposed to this flaw.

Risk and Exploitability

The measured severity is in the medium range, with a CVSS 4.0 score of 5.3. A public exploit is already available, and the flaw can be triggered over the internet. The attack requires only a crafted request to the share endpoint; no local access or privilege escalation is needed. Because the endpoint is reachable from remote networks, the risk to deployed services is significant and exploitation is realistic.

Generated by OpenCVE AI on March 28, 2026 at 06:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update wandb OpenUI to the newest released version that removes the flaw.
  • If upgrading is not possible, block external access to the create_share and get_share URLs or place the service behind an internal firewall.
  • Disable the share functionality if it is not required for your deployment.
  • Enforce strict validation on the ID parameter and encode output to neutralize injected content until a patch is available.
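As an added illustration of the last two recommended actions (not code from OpenUI or OpenCVE), the following Python snippet shows a strict allow-list check on a share id followed by HTML-escaping of every request-controlled value before it is placed in the rendered page. The id pattern, the InvalidShareId exception and the render_share_page helper are assumptions for this example, not the project's API.

```python
import html
import re

# Constructed example, not OpenUI's own code. A share id should be an opaque
# token, so anything outside a short allow-listed alphabet is rejected outright
# instead of being reflected into the page. The pattern itself is an assumption.
SHARE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{8,64}$")


class InvalidShareId(ValueError):
    """Raised when a share id fails the allow-list check (hypothetical name)."""


def validate_share_id(share_id: str) -> str:
    """Return the id unchanged if it passes the allow-list, else raise."""
    if not isinstance(share_id, str) or not SHARE_ID_RE.fullmatch(share_id):
        raise InvalidShareId("share id must match ^[A-Za-z0-9_-]{8,64}$")
    return share_id


def is_valid_share_id(share_id: str) -> bool:
    """Boolean form of the same check, handy for request filtering."""
    try:
        validate_share_id(share_id)
    except InvalidShareId:
        return False
    return True


def render_share_page(share_id: str, title: str) -> str:
    """Build the share page with every request-controlled value escaped.

    html.escape(..., quote=True) turns <, >, &, " and ' into entities, so the
    values are inert both as text content and inside the data attribute."""
    safe_id = html.escape(validate_share_id(share_id), quote=True)
    safe_title = html.escape(title, quote=True)
    return (
        "<!doctype html><html><head><title>{t}</title></head>"
        '<body><div id="share" data-share-id="{i}"><h1>{t}</h1></div></body></html>'
    ).format(t=safe_title, i=safe_id)


if __name__ == "__main__":
    # Constructed sample input: a well-formed id and a title carrying markup.
    print(render_share_page("share_000123", "<b>report</b> & \"notes\""))
```

The allow-list rejects malformed ids before they reach any template, and escaping covers values that legitimately contain user text, so the two layers do not depend on each other.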

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description A flaw has been found in wandb OpenUI up to 1.0. This affects the function create_share/get_share of the file backend/openui/server.py of the component HTMLAnnotator Component. Executing a manipulation of the argument ID can lead to HTML injection. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title wandb OpenUI HTMLAnnotator server.py get_share HTML injection
Weaknesses CWE-79, CWE-94
References
Metrics
  cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-28T06:37:17.315Z

Reserved: 2026-03-27T13:47:48.202Z

Link: CVE-2026-4992

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T23:17:19.567

Modified: 2026-03-27T23:17:19.567

Link: CVE-2026-4992

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:29:30Z

Weaknesses