Impact
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML. Because Mermaid is configured with a securityLevel: 'loose', attacker‑controlled Mermaid content can be rendered unsafely in this flow. A working payload was validated through the Markdown preview path, resulting in JavaScript execution in the victim’s browser under the application origin. This vulnerability is fixed in 0.9.6.
Affected Systems
The vulnerability affects the open‑webui:open‑webui product, specifically all releases earlier than 0.9.6. Users running any prior version of Open WebUI should be aware that the Mermaid Markdown preview component can execute arbitrary JavaScript supplied by a file owner or editor.
Risk and Exploitability
The flaw carries a CVSS score of 8.7, indicating high severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, but the exploitation path is straightforward: an attacker must supply a Markdown file containing crafted Mermaid content and then trigger its preview. Because the script runs under the application origin, it executes in the session of whichever user views the preview, which makes the risk significant for shared or public deployments. The lack of server‑side sanitization and the use of innerHTML make the vulnerability highly exploitable for attackers with access to upload or edit files.
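The hardened rendering path that the fix implies (strict Mermaid security level, sanitized SVG, no raw innerHTML), as an added example that is not Open WebUI's own code; `mermaid` and `DOMPurify` are assumed to be the upstream libraries and are passed in by the caller so the audit helper can run without a browser.

```javascript
// Added example (not Open WebUI code): hardened Mermaid preview plus an audit
// of the rendered SVG. `mermaid` and `DOMPurify` are assumed library objects
// injected by the caller so `auditSvg` can be exercised without a browser.

// Pre-0.9.6 pattern described in the advisory (do not use):
//   mermaid.initialize({ securityLevel: 'loose' });
//   panel.innerHTML = svg;

// Fix 1: 'strict' (Mermaid's default) keeps HTML labels and click bindings
// out of the generated SVG; 'loose' allows them.
const SAFE_MERMAID_CONFIG = { startOnLoad: false, securityLevel: 'strict' };

// Constructs that must not survive in inert preview markup.
const SVG_RISK_PATTERNS = [
  { name: 'script element', re: /<\s*script\b/i },
  { name: 'event handler attribute', re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URL', re: /(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { name: 'foreignObject element', re: /<\s*foreignObject\b/i },
];

// Returns the names of risky constructs found in an SVG string. Use it as a
// defence-in-depth gate after sanitization and in unit tests of the renderer.
function auditSvg(svg) {
  return SVG_RISK_PATTERNS.filter((p) => p.re.test(svg)).map((p) => p.name);
}

// Fix 2: sanitize the SVG, re-check it, and insert it without raw innerHTML.
async function renderMermaidPreview(mermaid, DOMPurify, container, source, id) {
  mermaid.initialize(SAFE_MERMAID_CONFIG);
  const { svg } = await mermaid.render(id, source);
  const clean = DOMPurify.sanitize(svg, {
    USE_PROFILES: { svg: true, svgFilters: true },
    FORBID_TAGS: ['script', 'foreignObject'],
  });
  const findings = auditSvg(clean);
  if (findings.length > 0) {
    throw new Error(`refusing to render Mermaid preview: ${findings.join(', ')}`);
  }
  container.replaceChildren();
  container.insertAdjacentHTML('beforeend', clean);
  return clean;
}

// Constructed samples: a benign diagram node, and markup carrying an event
// handler and a script element, the kind of output 'loose' + innerHTML lets through.
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><g class="node"><text>A</text></g></svg>';
const RISKY_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="run()"><script>run()</script></svg>';
```

In the application, `auditSvg` is a backstop; DOMPurify does the actual stripping, and the audit exists so a regression in the sanitizer configuration fails loudly instead of reaching the DOM.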
OpenCVE Enrichment
Github GHSA