GHSA-R29H-37FJ-X2W6

Vulnerability from github – Published: 2026-05-14 20:21 – Updated: 2026-05-19 15:59
Summary
Open WebUI Has Stored Cross-Site Scripting in SVG Renderer
Details

Summary

There is a Cross-Site Scripting vulnerability in the Open WebUI SVG renderer implementation.

Details

It is possible to permanently save arbitrary HTML/JavaScript code in the application, which is then executed in the context of the application domain. This behaviour can be used to extract and steal sensitive data from the application, manipulate the DOM tree, or serve as a building block in more complex client-side attacks.

Detailed step-by-step instructions are provided below. Please keep me updated about the assigned CVE identifier. I'd like to be credited as: Jakub Żoczek [Securitum]

PoC

Steps to reproduce this vulnerability:

  1. Log in to Open WebUI.
  2. Start a new conversation / thread.
  3. Use the prompt: "Hey. Can you draw me a green circle using SVG ?"
  4. An SVG image should be generated.
  5. It is now possible to edit the generated code by clicking on it and appending additional markup. Add the payload <img src=a onerror=alert(document.domain)>
  6. The whole code should then look like this:
<svg width="100" height="100" xmlns="http://www.w3.org/2000/svg">
  <circle cx="50" cy="50" r="40" fill="green"/>
</svg><img src="a" onerror="alert(document.domain)">ok</img>

[Screenshot: AI XSS1]

  7. Click "Save": the new image is rendered and the injected code is executed (an alert pops up).

[Screenshot: AI XSS2]

Such a thread can then be shared with and sent to other users.

Impact

Cross-Site Scripting allows an attacker to execute malicious code in the context of the victim's browser. It can be used in client-side attacks that achieve different things depending on the attacker's goal. A thread with such a rendered SVG could be shared with another user (or an administrator) to obtain sensitive data or even take over their account.
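One defensive control for the store-and-render path described above, written here as an added example (it is not Open WebUI's code and not the fix shipped in 0.6.31, whose details this advisory does not give): parse the model output as strict XML, require a single SVG-namespace root, and keep only allowlisted elements and attributes. It assumes a server-side check in Python; the same allowlist logic applies client-side with DOMParser. The allowlists, the SvgRejected/sanitize_svg names and HANDLER_SAMPLE are this example's own choices; ADVISORY_PAYLOAD is the step-6 markup from the PoC.

```python
# Added example, not Open WebUI's code: allowlist sanitizer for model-generated SVG.
# Strict XML parse, a single SVG-namespace root, then known-safe elements/attributes only.
import xml.etree.ElementTree as ET  # prefer defusedxml in production (entity expansion)

SVG_NS = "http://www.w3.org/2000/svg"
# Enough for simple drawings; script, foreignObject, a, image, use, style, animate
# elements and href, style, on* attributes are absent and therefore dropped.
ALLOWED_ELEMENTS = {"svg", "g", "defs", "title", "desc", "circle", "ellipse", "rect",
                    "line", "polyline", "polygon", "path", "text", "tspan"}
ALLOWED_ATTRS = {"width", "height", "viewBox", "x", "y", "cx", "cy", "r", "rx", "ry", "x1",
                 "y1", "x2", "y2", "points", "d", "fill", "stroke", "stroke-width",
                 "opacity", "transform", "id", "font-size"}
# Inputs: the advisory's step-6 markup, and a constructed SVG with an inline handler.
ADVISORY_PAYLOAD = ('<svg width="100" height="100" xmlns="http://www.w3.org/2000/svg">\n'
                    '  <circle cx="50" cy="50" r="40" fill="green"/>\n'
                    '</svg><img src="a" onerror="alert(document.domain)">ok</img>')
HANDLER_SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
                  '<script>alert(1)</script><circle cx="5" cy="5" r="2"/></svg>')

class SvgRejected(ValueError):
    """Input cannot be represented as a single safe SVG document at all."""

def _clean(el, dropped):
    # Non-allowlisted attributes go: on* handlers, style, namespaced ones like xlink:href.
    for name in list(el.attrib):
        if name not in ALLOWED_ATTRS:
            dropped.append("@" + name)
            del el.attrib[name]
    for child in list(el):
        local = child.tag.rsplit("}", 1)[-1]
        # Children outside the SVG namespace (smuggled HTML) are removed as well.
        if not child.tag.startswith("{" + SVG_NS + "}") or local not in ALLOWED_ELEMENTS:
            dropped.append("<" + local + ">")
            el.remove(child)
        else:
            _clean(child, dropped)

def sanitize_svg(markup):
    """Return (clean_svg, dropped_items); raise SvgRejected for unsafe structure."""
    try:
        root = ET.fromstring(markup)
    except ET.ParseError as exc:
        # ADVISORY_PAYLOAD has two top-level elements: "junk after document element".
        raise SvgRejected("not well-formed XML: %s" % exc) from None
    if root.tag != "{" + SVG_NS + "}svg":
        raise SvgRejected("root is not an SVG-namespace <svg>")
    dropped = []
    _clean(root, dropped)
    ET.register_namespace("", SVG_NS)  # serialise with a default xmlns declaration
    return ET.tostring(root, encoding="unicode"), dropped
```

Rejecting rather than repairing malformed input is deliberate: the advisory's payload is only dangerous because an HTML parser tolerates it, and an XML parser does not.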


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45346"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:21:51Z",
    "nvd_published_at": "2026-05-15T22:16:55Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThere is a Cross-Site Scripting vulnerability in Open WebUI SVG renderer implementation. \n\n### Details\n\nIt is possible permanently save any HTML/JavaScript code in the application, which can be then executed in the context of the application domain. This behaviour can be used to extract and steal sensitive data from the application, manipulate DOM tree or being used in complex client-side attacks. \n\nDetailed step-by-step instruction provided below. Please keep me updated about assigned CVE identifier. I\u0027d like to be credited as: **Jakub \u017boczek [[Securitum](https://www.securitum.com/)]**\n\n### PoC\n\nSteps to reproduce:\n\nTo reproduce this vulnerability you need to:\n\n1. Login to Open WebUI \n2. Start new conversation / thread\n3. Use prompt: \"Hey. Can you draw me a green circle using SVG ?\"\n4. SVG image should be generated. \n5. Now it\u0027s possible to edit the code by simply clicking on it and adding additional code. Add payload `\u003cimg src=a onerror=alert(document.domain)\u003e`\n6. The whole code should look like this:\n\n```\n\u003csvg width=\"100\" height=\"100\" xmlns=\"http://www.w3.org/2000/svg\"\u003e\n  \u003ccircle cx=\"50\" cy=\"50\" r=\"40\" fill=\"green\"/\u003e\n\u003c/svg\u003e\u003cimg src=\"a\" onerror=\"alert(document.domain)\"\u003eok\u003c/img\u003e\n```\n\n\u003cimg width=\"1249\" alt=\"AI XSS1\" src=\"https://github.com/user-attachments/assets/75167880-79ac-4510-9743-f99bf81a215d\" /\u003e\n\n7. Now clicking \"Save\", the new image should get rendered, and malicious code - executed (by popping alert). \n\n\u003cimg width=\"527\" alt=\"AI XSS2\" src=\"https://github.com/user-attachments/assets/24d4e572-97f0-438f-993d-08e1d421b349\" /\u003e\n\nSuch thread could be then shared and sent to other users. \n\n### Impact\nCross-Site Scripting allows attacker to execute malicious code in context of victim\u0027s browser. This way it could be used in malicious client-side attack achieving different things, depends on attacker\u0027s goal. Such thread with rendered SVG could be shared to other user (or administrator) and gain sensitive data or even takeover someone\u0027s account.",
  "id": "GHSA-r29h-37fj-x2w6",
  "modified": "2026-05-19T15:59:41Z",
  "published": "2026-05-14T20:21:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-r29h-37fj-x2w6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45346"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Open WebUI Has Stored Cross-Site Scripting in SVG Renderer"
}

