Skip to content

Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order

High severity GitHub Reviewed Published May 11, 2026 in open-webui/open-webui • Updated May 15, 2026

Package

npm open-webui (npm)

Affected versions

<= 0.7.2

Patched versions

0.8.0

Description

Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Banner component due to an improper sanitization order (specifically, DOMPurify is executed before the marked library).

This vulnerability allows a compromised or malicious administrator to plant a malicious payload in the global banner. Crucially, this vector enables Privilege Escalation, as the malicious banner is rendered for all users, including the Super Admin (Primary Admin).

Consequently, the payload successfully bypasses the existing security mechanism. An attacker can leverage this to steal the Super Admin's session token

Details

Root Cause: The code attempts to sanitize the input using DOMPurify.sanitize() before parsing it with marked.parse().

DOMPurify cleans the raw input. Since Link is valid text (not HTML), it passes through DOMPurify unchanged.
marked handles the text and converts it into a clickable HTML link: Link.
This resulting unsafe HTML is rendered directly via {@html ...} without further checks.

src/lib/components/common/Banner.svelte (Line 103)

{@html marked.parse(DOMPurify.sanitize((banner?.content ?? '').replace(/\n/g, '<br>')))}

POC

  1. Attacker Action: Log in as a compromised Admin account and navigate to Settings > Interface > UI > Banners.
  2. Injection: Add a new banner and enter the following payload in the content field. This payload creates a link that alerts the user's session token when clicked. 
    [Click for Security Update](javascript:alert(localStorage.token))
  3. Execution: Click Save. The malicious banner is now stored and active.
  4. Victim Action (Privilege Escalation): The Primary Admin logs in and sees the banner on the main dashboard. Believing it to be a system notification, they click the link.
    Victim Dashboard View:

image

  1. Result: The JavaScript executes immediately within the Primary Admin's session, exposing their full-access token.

Impact

Extend permissions and damage to the entire system. You need administrator privileges to create banners, but this vulnerability is important because it can attack primary administrators and other administrators.

Destination: Other Administrators /Primary Administrators.
Attack Vector: Corrupting all administrator accounts (even those with limited scope if future granular privileges exist or simply credentials are compromised) could allow an attacker to set traps for the default administrator.
The result: Unlike self-XSS or simple administrator configuration changes, this allows you to capture active sessions for the most privileged users and bypass authentication controls such as MFA (because the session is already active).

Recommended Patch

Modify src/lib/components/common/Banner.svelte (Line 103):

{@html DOMPurify.sanitize(marked.parse((banner?.content ?? '').replace(/\n/g, '<br>')))}

Resolution

Fixed in v0.8.0. src/lib/components/common/Banner.svelte:103 now applies the sanitization in the correct order: DOMPurify.sanitize(marked.parse(...)). marked.parse runs first and converts [text](javascript:...) markdown into the corresponding HTML link element; DOMPurify.sanitize then strips the javascript: URL and any other dangerous attributes/elements before the result reaches {@html ...}.

Users on >= 0.8.0 are not affected.

References

@doge-woof doge-woof published to open-webui/open-webui May 11, 2026
Published to the GitHub Advisory Database May 14, 2026
Reviewed May 14, 2026
Last updated May 15, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

EPSS score

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.

CVE ID

CVE-2026-45665

GHSA ID

GHSA-cqp4-qqvg-3787

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.