{"data":{"id":"c20a4c42-169b-43a2-bffb-0863a4bfd895","title":"GHSA-r29h-37fj-x2w6: Open WebUI Has Stored Cross-Site Scripting in SVG Renderer","summary":"Open WebUI has a stored cross-site scripting (XSS) vulnerability in its SVG renderer, meaning an attacker can permanently save malicious HTML and JavaScript code that runs in the browser of any other user who views it. An attacker can trick the SVG editor into executing arbitrary script by adding malicious payloads like `<img src=a onerror=alert(document.domain)>`, which could be used to steal sensitive data or take over user accounts when the compromised conversation is shared.","solution":"Upgrade open-webui to 0.6.31 or later, the fixed version listed for this advisory. No other mitigation is discussed in the source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-r29h-37fj-x2w6","publishedAt":"2026-05-14T20:21:51.000Z","cveId":"CVE-2026-45346","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":["open-webui@< 0.6.31 (fixed: 0.6.31)"],"affectedVendors":[],"affectedVendorsRaw":["Open WebUI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-14T20:21:51.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}