GHSA-r29h-37fj-x2w6: Open WebUI Has Stored Cross-Site Scripting in SVG Renderer
Summary
Open WebUI has a stored cross-site scripting (XSS) vulnerability in its SVG renderer: an attacker can persistently save malicious HTML and JavaScript that runs in the browser of other users when they view it. By adding a payload such as `<img src=a onerror=alert(document.domain)>`, an attacker can get the SVG editor to execute arbitrary code. When the compromised conversation is shared, this could be used to steal sensitive data or take over user accounts.
Vulnerability Details
EPSS: 0.0%
May 14, 2026
Original source: https://github.com/advisories/GHSA-r29h-37fj-x2w6
First tracked: May 14, 2026 at 08:00 PM