Open WebUI has Stored Cross-Site Scripting In Profile Picture — CVE-2026-45299
GitHub · GitHub · CVE-2026-45299
ID
CVE-2026-45299
CVE-2026-45299
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
5.4
5.4
EPSS
0.00029
0.00029
Summary
## Summary The `profile_image_url` field on the user profile update form accepted arbitrary `data:` URI values without MIME-type validation. Two distinct attack paths were independently demonstrated by separate reporters: 1. **`data:text/html;base64,...` in a new browser tab** (raresvis, 2025-04-17) — when a victim right-clicks a user's profile picture and chooses "Open image in new tab", the browser navigates to…
Product
pip: open-webui
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.