Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image — CVE-2026-45314
GitHub · GitHub · CVE-2026-45314
ID
CVE-2026-45314
CVE-2026-45314
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
7.4
7.4
EPSS
0.00047
0.00047
Summary
As part of our research on improving our [AI pentest](https://www.aikido.dev/attack/aipentest), we have uncovered the following issue in Open WebUI. We've manually verified and tided up the report, but you can also find the original agent finding at the bottom of this report. ### Summary The channel webhook create/update flow accepts arbitrary `profile_image_url` values, including `data:image/svg+xml;base64,...`…
Product
pip: open-webui
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.