CVE-2026-44568: Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order
An admin can inject arbitrary JavaScript into the Pending User Overlay Content that executes in the browser context of any pending user who views the overlay page. This could be used to:
- Session hijacking: Steal pending users’ JWT tokens from cookies/localStorage
- Credential theft: Replace the pending overlay with a fake login form
- Phishing: Redirect pending users to malicious sites
While this requires admin privileges to set the overlay content, it enables an admin to attack pending users (who have not yet been granted full access). In multi-admin deployments, a compromised admin account could use this to escalate attacks.