CVE-2026-45303: Open WebUI has stored XSS via the HTML renedering view

May 14, 2026 (updated May 19, 2026)

Through the HTML rendering view, scripts can be injected and executed. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open WebUI 0.5.4.

References

github.com/advisories/GHSA-4vrc-m9ch-6m3r
github.com/open-webui/open-webui/security/advisories/GHSA-4vrc-m9ch-6m3r
nvd.nist.gov/vuln/detail/CVE-2026-45303

Code Behaviors & Features

Detect and mitigate CVE-2026-45303 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →