CVE-2026-54011: Open WebUI: Stored XSS in Mermaid Markdown Preview

June 17, 2026

Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML.

Because Mermaid is configured with securityLevel: 'loose', attacker-controlled Mermaid content can be rendered unsafely in this flow. A working payload was validated through the Markdown preview path, resulting in JavaScript execution in the victim’s browser under the application origin.

This is a confirmed stored XSS vulnerability reachable through normal product functionality.

References

github.com/advisories/GHSA-v8qj-hxv7-mgvv
github.com/open-webui/open-webui/security/advisories/GHSA-v8qj-hxv7-mgvv
nvd.nist.gov/vuln/detail/CVE-2026-54011

Code Behaviors & Features

Detect and mitigate CVE-2026-54011 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →