CVE-2026-44549

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.8.0

Description Excel file attachments are previewed unsafely. A crafted XLSX file can cause the sheet to html() function to embed a Cross-Site Scripting (XSS) payload into the generated HTML. This content is then added to the Document Object Model (DOM) without sanitization via @html, allowing the payload to execute. The issue stems from a lack of input validation or sanitization for the HTML generated during the conversion of XLSX documents for preview, specifically involving the excelHtml variable.

Recommendations Update to version 0.8.0.