PT-2026-41171 · Unknown · Open-Webui

Published 2026-05-09 · Updated 2026-05-16 · CVE-2026-45318

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.3

Description: Open WebUI renders user-uploaded Office files, such as Excel and DOCX, as HTML using the {@html} directive without applying DOMPurify sanitization. Because the generated markup is not sanitized, the flaw is a Stored Cross-Site Scripting (XSS): a malicious document uploaded to the platform can execute arbitrary scripts in the browser of any user who previews the file. This can lead to session hijacking, account takeover, and exfiltration of chat histories or API keys.

The issue occurs in three specific rendering paths:
  • The fileOfficeHtml variable in the 'FilePreview.svelte' component.
  • The excelHtml variable in the 'FileItemModal.svelte' component, specifically the output of the XLSX.utils.sheet_to_html() function.
  • The docxHtml variable in the 'FileItemModal.svelte' component.

Recommendations: Update to version 0.9.3. As a temporary workaround, restrict the upload and preview of Office files (Excel, DOCX, PPT) until the update is applied.
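The following is an added example and is not Open WebUI's own code. The fix described above passes the generated markup through DOMPurify (DOMPurify.sanitize(html)) before it reaches {@html}; since DOMPurify needs a DOM, this stand-alone Node script instead shows the complementary defence: building the preview table from the parsed cell values yourself, HTML-escaping every value, so nothing taken from the document can reach {@html} as live markup. The row array and the cell contents are constructed sample input; foreignTags is a test helper for checking the renderer's own output, not a sanitizer for untrusted HTML.

```javascript
// Added example (not Open WebUI code): keeping Office-document content out of
// Svelte's {@html} directive as live HTML. Assumes the spreadsheet has already
// been parsed into an array of rows of cell strings (constructed sample below).

// Escape the five characters that let text break out of an HTML text node or
// a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build the preview table from parsed cell values. Every cell goes through
// escapeHtml, so markup inside a cell is displayed as text, never executed.
// The result is safe to hand to {@html} because the only tags in it are ours.
function cellsToHtmlTable(rows) {
  const body = rows
    .map(row => '<tr>' + row.map(cell => `<td>${escapeHtml(cell)}</td>`).join('') + '</tr>')
    .join('');
  return `<table>${body}</table>`;
}

// Models the vulnerable path: markup generated from the file (for example the
// output of a sheet-to-HTML converter) is handed to {@html} unchanged.
function renderUnsafe(generatedHtml) {
  return generatedHtml;
}

// Test helper for our own renderer output: list every tag name that is not one
// of the table tags cellsToHtmlTable emits. Regex tag matching is adequate for
// checking markup we generated; it is not a sanitizer for untrusted input.
function foreignTags(html) {
  const allowed = new Set(['table', 'tr', 'td']);
  const found = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    if (!allowed.has(m[1].toLowerCase())) found.push(m[1]);
  }
  return found;
}

// Constructed sample sheet: the second cell of the second row carries markup.
const sampleRows = [
  ['Item', 'Note'],
  ['widget', '<script>alert("xss")</script>'],
];

// In the escaped rendering the script tag survives only as text.
const safeHtml = cellsToHtmlTable(sampleRows);
console.log(safeHtml);
console.log('foreign tags in escaped output:', foreignTags(safeHtml));

// In the pass-through rendering the same content is a live element.
const unsafeHtml = renderUnsafe('<table><tr><td><script>alert("xss")</script></td></tr></table>');
console.log('foreign tags in unsanitized output:', foreignTags(unsafeHtml));
```

Where the markup has to come from a converter whose output you do not control (the DOCX path, or XLSX.utils.sheet_to_html()), escaping at construction time is not available and a real HTML sanitizer such as DOMPurify is the right tool; the foreignTags check here is only a unit-test aid to confirm that the escaped renderer never emits anything but its own table tags.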

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: BDU:2026-07458, CVE-2026-45318, GHSA-HCWP-82G6-8WXC

Affected Products: Open-Webui