CVE-2026-45346

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.6.31

Description A Cross-Site Scripting issue exists in the SVG renderer implementation. This allows the permanent storage of HTML or JavaScript code within the application, which is then executed in the context of the application domain. An attacker can use this to extract sensitive data, manipulate the DOM tree, or perform complex client-side attacks, potentially leading to account takeover if a malicious thread is shared with other users or administrators.

Recommendations Update to version 0.6.31.