PT-2026-41198 · Unknown · Open-Webui

Published

2026-03-11

·

Updated

2026-05-16

·

CVE-2026-45665

CVSS v2.0

8.5

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions

Open WebUI versions prior to 0.8.0

Description

A Stored Cross-Site Scripting (XSS) issue exists in the Banner component due to an improper sanitization order: DOMPurify.sanitize() is executed before marked.parse(), so HTML produced by the Markdown renderer is never sanitized. This allows a malicious administrator to plant a payload in the global banner that bypasses the sanitizer. Because the banner is rendered for all users, including the Super Admin, this can lead to privilege escalation by stealing the Super Admin's session token. The flaw is located in the src/lib/components/common/Banner.svelte file.

Recommendations

Update to version 0.8.0. As a temporary workaround, restrict administrator access to the Banner settings in the interface to minimize the risk of payload injection.
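The following is an added illustration of the ordering problem the description names; it is not Open WebUI's code. The two helpers are deliberately tiny stand-ins for marked.parse() and DOMPurify.sanitize() (an assumption made so the file runs without a DOM or npm packages), and the banner text is a constructed sample. The point it shows is that a sanitizer that only understands HTML has nothing to remove from raw Markdown, so sanitizing before rendering leaves whatever the renderer produces unchecked, while rendering first and sanitizing the resulting HTML catches it.

```javascript
// Added example (not Open WebUI's code): why sanitize-then-render
// is unsafe and render-then-sanitize is the correct order.

// Assumed stand-in for marked.parse(): turns a Markdown link into an
// anchor element and leaves everything else untouched.
function toyMarkdownToHtml(md) {
  return md.replace(/\[([^\]]*)\]\(([^)\s]*)\)/g, '<a href="$2">$1</a>');
}

// Assumed stand-in for DOMPurify.sanitize(): drops <script> elements,
// on* event handler attributes and javascript: hrefs. It only knows
// HTML, so Markdown syntax passes through it unchanged.
function toySanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/\shref\s*=\s*("|')\s*javascript:[^"']*\1/gi, ' href="#"');
}

// Vulnerable order (as described for the Banner component):
// sanitize the raw Markdown, then render it to HTML.
function renderBannerVulnerable(markdown) {
  return toyMarkdownToHtml(toySanitize(markdown));
}

// Fixed order: render Markdown to HTML first, then sanitize that HTML.
function renderBannerFixed(markdown) {
  return toySanitize(toyMarkdownToHtml(markdown));
}

// Constructed sample banner text. It contains no HTML tags or attributes,
// so a sanitizer run on the raw text has nothing to strip; the javascript:
// href only comes into existence once the Markdown link is rendered.
const SAMPLE_BANNER = 'Maintenance tonight: [details](javascript:document.title)';

// Returns both renderings so the difference can be checked directly.
function demo() {
  return {
    vulnerable: renderBannerVulnerable(SAMPLE_BANNER),
    fixed: renderBannerFixed(SAMPLE_BANNER),
  };
}

// Defender-side check: a rendered banner should never carry a javascript:
// URL or an inline event handler regardless of which order produced it.
function looksSanitized(html) {
  return !/javascript:/i.test(html) && !/\son\w+\s*=/i.test(html);
}

console.log(demo());
```

In the vulnerable order the output still contains the javascript: href, because the sanitizer ran before the link existed; in the fixed order the same input yields a neutralised href. With the real libraries the safe form is to pass the output of marked.parse() into DOMPurify.sanitize(), never the reverse.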

Exploit

Fix

LPE

XSS

Weakness Enumeration

Related Identifiers

BDU:2026-07140
CVE-2026-45665
GHSA-CQP4-QQVG-3787

Affected Products

Open-Webui