PT-2026-50483 · Pypi · Open-Webui

Published 2026-06-17 · Updated 2026-06-17 · CVE-2026-54011

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Summary

Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML.
Because Mermaid is configured with securityLevel: 'loose', attacker-controlled Mermaid content can be rendered unsafely in this flow. A working payload was validated through the Markdown preview path, resulting in JavaScript execution in the victim’s browser under the application origin.
This is a confirmed stored XSS vulnerability reachable through normal product functionality.

Affected Version

  • main
  • Reproduced on v0.8.12

Affected Code

Mermaid is initialized in permissive mode:
https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/utils/index.ts#L1698

The file preview path renders Mermaid output and injects the returned SVG into the DOM:

Impact

A successful exploit allows JavaScript execution in the victim’s browser under the Open WebUI origin when a malicious Markdown file is opened in the preview panel.

PoC

A malicious .md file containing the following contents can be used to trigger the bug:

```mermaid
flowchart LR
 A[click me]
 click A href "javascript:alert(document.domain)" "x"
```

Steps to reproduce:

  1. Create a new chat.
  2. Enable Code Interpreter, then browse and upload the file with the .md extension.
  3. Click the file, then click "click me"; an alert should pop up.

Remediation

Since Mermaid bundles DOMPurify, it is recommended to initialize it with securityLevel: 'strict' instead of 'loose'.
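The following is an added example, not code from Open WebUI or from Mermaid. It places the weak initialization the advisory describes (securityLevel: 'loose') beside the hardened one (securityLevel: 'strict'), and adds a defensive scan of untrusted diagram source for `click` directives so that a file carrying a script-scheme link can be logged or alerted on before rendering. The config objects are the ones you would pass to `mermaid.initialize()`; the scan itself needs no Mermaid dependency and runs under Node as-is. The function names, the two sample diagrams (one of which is the advisory's proof-of-concept text) and the http(s)-only allowlist are assumptions made for this example.

```javascript
// Added example (not Open WebUI's or Mermaid's code): weak vs. hardened Mermaid
// configuration, plus a defensive pre-render scan of untrusted diagram source.

// Weak setting from the advisory: 'loose' allows tags in labels and keeps click
// interactions (href / callback) enabled, so a script-scheme href becomes a live link.
const weakMermaidConfig = { startOnLoad: false, securityLevel: 'loose' };

// Hardened setting the advisory recommends: 'strict' encodes tags in labels and
// disables click functionality, removing the vector described above.
const hardenedMermaidConfig = { startOnLoad: false, securityLevel: 'strict' };

// Assumed policy for this example: only absolute http(s) links are acceptable targets.
const ALLOWED_LINK_PROTOCOLS = new Set(['http:', 'https:']);

function isAllowedLinkTarget(target) {
  let parsed;
  try {
    parsed = new URL(target); // WHATWG parser: "javascript:..." yields protocol "javascript:"
  } catch {
    return false;             // relative or malformed target: do not guess, treat as not allowed
  }
  return ALLOWED_LINK_PROTOCOLS.has(parsed.protocol);
}

// Mermaid link forms: `click <id> href "<url>" ["tooltip"]` and `click <id> "<url>" ["tooltip"]`.
const CLICK_HREF = /^\s*click\s+(\S+)\s+(?:href\s+)?"([^"]*)"/i;
// Callback forms: `click <id> call fn(...)` and `click <id> fn ["tooltip"]`; both run page code.
const CLICK_CALLBACK = /^\s*click\s+(\S+)\s+(?:call\s+)?([A-Za-z_$][\w$]*)/i;

// Scan diagram source line by line and return every click directive found.
function extractClickDirectives(diagramSource) {
  const found = [];
  diagramSource.split(/\r?\n/).forEach((line, index) => {
    let m = CLICK_HREF.exec(line);
    if (m) {
      found.push({ line: index + 1, node: m[1], kind: 'href', target: m[2] });
      return;
    }
    m = CLICK_CALLBACK.exec(line);
    if (m) {
      found.push({ line: index + 1, node: m[1], kind: 'callback', target: m[2] });
    }
  });
  return found;
}

// Directives that would execute script or point outside the allowlist.
function findUnsafeClickDirectives(diagramSource) {
  return extractClickDirectives(diagramSource).filter(
    (d) => d.kind === 'callback' || !isAllowedLinkTarget(d.target)
  );
}

// Render-policy decision for an untrusted diagram: always use the hardened config,
// and report flagged directives so the caller can log or alert on the upload.
function renderPolicyFor(diagramSource) {
  return { config: hardenedMermaidConfig, flagged: findUnsafeClickDirectives(diagramSource) };
}

// Constructed samples: the advisory's proof-of-concept diagram and a benign one.
const POC_DIAGRAM = [
  'flowchart LR',
  ' A[click me]',
  ' click A href "javascript:alert(document.domain)" "x"',
].join('\n');

const BENIGN_DIAGRAM = [
  'flowchart LR',
  ' B[docs]',
  ' click B "https://example.com/docs" "open docs"',
].join('\n');

// Stand-alone run: prints the flagged directive from the proof-of-concept diagram.
console.log(JSON.stringify(renderPolicyFor(POC_DIAGRAM), null, 2));
```

The scan is a detection and logging aid, not a replacement for the configuration change: with securityLevel: 'strict' Mermaid itself disables click handling, so the directive never becomes a live link regardless of what the scan reports. Note also that `weakMermaidConfig` exists only to show the setting side by side; nothing in this example renders with it.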

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-54011
GHSA-V8QJ-HXV7-MGVV

Affected Products

Open-Webui