CVE Catalog

CVE-2026-54011

HighCVSS 8.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

Open WebUI prior to version 0.9.6 renders Mermaid blocks from Markdown files in the file preview panel, allowing for the injection of malicious JavaScript code into the DOM. Due to the securityLevel: 'loose' setting, attacker-controlled content can be rendered unsafely.

Risk Assessment

An attacker could exploit this vulnerability to execute malicious JavaScript in victims' browsers, potentially leading to data theft or session hijacking.

Recommendation

It is recommended to update Open WebUI to version 0.9.6 or later to mitigate this vulnerability and reduce the risk of unauthorized code execution.

Original NVD description (English source)

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6,Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML. Because Mermaid is configured with securityLevel: 'loose', attacker-controlled Mermaid content can be rendered unsafely in this flow. A working payload was validated through the Markdown preview path, resulting in JavaScript execution in the victim’s browser under the application origin. This vulnerability is fixed in 0.9.6.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS