CVE-2026-44549 · HIGH 8.7 · EPSS p23.4%

CVE-2026-44549

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.0, Excel file attachments were previewed in an unsafe way: a crafted XLSX file payload can cause the SheetJS function sheet_to_html to embed an XSS payload in the generated HTML, which is then added to the DOM unsanitized via @html, so the payload executes. This vulnerability is fixed in 0.8.0.

Scoring

CVSS 3.1: 8.7 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS: 0.32% probability of exploitation · percentile 23.4% · 2026-06-18T12:00:27Z
Published: 2026-05-15
Last modified: 2026-05-19

Underlying weaknesses · 1

CWE-79

References

  1. https://github.com/open-webui/open-webui/security/advisories/GHSA-jwf8-pv5p-vhmc


Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (cwe-79) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-44566
CVE: CVE-2026-45402
CVE: CVE-2026-45665
CVE: CVE-2026-45400
CVE: CVE-2026-44565
CVE: CVE-2026-45672
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.