CVE-2026-45665HIGH 8.1EPSS p23.8%

CVE-2026-45665CVE-2026-45665

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Banner component due to an improper sanitization order (specifically, DOMPurify is executed before the marked library). This vulnerability allows a compromised or malicious administrator to plant a malicious payload in the global banner. Crucially, this vector enables Privilege Escalation, as the malicious banner is rendered for all users, including the Super Admin (Primary Admin). Consequently, the payload successfully bypasses the existing security mechanism. An attacker can leverage this to steal the Super Admin's session token This vulnerability is fixed in 0.8.0.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
EPSS0.32% probability of exploitation · percentile 23.8% · 2026-06-19T12:03:05Z
Published2026-05-15
Last modified2026-05-19

Underlying weaknesses· 1

CWE-79

References

  1. https://github.com/open-webui/open-webui/security/advisories/GHSA-cqp4-qqvg-3787
  2. https://github.com/open-webui/open-webui/security/advisories/GHSA-cqp4-qqvg-3787

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')cwe-790%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-44549
CVE
CVE-2026-45672
CVE
CVE-2026-44553
CVE
CVE-2025-64496
CVE
CVE-2026-45400
CVE
CVE-2026-45671
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.