Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse() inside {@html} with an incorrect DOMPurify application order. An admin can inject arbitrary JavaScript into the Pending User Overlay Content that executes in the browser context of any pending user who views the overlay page. This vulnerability is fixed in 0.9.0.
References
| Link | Resource |
|---|---|
| https://github.com/open-webui/open-webui/security/advisories/GHSA-fq3v-xjjx-95rc | Exploit Mitigation Vendor Advisory |
| https://github.com/open-webui/open-webui/security/advisories/GHSA-fq3v-xjjx-95rc | Exploit Mitigation Vendor Advisory |
Configurations
History
19 May 2026, 03:06
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:* | |
| References | () https://github.com/open-webui/open-webui/security/advisories/GHSA-fq3v-xjjx-95rc - Exploit, Mitigation, Vendor Advisory | |
| First Time |
Openwebui
Openwebui open Webui |
15 May 2026, 21:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/open-webui/open-webui/security/advisories/GHSA-fq3v-xjjx-95rc - |
15 May 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-15 20:16
Updated : 2026-05-19 03:06
NVD link : CVE-2026-44568
Mitre link : CVE-2026-44568
CVE.ORG link : CVE-2026-44568
JSON object : View
Products Affected
openwebui
- open_webui
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')