CVE-2026-45314
Open WebUI: XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profile_image_url values, including data:image/svg+xml;base64,... payloads. The profile image endpoint then decodes and serves this SVG as image/svg+xml without sanitization, allowing attacker-controlled script handlers (for example onload) to execute when the profile-image URL is opened in the browser. This vulnerability is fixed in 0.9.3.
| CWE | CWE-87 |
| Vendor | open-webui |
| Product | open-webui |
| Published | May 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for open-webui open-webui
Be the first to know when new unknown vulnerabilities affecting open-webui open-webui are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
open-webui / open-webui
< 0.9.3