GHSA-CQP4-QQVG-3787

Vulnerability from github – Published: 2026-05-14 20:27 – Updated: 2026-05-19 16:00
VLAI
Summary
Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order
Details

Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Banner component due to an improper sanitization order (specifically, DOMPurify is executed before the marked library).

This vulnerability allows a compromised or malicious administrator to plant a malicious payload in the global banner. Crucially, this vector enables Privilege Escalation, as the malicious banner is rendered for all users, including the Super Admin (Primary Admin).

Consequently, the payload successfully bypasses the existing security mechanism. An attacker can leverage this to steal the Super Admin's session token

Details

Root Cause: The code attempts to sanitize the input using DOMPurify.sanitize() before parsing it with marked.parse().

DOMPurify cleans the raw input. Since Link is valid text (not HTML), it passes through DOMPurify unchanged. marked handles the text and converts it into a clickable HTML link: Link. This resulting unsafe HTML is rendered directly via {@html ...} without further checks.

src/lib/components/common/Banner.svelte (Line 103)

{@html marked.parse(DOMPurify.sanitize((banner?.content ?? '').replace(/\n/g, '<br>')))}

POC

  1. Attacker Action: Log in as a compromised Admin account and navigate to Settings > Interface > UI > Banners.
  2. Injection: Add a new banner and enter the following payload in the content field. This payload creates a link that alerts the user's session token when clicked. markdown [Click for Security Update](javascript:alert(localStorage.token))
  3. Execution: Click Save. The malicious banner is now stored and active.
  4. Victim Action (Privilege Escalation): The Primary Admin logs in and sees the banner on the main dashboard. Believing it to be a system notification, they click the link. Victim Dashboard View:

image

  1. Result: The JavaScript executes immediately within the Primary Admin's session, exposing their full-access token.

Impact

Extend permissions and damage to the entire system. You need administrator privileges to create banners, but this vulnerability is important because it can attack primary administrators and other administrators.

Destination: Other Administrators /Primary Administrators. Attack Vector: Corrupting all administrator accounts (even those with limited scope if future granular privileges exist or simply credentials are compromised) could allow an attacker to set traps for the default administrator. The result: Unlike self-XSS or simple administrator configuration changes, this allows you to capture active sessions for the most privileged users and bypass authentication controls such as MFA (because the session is already active).

Recommended Patch

Modify src/lib/components/common/Banner.svelte (Line 103):

{@html DOMPurify.sanitize(marked.parse((banner?.content ?? '').replace(/\n/g, '<br>')))}

Resolution

Fixed in v0.8.0. src/lib/components/common/Banner.svelte:103 now applies the sanitization in the correct order: DOMPurify.sanitize(marked.parse(...)). marked.parse runs first and converts [text](javascript:...) markdown into the corresponding HTML link element; DOMPurify.sanitize then strips the javascript: URL and any other dangerous attributes/elements before the result reaches {@html ...}.

Users on >= 0.8.0 are not affected.

Severity
8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.7.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45665"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:27:45Z",
    "nvd_published_at": "2026-05-15T22:16:55Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA Stored Cross-Site Scripting (XSS) vulnerability exists in the Banner component due to an improper sanitization order (specifically, DOMPurify is executed before the marked library).\n\nThis vulnerability allows a compromised or malicious administrator to plant a malicious payload in the global banner. Crucially, this vector enables Privilege Escalation, as the malicious banner is rendered for all users, including the Super Admin (Primary Admin).\n\nConsequently, the payload successfully bypasses the existing security mechanism. An attacker can leverage this to steal the Super Admin\u0027s session token\n\n### Details\nRoot Cause: The code attempts to sanitize the input using DOMPurify.sanitize() before parsing it with marked.parse().\n\nDOMPurify cleans the raw input. Since [Link](javascript:alert(javascript:alert(localStorage.token))) is valid text (not HTML), it passes through DOMPurify unchanged.\nmarked handles the text and converts it into a clickable HTML link: \u003ca href=\"javascript:alert(javascript:alert(localStorage.token))\"\u003eLink\u003c/a\u003e.\nThis resulting unsafe HTML is rendered directly via {@html ...} without further checks.\n\n`src/lib/components/common/Banner.svelte` (Line 103)\n```svelte\n{@html marked.parse(DOMPurify.sanitize((banner?.content ?? \u0027\u0027).replace(/\\n/g, \u0027\u003cbr\u003e\u0027)))}\n```\n### POC\n1. **Attacker Action:** Log in as a compromised Admin account and navigate to **Settings \u003e Interface \u003e UI \u003e Banners**.\n2. **Injection:** Add a new banner and enter the following payload in the content field. This payload creates a link that alerts the user\u0027s session token when clicked.\n    ```markdown\n    [Click for Security Update](javascript:alert(localStorage.token))\n    ```\n3. **Execution:** Click **Save**. The malicious banner is now stored and active.\n4. **Victim Action (Privilege Escalation):** The **Primary Admin** logs in and sees the banner on the main dashboard. Believing it to be a system notification, they click the link.\n    **Victim Dashboard View:**\n    \n\u003cimg width=\"880\" height=\"245\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b70d7f65-ab34-4634-9e78-2a8a7eda1439\" /\u003e\n\n5. **Result:** The JavaScript executes immediately within the Primary Admin\u0027s session, exposing their full-access token.\n\n### Impact\nExtend permissions and damage to the entire system. You need administrator privileges to create banners, but this vulnerability is important because it can attack primary administrators and other administrators.\n\nDestination: Other Administrators /Primary Administrators.\nAttack Vector: Corrupting all administrator accounts (even those with limited scope if future granular privileges exist or simply credentials are compromised) could allow an attacker to set traps for the default administrator.\nThe result: Unlike self-XSS or simple administrator configuration changes, this allows you to capture active sessions for the most privileged users and bypass authentication controls such as MFA (because the session is already active).\n\n### Recommended Patch\nModify `src/lib/components/common/Banner.svelte` (Line 103):\n\n```\n{@html DOMPurify.sanitize(marked.parse((banner?.content ?? \u0027\u0027).replace(/\\n/g, \u0027\u003cbr\u003e\u0027)))}\n```\n\n## Resolution\n\nFixed in **v0.8.0**. [`src/lib/components/common/Banner.svelte:103`](https://github.com/open-webui/open-webui/blob/main/src/lib/components/common/Banner.svelte#L103) now applies the sanitization in the correct order: `DOMPurify.sanitize(marked.parse(...))`. `marked.parse` runs first and converts `[text](javascript:...)` markdown into the corresponding HTML link element; `DOMPurify.sanitize` then strips the `javascript:` URL and any other dangerous attributes/elements before the result reaches `{@html ...}`.\n\nUsers on `\u003e= 0.8.0` are not affected.",
  "id": "GHSA-cqp4-qqvg-3787",
  "modified": "2026-05-19T16:00:17Z",
  "published": "2026-05-14T20:27:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-cqp4-qqvg-3787"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45665"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/releases/tag/v0.8.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.