Open WebUI: Stored XSS in Mermaid Markdown Preview

When

2026-06-17 14:14 UTC

Where

Global (internet)

Category

cyber_advisory · pip

## Summary Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using `innerHTML`. Because Mermaid is configured with `securityLevel: 'loose'`, attacker-controlled Mermaid content can be rendered unsafely in this flow. A working payload was validated through the Markdown preview path, resulting in JavaScript execution in the victim’s browser under the application origin. This is a confirmed stored XSS vulnerability reachable through normal product functionality. ## Affected Version - `main` - Reproduced on `v0.8.12` ## Affected Code Mermaid is initialized in permissive mode: https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/utils/index.ts#L1698 The file preview path renders Mermaid output and injects the returned SVG into the DOM: https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/FileNav/FilePreview.svelte#L133 ## Impact A successful exploit allows JavaScript execution in the victim’s browser under the Open WebUI origin when a malicious Markdown file is opened in the preview panel. ## PoC A malicious `.md` file containing the follwowing contents can be used to trigger the bug: ```` ```mermaid flowchart LR A[click me] click A href "javascript:alert(document.domain)" "x" ``` ```` Steps to reproduce: 1- Create a new chat 2- Enable Code Interpreter and browse and upload the file with `.md` extension. <img width="331" height="258" alt="image" src="https://github.com/user-attachments/assets/bce2b754-56d1-4da1-90a9-22bcb93269f2" /> 3- Clicking on the file, and clicking `click me` should pop an alert <img width="1103" height="485" alt="image" src="https://github.com/user-attachments/assets/18754486-799b-434e-a2fc-dd7c09956a29" /> ## Remediation Since `mermaid` has `DOMPurify` as a built-in, it is recommended to use the `strict` mode instead of `loose`.

Sources

• GitHub Advisory Database ↗ · first seen 2026-06-17 14:14 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

• Open WebUI: Stored XSS to Account Takeover via Model Profile Images
  Shared actorsInvolves pip/open-webui, pip/open-webui· 80% match
• Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion
  Shared actorsInvolves pip/open-webui, pip/open-webui· 80% match
• Open WebUI: Forged chat-file link allows cross-user file read and deletion
  Shared actorsInvolves pip/open-webui, pip/open-webui· 80% match
• Open WebUI: Cross-origin postMessage confirmation bypass via action:submit
  Shared actorsInvolves pip/open-webui, pip/open-webui· 80% match
• Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar
  Shared actorsInvolves pip/open-webui, pip/open-webui· 80% match
• Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion
  Shared actorsInvolves pip/open-webui, pip/open-webui· 80% match
• Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE…
  Shared actorsInvolves pip/open-webui, pip/open-webui· 80% match
• Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}
  Shared actorsInvolves pip/open-webui, pip/open-webui· 80% match

← Back to the live map