CVE-2026-45299 MEDIUM

CVE-2026-45299: Open WebUI: Stored Cross-Site Scripting In Profile Picture

Vendor Open-Webui

Product open-webui

Weakness CWE-79 · XSS

Published May 15, 2026

Last update May 15, 2026

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, the profile_image_url field on the user profile update form accepted arbitrary data: URI values without MIME-type validation, resulting in a XSS vulnerability. This vulnerability is fixed in 0.8.0.

Key dates

02Disclosure timeline

May 15, 2026 CVE published

May 15, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-45299 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-36211 Adobe Experience Manager | Cross-site Scripting (Reflected XSS) (CWE-79) CVE-2025-0666 BOINC Server Stored XSS Injection in host_venue_action.php CVE-2023-6970 WP Recipe Maker <= 9.1.0 - Reflected Cross-Site Scripting via Referer CVE-2025-1406 Newpost Catch <= 1.3.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via npc Shortcode CVE-2024-0612 Content Views <= 3.6.2 - Authenticated(Administrator+) Stored Cross-Site Scripting via settings