GHSA-v8qj-hxv7-mgvvHighCVSS 8.7

Open WebUI: Stored XSS in Mermaid Markdown Preview

Published
June 17, 2026
Last Modified
June 17, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML.

Because Mermaid is configured with securityLevel: 'loose', attacker-controlled Mermaid content can be rendered unsafely in this flow. A working payload was validated through the Markdown preview path, resulting in JavaScript execution in the victim’s browser under the application origin.

This is a confirmed stored XSS vulnerability reachable through normal product functionality.

Affected Version

  • main
  • Reproduced on v0.8.12

Affected Code

Mermaid is initialized in permissive mode:

https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/utils/index.ts#L1698 The file preview path renders Mermaid output and injects the returned SVG into the DOM:

https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/FileNav/FilePreview.svelte#L133

Impact

A successful exploit allows JavaScript execution in the victim’s browser under the Open WebUI origin when a malicious Markdown file is opened in the preview panel.

PoC

A malicious .md file containing the follwowing contents can be used to trigger the bug:

```mermaid
flowchart LR
  A[click me]
  click A href "javascript:alert(document.domain)" "x"
```

Steps to reproduce: 1- Create a new chat 2- Enable Code Interpreter and browse and upload the file with .md extension. 3- Clicking on the file, and clicking click me should pop an alert

Remediation

Since mermaid has DOMPurify as a built-in, it is recommended to use the strict mode instead of loose.

🎯 Affected products1

  • pip/open-webui:<= 0.9.5

🔗 References (2)