GHSA-jwf8-pv5p-vhmc

Source

https://github.com/advisories/GHSA-jwf8-pv5p-vhmc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-jwf8-pv5p-vhmc/GHSA-jwf8-pv5p-vhmc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jwf8-pv5p-vhmc

Aliases

CVE-2026-44549

Published

2026-05-08T22:26:17Z

Modified

2026-05-08T22:34:51.101717Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Open WebUI has stored XSS in Excel file preview

Details

Summary

Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheettohtml to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html causing the payload to trigger.

Details

The function used to convert XLSX documents to HTML for preview does not perform any input validation or sanitisation for the generated HTML https://github.com/open-webui/open-webui/blob/a7271532f8a38da46785afcaa7e65f9a45e7d753/src/lib/components/common/FileItemModal.svelte#L120-L133 XLSX attachments are processed by this function, converted to HTML with XLSX.utils.sheet_to_html before ultimately being assigned to the variable excelHtml. Later there is logic that causes this to be assigned directly to the DOM when the preview tab is selected. https://github.com/open-webui/open-webui/blob/a7271532f8a38da46785afcaa7e65f9a45e7d753/src/lib/components/common/FileItemModal.svelte#L358-L400

PoC

A python script to generate a payload file is as follows:

import xlsxwriter                                                                                                                

payload = '<img src=x onerror="alert(\'XSS Triggered by XLSX file\')">'                                                          

workbook = xlsxwriter.Workbook('xss_payload.xlsx')                                                                           
worksheet = workbook.add_worksheet()                                                                                         

payload_format = workbook.add_format()                                                                                       

worksheet.write_rich_string('A1',                                                                                            
    'This cell contains a hidden payload: ',                                                                                 
    payload_format, payload                                                                                                  
)                                                                                                                            

worksheet.write('A2', 'This is a safe cell.')                                                                                
worksheet.write('B1', 'Column B')                                                                                            

workbook.close()

Upload the generated file as an attachment to a chat, open the file modal, and click preview. Observe the XSS triggers. <img width="2444" height="1386" alt="image" src="https://github.com/user-attachments/assets/8400efb0-ea6f-4878-abdb-4c2fe529241f" /> This same process can be triggered in shared chats, allowing the payload to be distributed to victims. <img width="2386" height="1646" alt="image" src="https://github.com/user-attachments/assets/d0eda49c-8fcf-4fc4-bbb0-c8951b0369c3" />

Impact

Any user can create a weaponised chat that can be shared and subsequently used to target other users.

Low privilege users are at risk of having their session taken over by a payload that reads their token from local storage and exfiltrates it to an attacker controlled server.

Admins are at risk of exposing the server to RCE via same chain described in GHSA-w7xj-8fx7-wfch.

Caveats

The file attachment in the shared chat must be opened and previewed to trigger the vulnerability.

Recommendation

Sanitise the generated HTML with DOMPurify before assigning it to the DOM.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T22:26:17Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "nvd_published_at": null
}

References

Affected packages

PyPI / open-webui

Package

Name: open-webui; View open source insights on deps.dev
Purl: pkg:pypi/open-webui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.8.0

Affected versions

0.*

0.1.124

0.1.125

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.3.10

0.3.12

0.3.13

0.3.14

0.3.15

0.3.16

0.3.17.dev2

0.3.17.dev3

0.3.17.dev4

0.3.17.dev5

0.3.17

0.3.18

0.3.19

0.3.20

0.3.21

0.3.22

0.3.23

0.3.24

0.3.25

0.3.26

0.3.27.dev1

0.3.27.dev2

0.3.27.dev3

0.3.27

0.3.28

0.3.29

0.3.30.dev1

0.3.30.dev2

0.3.30

0.3.31.dev1

0.3.31

0.3.32

0.3.33.dev1

0.3.33

0.3.34

0.3.35

0.4.0.dev1

0.4.0.dev2

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.4.6.dev1

0.4.6

0.4.7

0.4.8

0.5.0.dev1

0.5.0.dev2

0.5.0

0.5.1

0.5.2

0.5.3.dev1

0.5.3

0.5.4

0.5.5

0.5.6

0.5.7

0.5.8

0.5.9

0.5.10

0.5.11

0.5.12

0.5.13

0.5.14

0.5.15

0.5.16

0.5.17

0.5.18

0.5.19

0.5.20

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6.dev1

0.6.6

0.6.7

0.6.8

0.6.9

0.6.10

0.6.11

0.6.12

0.6.13

0.6.14

0.6.15

0.6.16

0.6.18

0.6.19

0.6.20

0.6.21

0.6.22

0.6.23

0.6.24

0.6.25

0.6.26.dev1

0.6.26

0.6.27

0.6.28

0.6.29

0.6.30

0.6.31

0.6.32

0.6.33

0.6.34

0.6.35

0.6.36

0.6.37

0.6.38

0.6.39

0.6.40

0.6.41

0.6.42

0.6.43

0.7.0

0.7.1

0.7.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-jwf8-pv5p-vhmc/GHSA-jwf8-pv5p-vhmc.json"

last_known_affected_version_range

"<= 0.7.2"