cvedb.io
CVE-2026-44721
HIGH · CVSS 7.3
EPSS exploitation probability: 0%
Published 2026-05-15T21:16:36.370 · Last modified 2026-06-17T10:51:16.610

Summary

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a stored cross-site scripting (XSS) vulnerability that allows any authenticated user with model creation permission (workspace.models) to execute arbitrary JavaScript in the browser of any other user (including admins) who views the malicious model in the chat UI. This vulnerability is fixed in 0.9.0.

Affected products

openwebui — open_webui

Does this affect you?

Add your gear to cvedb and we'll alert you only when openwebui ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.