Product
Open WebUI is vulnerable to stored XSS when previewing Excel files. A crafted XLSX file can embed an XSS payload into the HTML generated for the preview, which leads to arbitrary code execution when the file is previewed. This allows attackers to create weaponized chats and potentially compromise user sessions or gain RCE.
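
An added example (not Open WebUI's code and not part of this advisory) of the class of bug described above: cell text from a workbook reaching the preview HTML unescaped, next to an escaping renderer and a tag check suitable for a regression test. All function names and the sample rows are hypothetical and constructed for illustration.

```javascript
// Added example: not Open WebUI code. All names here are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a cell value so the browser treats it as text, never as markup.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: cell text is concatenated into the preview HTML as-is.
function renderPreviewUnsafe(rows) {
  const body = rows.map((r) => '<tr>' + r.map((c) => `<td>${c}</td>`).join('') + '</tr>');
  return '<table>' + body.join('') + '</table>';
}

// Hardened pattern: every cell is escaped before it reaches the HTML string.
function renderPreviewSafe(rows) {
  const body = rows.map((r) => '<tr>' + r.map((c) => `<td>${escapeHtml(c)}</td>`).join('') + '</tr>');
  return '<table>' + body.join('') + '</table>';
}

// Regression check: list tag names in the output that the renderer never emits itself.
function unexpectedTags(html) {
  const allowed = new Set(['table', 'tr', 'td']);
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!allowed.has(tag)) found.add(tag);
  }
  return [...found];
}

// Constructed sample rows, standing in for cell text parsed from an uploaded workbook.
const sampleRows = [
  ['name', 'note'],
  ['alice', '<b>bold</b> & "quoted"'],
  ['bob', '<img src="x">'],
];

console.log('unsafe renderer leaks tags:', unexpectedTags(renderPreviewUnsafe(sampleRows)));
console.log('safe renderer leaks tags:', unexpectedTags(renderPreviewSafe(sampleRows)));
```

Where the preview HTML is produced by a spreadsheet library rather than built by hand, the equivalent control is to pass that HTML through an allow-list sanitizer before inserting it into the page.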