{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/open-webui--0.7.2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["open-webui (\u003c= 0.7.2)"],"_cs_severities":["high"],"_cs_tags":["xss","stored-xss","open-webui"],"_cs_type":"threat","_cs_vendors":["Open WebUI"],"content_html":"\u003cp\u003eOpen WebUI is susceptible to a stored cross-site scripting (XSS) vulnerability due to unsafe handling of Excel file previews. Specifically, a maliciously crafted XLSX file can inject arbitrary HTML and JavaScript code into the generated preview, which is then executed in the user\u0026rsquo;s browser. This is due to the \u003ccode\u003esheet_to_html\u003c/code\u003e function from the sheetjs library not sanitizing the HTML output. An attacker can exploit this vulnerability by crafting a weaponized chat with a malicious XLSX attachment, which when previewed by a victim, triggers the XSS payload. Versions of Open WebUI up to and including 0.7.2 are affected. 
Successful exploitation could lead to session hijacking and potentially remote code execution on the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious XLSX file containing an XSS payload within a cell using a tool like xlsxwriter.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads this malicious XLSX file as an attachment in Open WebUI.\u003c/li\u003e\n\u003cli\u003eThe attacker shares the chat or sends the file directly to the victim.\u003c/li\u003e\n\u003cli\u003eThe victim opens the chat containing the malicious attachment.\u003c/li\u003e\n\u003cli\u003eThe victim clicks on the attachment to open the file modal.\u003c/li\u003e\n\u003cli\u003eThe victim selects the preview tab in the file modal, triggering the XLSX to HTML conversion.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003esheet_to_html\u003c/code\u003e function processes the XLSX file and embeds the malicious XSS payload into the generated HTML.\u003c/li\u003e\n\u003cli\u003eThe generated HTML, now containing the XSS payload, is injected into the DOM unsanitized, causing the payload to execute. The payload can then perform actions such as stealing session cookies or executing arbitrary JavaScript code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the victim\u0026rsquo;s browser within the Open WebUI application. This can lead to session hijacking, where the attacker gains control of the victim\u0026rsquo;s account. Furthermore, administrators are at risk of remote code execution (RCE) on the server by chaining this vulnerability with other vulnerabilities in Open WebUI. 
All users of Open WebUI up to version 0.7.2 who interact with shared files are affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-provided patch or upgrade to a version of Open WebUI greater than 0.7.2.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect attempts to exploit CVE-2026-44549 by looking for malicious script tags in the response HTML.\u003c/li\u003e\n\u003cli\u003eSanitize the HTML generated from XLSX files with DOMPurify or a similar library before rendering it in the DOM, as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening attachments from untrusted sources, even within trusted applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-09T12:00:00Z","date_published":"2026-05-09T12:00:00Z","id":"/briefs/2026-05-open-webui-xss/","summary":"Open WebUI is vulnerable to stored XSS when previewing Excel files; a crafted XLSX file can embed an XSS payload into the generated HTML, leading to arbitrary code execution when the file is previewed, allowing attackers to create weaponized chats and potentially compromise user sessions or gain RCE.","title":"Open WebUI Stored XSS Vulnerability in Excel File Preview","url":"https://feed.craftedsignal.io/briefs/2026-05-open-webui-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Open-Webui (\u003c= 0.7.2)","version":"https://jsonfeed.org/version/1.1"}