Product
Open WebUI before version 0.9.5 contains a high-severity stored cross-site scripting (XSS) vulnerability, CVE-2026-56398, in its OAuth authentication flow that allows an authenticated attacker to bypass profile image validation by uploading malicious SVG files, leading to script execution, authentication token theft, and ultimately account takeover for other authenticated users.