CVE-2026-45346

5.4 MEDIUM

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline

Published: 2026-05-15 · Last updated: 2026-05-18

Severity and scoring

CVSS: 5.4 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-80

Affected products

Vendor	Product
openwebui	open_webui

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.31, there is a Cross-Site Scripting vulnerability in Open WebUI SVG renderer implementation. This vulnerability is fixed in 0.6.31.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45346
[Vendor advisory]https://github.com/open-webui/open-webui/security/advisories/GHSA-r29h-37fj-x2w6
[Vendor advisory]https://github.com/open-webui/open-webui/security/advisories/GHSA-r29h-37fj-x2w6

Related CVEs

Same vendor

CVE-2026-45667 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline (6.5 MEDIUM)
CVE-2026-45666 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline (6.5 MEDIUM)
CVE-2026-45665 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline (8.1 HIGH)
CVE-2026-45365 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline (5.4 MEDIUM)
CVE-2026-45351 — Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline (6.5 MEDIUM)

Same CWE

CVE-2026-46492 — md-fileserver allows for local viewing of markdown files in a browser (7.2 HIGH)
CVE-2026-34033 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache Answer (5.4 MEDIUM)
CVE-2026-11511 — A weakness has been identified in Bolt CMS up to 3.7.5 (3.5 LOW)
CVE-2026-9646 — A reflected cross-site scripting issue exists in URL handling (6.1 MEDIUM)
CVE-2026-44839 — RabbitMQ is a messaging and streaming broker (4.8 MEDIUM)