PYSEC-2026-2724
Vulnerability from pysec - Published: 2026-07-13 15:15 - Updated: 2026-07-13 16:05Vulnerability Details
CWE-79: Cross-site Scripting (XSS)
The AccountPending.svelte component renders the admin-configured "Pending User Overlay Content" using marked.parse() inside {@html} with an incorrect DOMPurify application order:
Vulnerable Code
src/lib/components/layout/Overlay/AccountPending.svelte (lines 43-48):
{@html marked.parse(
DOMPurify.sanitize(
($config?.ui?.pending_user_overlay_content ?? '').replace(/\n/g, '<br>')
)
)}
DOMPurify is applied to the raw Markdown input before marked.parse() processes it. This is the wrong order. DOMPurify sanitizes the Markdown text (which contains no HTML tags), then marked.parse() converts Markdown link syntax into HTML <a> tags with javascript: href, and the result is rendered with {@html} unsanitized.
The correct pattern (used elsewhere in the codebase, e.g., NotebookView.svelte:77) is:
DOMPurify.sanitize(marked.parse(src)) // sanitize AFTER markdown parsing
Steps to Reproduce
Prerequisites
- Open WebUI v0.8.10
- Admin account
- A second user account with "pending" role
Steps
-
Log in as admin and navigate to Admin Settings → Settings → General.
-
Set Default User Role to
pending. -
In the Pending User Overlay Content field, enter:
# Account Pending
Your account is under review.
[Contact Support](javascript:alert(document.domain))
-
Save the settings.
-
In a separate browser (or incognito window), create a new account or log in as a pending user.
-
The pending overlay is displayed. Click the "Contact Support" link.
-
A JavaScript alert dialog appears showing
localhost(the document domain), confirming XSS execution.
Verified Output
The alert(document.domain) executes successfully, displaying "localhost" in a JavaScript dialog box.
Impact
An admin can inject arbitrary JavaScript into the Pending User Overlay Content that executes in the browser context of any pending user who views the overlay page. This could be used to:
- Session hijacking: Steal pending users' JWT tokens from cookies/localStorage
- Credential theft: Replace the pending overlay with a fake login form
- Phishing: Redirect pending users to malicious sites
While this requires admin privileges to set the overlay content, it enables an admin to attack pending users (who have not yet been granted full access). In multi-admin deployments, a compromised admin account could use this to escalate attacks.
Proposed Fix
Apply DOMPurify after marked.parse(), not before:
<!-- Before (vulnerable): -->
{@html marked.parse(
DOMPurify.sanitize(
($config?.ui?.pending_user_overlay_content ?? '').replace(/\n/g, '<br>')
)
)}
<!-- After (fixed): -->
{@html DOMPurify.sanitize(
marked.parse(
($config?.ui?.pending_user_overlay_content ?? '').replace(/\n/g, '<br>'),
{ async: false }
)
)}
| Name | purl | open-webui | pkg:pypi/open-webui |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "open-webui",
"purl": "pkg:pypi/open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.1.124",
"0.1.125",
"0.2.0",
"0.2.1",
"0.2.2",
"0.2.3",
"0.2.4",
"0.2.5",
"0.3.0",
"0.3.1",
"0.3.10",
"0.3.12",
"0.3.13",
"0.3.14",
"0.3.15",
"0.3.16",
"0.3.17",
"0.3.17.dev2",
"0.3.17.dev3",
"0.3.17.dev4",
"0.3.17.dev5",
"0.3.18",
"0.3.19",
"0.3.2",
"0.3.20",
"0.3.21",
"0.3.22",
"0.3.23",
"0.3.24",
"0.3.25",
"0.3.26",
"0.3.27",
"0.3.27.dev1",
"0.3.27.dev2",
"0.3.27.dev3",
"0.3.28",
"0.3.29",
"0.3.3",
"0.3.30",
"0.3.30.dev1",
"0.3.30.dev2",
"0.3.31",
"0.3.31.dev1",
"0.3.32",
"0.3.33",
"0.3.33.dev1",
"0.3.34",
"0.3.35",
"0.3.4",
"0.3.5",
"0.3.6",
"0.3.7",
"0.3.8",
"0.3.9",
"0.4.0",
"0.4.0.dev1",
"0.4.0.dev2",
"0.4.1",
"0.4.2",
"0.4.3",
"0.4.4",
"0.4.5",
"0.4.6",
"0.4.6.dev1",
"0.4.7",
"0.4.8",
"0.5.0",
"0.5.0.dev1",
"0.5.0.dev2",
"0.5.1",
"0.5.10",
"0.5.11",
"0.5.12",
"0.5.13",
"0.5.14",
"0.5.15",
"0.5.16",
"0.5.17",
"0.5.18",
"0.5.19",
"0.5.2",
"0.5.20",
"0.5.3",
"0.5.3.dev1",
"0.5.4",
"0.5.5",
"0.5.6",
"0.5.7",
"0.5.8",
"0.5.9",
"0.6.0",
"0.6.1",
"0.6.10",
"0.6.11",
"0.6.12",
"0.6.13",
"0.6.14",
"0.6.15",
"0.6.16",
"0.6.18",
"0.6.19",
"0.6.2",
"0.6.20",
"0.6.21",
"0.6.22",
"0.6.23",
"0.6.24",
"0.6.25",
"0.6.26",
"0.6.26.dev1",
"0.6.27",
"0.6.28",
"0.6.29",
"0.6.3",
"0.6.30",
"0.6.31",
"0.6.32",
"0.6.33",
"0.6.34",
"0.6.35",
"0.6.36",
"0.6.37",
"0.6.38",
"0.6.39",
"0.6.4",
"0.6.40",
"0.6.41",
"0.6.42",
"0.6.43",
"0.6.5",
"0.6.6",
"0.6.6.dev1",
"0.6.7",
"0.6.8",
"0.6.9",
"0.7.0",
"0.7.1",
"0.7.2",
"0.8.0",
"0.8.1",
"0.8.10",
"0.8.11",
"0.8.12",
"0.8.2",
"0.8.3",
"0.8.4",
"0.8.5",
"0.8.6",
"0.8.7",
"0.8.8",
"0.8.9"
]
}
],
"aliases": [
"CVE-2026-44568",
"GHSA-fq3v-xjjx-95rc"
],
"details": "## Vulnerability Details\n\n**CWE-79**: Cross-site Scripting (XSS)\n\nThe `AccountPending.svelte` component renders the admin-configured \"Pending User Overlay Content\" using `marked.parse()` inside `{@html}` with an incorrect DOMPurify application order:\n\n### Vulnerable Code\n\n**`src/lib/components/layout/Overlay/AccountPending.svelte` (lines 43-48)**:\n\n```svelte\n{@html marked.parse(\n DOMPurify.sanitize(\n ($config?.ui?.pending_user_overlay_content ?? \u0027\u0027).replace(/\\n/g, \u0027\u003cbr\u003e\u0027)\n )\n)}\n```\n\nDOMPurify is applied to the raw Markdown input **before** `marked.parse()` processes it. This is the wrong order. DOMPurify sanitizes the Markdown text (which contains no HTML tags), then `marked.parse()` converts Markdown link syntax into HTML `\u003ca\u003e` tags with `javascript:` href, and the result is rendered with `{@html}` unsanitized.\n\nThe correct pattern (used elsewhere in the codebase, e.g., `NotebookView.svelte:77`) is:\n```javascript\nDOMPurify.sanitize(marked.parse(src)) // sanitize AFTER markdown parsing\n```\n\n## Steps to Reproduce\n\n### Prerequisites\n- Open WebUI v0.8.10\n- Admin account\n- A second user account with \"pending\" role\n\n### Steps\n\n1. Log in as admin and navigate to **Admin Settings** \u2192 **Settings** \u2192 **General**.\n\n2. Set **Default User Role** to `pending`.\n\n3. In the **Pending User Overlay Content** field, enter:\n```\n# Account Pending\n\nYour account is under review.\n\n[Contact Support](javascript:alert(document.domain))\n```\n\n4. Save the settings.\n\n5. In a separate browser (or incognito window), create a new account or log in as a pending user.\n\n6. The pending overlay is displayed. Click the \"Contact Support\" link.\n\n7. A JavaScript alert dialog appears showing `localhost` (the document domain), confirming XSS execution.\n\n### Verified Output\n\nThe `alert(document.domain)` executes successfully, displaying \"localhost\" in a JavaScript dialog box.\n\n## Impact\n\nAn admin can inject arbitrary JavaScript into the Pending User Overlay Content that executes in the browser context of any pending user who views the overlay page. This could be used to:\n\n- **Session hijacking**: Steal pending users\u0027 JWT tokens from cookies/localStorage\n- **Credential theft**: Replace the pending overlay with a fake login form\n- **Phishing**: Redirect pending users to malicious sites\n\nWhile this requires admin privileges to set the overlay content, it enables an admin to attack pending users (who have not yet been granted full access). In multi-admin deployments, a compromised admin account could use this to escalate attacks.\n\n## Proposed Fix\n\nApply DOMPurify **after** `marked.parse()`, not before:\n\n```svelte\n\u003c!-- Before (vulnerable): --\u003e\n{@html marked.parse(\n DOMPurify.sanitize(\n ($config?.ui?.pending_user_overlay_content ?? \u0027\u0027).replace(/\\n/g, \u0027\u003cbr\u003e\u0027)\n )\n)}\n\n\u003c!-- After (fixed): --\u003e\n{@html DOMPurify.sanitize(\n marked.parse(\n ($config?.ui?.pending_user_overlay_content ?? \u0027\u0027).replace(/\\n/g, \u0027\u003cbr\u003e\u0027),\n { async: false }\n )\n)}\n```\n\u003cimg width=\"1510\" height=\"1093\" alt=\"2026-03-23_03-07\" src=\"https://github.com/user-attachments/assets/bcc94dd6-4f06-472b-9979-9759458c76b3\" /\u003e",
"id": "PYSEC-2026-2724",
"modified": "2026-07-13T16:05:12.459747Z",
"published": "2026-07-13T15:15:42.754381Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-fq3v-xjjx-95rc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44568"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/open-webui"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-fq3v-xjjx-95rc"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.