Low severity3.5NVD Advisory· Published Mar 28, 2026· Updated Apr 29, 2026

CVE-2026-4995

Description

A vulnerability was determined in wandb OpenUI up to 1.0. Affected by this vulnerability is an unknown functionality of the file frontend/public/annotator/index.html of the component Window Message Event Handler. This manipulation causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenUI's annotator iframe lacks sanitization of LLM responses, enabling stored XSS and arbitrary code execution via innerHTML and dynamic script injection.

The vulnerability resides in the annotator iframe of OpenUI (version 1.0 and earlier). The iframe receives LLM-generated HTML and JavaScript via postMessage from the parent frame, then directly sets wrapper.innerHTML (line 566) and creates ` elements with arbitrary code (lines 591–598) without any sanitization [1]. Additionally, the iframe's sandbox attribute includes both allow-same-origin and allow-scripts`, which is a known anti-pattern that allows scripts inside the iframe to fully access the parent frame's DOM, cookies, and session storage [1].

To exploit the vulnerability, an attacker must control the LLM response—either by compromising the LLM provider, performing a man-in-the-middle attack, or crafting a malicious input that the LLM reflects unsanitized. When a user triggers a UI component generation, the malicious HTML and JavaScript are delivered to the annotator iframe and executed in the user's browser [1]. The attack is fully remote and requires no special user privileges beyond using OpenUI.

Successful exploitation enables arbitrary client-side code execution within the security context of the OpenUI application. This can lead to session hijacking, theft of authentication tokens, and full account takeover [1].

The vendor was contacted but did not respond, and no official patch is available as of the publication date. Users are advised to restrict iframe sandbox permissions (remove allow-same-origin) or implement input sanitization (e.g., DOMPurify) on LLM responses as a temporary workaround [1].

References

Stored XSS and Arbitrary Code Execution via Unsanitized LLM Response Rendering in Annotator Iframe

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Wandb/Openuillm-fuzzy
Range: <=1.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

Severity

LowCVSS v3.1

3.5/ 10

CVSS v42.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: Low
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

EPSS

Probability of exploitation in the next 30 days.

0.03%

VYPR risk score

Composite of severity, exploitation, and reach.

0.23low

cvss	0.227
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-94
Improper Control of Generation of Code ('Code Injection')

CVE ID

CVE-2026-4995

Credits

E(
Eric-b (VulDB User)
reporter
V
VulDB
coordinator