VYPR
High severity · 8.7 · NVD Advisory · Published Jun 17, 2026 · Updated Jun 17, 2026

Open WebUI: Stored XSS in Mermaid Markdown Preview

CVE-2026-54011

Description

Summary

Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML.

Because Mermaid is configured with securityLevel: 'loose', attacker-controlled Mermaid content can be rendered unsafely in this flow. A working payload was validated through the Markdown preview path, resulting in JavaScript execution in the victim’s browser under the application origin.

This is a confirmed stored XSS vulnerability reachable through normal product functionality.

Affected Version

  • main
  • Reproduced on v0.8.12

Affected Code

Mermaid is initialized in permissive mode:

https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/utils/index.ts#L1698

The file preview path renders Mermaid output and injects the returned SVG into the DOM:

https://github.com/open-webui/open-webui/blob/9bd84258d09eefe7bf975878fb0e31a5dadfe0f8/src/lib/components/chat/FileNav/FilePreview.svelte#L133

Impact

A successful exploit allows JavaScript execution in the victim’s browser under the Open WebUI origin when a malicious Markdown file is opened in the preview panel.

PoC

A malicious .md file containing the following contents can be used to trigger the bug:

```mermaid
flowchart LR
A[click me]
click A href "javascript:alert(document.domain)" "x"
```

Steps to reproduce:

1. Create a new chat.
2. Enable Code Interpreter, then browse and upload the file with the .md extension.
3. Click on the file, then click "click me"; an alert should pop.

Remediation

Since Mermaid has DOMPurify built in, it is recommended to initialize it with `securityLevel: 'strict'` instead of `'loose'`.
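Added example, not code from Open WebUI or from the advisory: the weak and recommended Mermaid initialization values side by side, plus a small Node.js scanner that pulls fenced `mermaid` blocks out of an uploaded Markdown file and flags `click` directives whose href uses a script scheme, run against a constructed document built from the PoC above. All function names and the sample document are assumptions for this example; the `securityLevel` change is the actual fix, the scanner only gives an upload-time signal for review or logging.

```javascript
// Added example (not Open WebUI or advisory code). Assumes Node.js; every
// name and the sample document below are constructed for this example.

// The advisory's weak setting beside the fix. With 'strict', Mermaid runs its
// bundled DOMPurify over the generated SVG, so `javascript:` hrefs are dropped.
const weakMermaidConfig = { startOnLoad: false, securityLevel: 'loose' };
const hardenedMermaidConfig = { startOnLoad: false, securityLevel: 'strict' };

function mermaidConfigIsHardened(config) {
  return config.securityLevel === 'strict';
}

// Script-bearing URL schemes that must never reach an SVG href.
const SCRIPT_SCHEMES = /^\s*(javascript|vbscript|data)\s*:/i;

// Collect the bodies of fenced ```mermaid blocks in a Markdown document.
function extractMermaidBlocks(markdown) {
  const blocks = [];
  const fence = /```\s*mermaid[^\n]*\n([\s\S]*?)```/gi;
  let match;
  while ((match = fence.exec(markdown)) !== null) blocks.push(match[1]);
  return blocks;
}

// Report `click <node> href "<url>"` / `click <node> "<url>"` lines whose URL
// carries a script scheme. A finding is a secondary signal for upload review;
// the real mitigation is the securityLevel change above.
function findUnsafeClickDirectives(markdown) {
  const clickRe = /^\s*click\s+(\S+)\s+(?:href\s+)?"([^"]*)"/i;
  const findings = [];
  extractMermaidBlocks(markdown).forEach((block, blockIndex) => {
    block.split('\n').forEach((line, lineIndex) => {
      const m = clickRe.exec(line);
      if (m && SCRIPT_SCHEMES.test(m[2])) {
        findings.push({ block: blockIndex, line: lineIndex, node: m[1], url: m[2] });
      }
    });
  });
  return findings;
}

// Constructed sample: the advisory's PoC block followed by a benign diagram.
const constructedUpload = [
  '# notes', '```mermaid', 'flowchart LR', 'A[click me]',
  'click A href "javascript:alert(document.domain)" "x"', '```',
  '```mermaid', 'flowchart LR', 'B[docs]',
  'click B href "https://example.com/docs" "docs"', '```',
].join('\n');
```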

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 1

Patches

Vulnerability mechanics

Root cause

"Mermaid is initialized with `securityLevel: 'loose'`, allowing `javascript:` URLs in `click` directives to execute when the generated SVG is injected into the DOM via `innerHTML`."

Attack vector

An attacker uploads a malicious `.md` file containing a Mermaid code block that uses the `click` directive with a `javascript:` URL. When a victim opens the file in the preview panel, Mermaid renders the diagram and the application inserts the resulting SVG into the DOM via `innerHTML`. Because Mermaid is configured with `securityLevel: 'loose'`, the `javascript:` URL is not blocked, leading to stored XSS under the Open WebUI origin [ref_id=1][ref_id=2].

Affected code

The vulnerability resides in two locations: `src/lib/utils/index.ts` line 1698, where Mermaid is initialized with `securityLevel: 'loose'`, and `src/lib/components/chat/FileNav/FilePreview.svelte` line 133, where the generated SVG is injected into the DOM via `innerHTML` without sanitization [ref_id=1][ref_id=2].

What the fix does

The advisory recommends switching Mermaid's `securityLevel` from `'loose'` to `'strict'`. Mermaid's built-in `strict` mode leverages DOMPurify to sanitize rendered output, which would strip `javascript:` URLs from `click` directives and prevent script execution. No code patch is included in the bundle, only the remediation guidance [ref_id=1][ref_id=2].

Preconditions

  • input: Attacker must be able to upload a `.md` file containing a Mermaid code block
  • input: Victim must open the malicious file in the file preview panel
  • config: Code Interpreter must be enabled in the chat (per PoC steps)

Reproduction

1. Create a new chat and enable Code Interpreter.
2. Upload a `.md` file containing:

```mermaid
flowchart LR
A[click me]
click A href "javascript:alert(document.domain)" "x"
```

3. Click on the uploaded file in the preview panel, then click the "click me" node to trigger the XSS [ref_id=1][ref_id=2].

Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2
