CVE-2026-26192 is a stored cross-site scripting vulnerability in Open WebUI affecting versions prior to 0.7.0. By manually modifying chat history, an attacker can set the html property in document metadata so the frontend follows a code path in src/lib/components/chat/Messages/Citations/CitationModal.svelte that treats document content as HTML and renders it in an iframe via srcdoc when a citation is previewed. In vulnerable implementations, the iframe sandbox included allow-scripts allow-forms allow-same-origin, allowing attacker-supplied JavaScript to execute in a same-origin context. Because Open WebUI stores JWT session tokens in browser localStorage, the injected script can access window.parent.localStorage and steal authentication material. The payload is stored in chat content and can also execute when the citation is viewed from a shared chat.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
html: true, and reduce opportunities for attackers to inject or tamper with chat payloads.Patch, then assume compromise.
allow-scripts allow-forms allow-same-origin to allow-scripts allow-forms, and making allow-same-origin conditional via the iframeSandboxAllowSameOrigin setting.No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A same-origin iframe sandbox misconfiguration in Open WebUI that allows attacker-controlled HTML/JavaScript rendered via srcdoc to access parent-origin localStorage, steal JWT authentication tokens, and compromise user accounts, including administrative access.
A stored cross-site scripting vulnerability in Open WebUI prior to 0.7.0 mentioned only in related content.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.