Summary
Open WebUI: Stored XSS to Account Takeover via Model Profile Images
References
Related vulnerabilities
- MEDIUM GHSA-W22M-HVVM-XMWX: Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization
- MEDIUM GHSA-6JQ6-X4CX-QVCM: Firefly II has Stored XSS in Audit Log Entry view via piggy bank name (ale.twig)
- HIGH GHSA-M9CV-24RX-8MV7: Filament: Disabled RichEditor field state can be used for XSS
- HIGH GHSA-9CPJ-QC93-VW8V: Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer
- HIGH GHSA-V8QJ-HXV7-MGVV: Open WebUI: Stored XSS in Mermaid Markdown Preview
- MEDIUM GHSA-6MHR-74X2-98V9: NocoDB: Stored Cross-Site Scripting via Secure Attachment