HomeCVE Intelligence › CVE-2026-44549
CVSS 7.3 HIGH Vulnerability

CVE-2026-44549: Open WebUI has stored XSS in Excel file preview

Summary Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the [sheetjs](https://git.sheetjs.com/sheetjs/sheetjs) function [sheet_to_html](https://git.sheetjs.com/she…

7.3CVSS Score
HIGHSeverity
NOCISA KEV
VulnerabilityImpact Type

📋 Vulnerability Details

CVE IDCVE-2026-44549
Vendorpip
Affected Productopen-webui
Vulnerability TypeVulnerability
CVSS Score7.3 (HIGH)
Actively Exploited❌ No known exploitation
Patch StatusSee Vendor Advisory →
Reported ByCYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

#

Summary

Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the [sheetjs](https://git.sheetjs.com/sheetjs/sheetjs) function [sheet_to_html](https://git.sheetjs.com/sheetjs/sheetjs/src/commit/66cf8d2117d271f89e4f47b5fed35a3e1ea93f67/bits/79_html.js#L127) to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via [@html](https://svelte.dev/docs/svelte/@html) causing the payload to trigger.

Details

The function used to convert XLSX documents to HTML for preview does not perform any input validation or sanitisation for the generated HTML https://github.com/open-webui/open-webui/blob/a7271532f8a38da46785afcaa7e65f9a45e7d753/src/lib/components/common/FileItemModal.svelte#L120-L133 XLSX attac

🎯 Known Indicators of Compromise

{"type":"sha1","value":"66cf8d2117d271f89e4f47b5fed35a3e1ea93f67","confidence_score":0.9,"first_seen":"2026-05-08","source_count":1} {"type":"sha1","value":"a7271532f8a38da46785afcaa7e65f9a45e7d753","confidence_score":0.9,"first_seen":"2026-05-08","source_count":1} {"type":"url","value":"https://git.sheetjs.com/sheetjs/sheetjs)","confidence_score":0.82,"first_seen":"2026-05-08","source_count":1} {"type":"url","value":"https://git.sheetjs.com/sheetjs/sheetjs/src/commit/66cf8d2117d271f89e4f47b5fed35a3e1ea93f67/bits/79_","confidence_score":0.82,"first_seen":"2026-05-08","source_count":1} {"type":"url","value":"https://svelte.dev/docs/svelte/@html)","confidence_score":0.82,"first_seen":"2026-05-08","source_count":1} {"type":"url","value":"https://github.com/open-webui/open-webui/blob/a7271532f8a38da46785afcaa7e65f9a45e7d753/src/lib/compo","confidence_score":0.82,"first_seen":"2026-05-08","source_count":1} {"type":"domain","value":"git.sheetjs.com","confidence_score":0.75,"first_seen":"2026-05-08","source_count":1}

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-44549 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries
🛡️ Get Detection Pack → 🔌 Access via API →

🔗 Related Intelligence