CVE-2026-4995
Remote XSS in wandb OpenUI Window Message Handler

Publication date: 2026-03-28

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in wandb OpenUI up to 1.0. Affected by this vulnerability is an unknown functionality of the file frontend/public/annotator/index.html of the component Window Message Event Handler. This manipulation causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-03-28
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-03-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: wandb
Product: openui
Version / Range: to 1.0 (inc)
CWE IDs and descriptions
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4995 is a critical stored Cross-Site Scripting (XSS) and arbitrary code execution vulnerability in the OpenUI project (wandb/openui). It occurs because the frontend annotator iframe (frontend/public/annotator/index.html) renders Large Language Model (LLM) generated HTML and JavaScript responses without any sanitization.

Specifically, the iframe directly sets its innerHTML from untrusted LLM data and dynamically injects script elements from this data, allowing arbitrary JavaScript execution. Additionally, the iframe's sandbox configuration and lack of origin validation in the message event listener enable scripts inside the iframe to access the parent frame’s DOM, cookies, and session storage.

This means an attacker controlling or compromising the LLM backend can inject malicious scripts that execute in the victim’s browser with full access to sensitive data and session information.


How can this vulnerability impact me?

This vulnerability can have severe impacts including:

  • Session Hijacking: Attackers can steal session cookies and hijack user accounts.
  • Data Exfiltration: Full access to parent frame's localStorage and sessionStorage exposes sensitive data such as API keys and conversation history.
  • Phishing: Malicious scripts can replace iframe content with fake login forms to harvest user credentials.
  • Persistent Compromise: Malicious scripts are stored in generated UIs and re-executed on subsequent visits, maintaining long-term access.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unsanitized injection of HTML and JavaScript into a sandboxed iframe via postMessage without origin validation, leading to cross-site scripting and arbitrary code execution.

To detect exploitation attempts or presence of this vulnerability on your system or network, you can monitor for suspicious postMessage events or injected scripts targeting the frontend annotator iframe (frontend/public/annotator/index.html).

Suggested commands include inspecting network traffic for unusual SSE (Server-Sent Events) responses containing unexpected HTML or JavaScript payloads, and checking browser console logs for script injection or errors related to the annotator iframe.

  • Use browser developer tools to monitor postMessage events and inspect iframe content for injected scripts.
  • Capture network traffic with tools like tcpdump or Wireshark filtering for SSE streams or suspicious HTTP responses from the LLM backend.
  • Run commands such as: 1) curl or wget to fetch LLM responses and grep for suspicious <script> tags or HTML injection patterns; 2) grep source code for usage of 'wrapper.innerHTML' or dynamic script creation without sanitization.
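The source-code check from the last bullet, as an added example that is not part of the original page or of the OpenUI project. It is a heuristic audit: the rule names, the 15-line look-ahead window and the sample snippet are assumptions constructed for illustration.

```javascript
// Added example: heuristic source audit for the sinks named above.
// Rule ids and the sample snippet are constructed, not taken from OpenUI.
const LINE_RULES = [
  { id: "innerHTML-assignment", re: /\.innerHTML\s*\+?=(?!=)/ },
  { id: "dynamic-script-element", re: /createElement\(\s*['"`]script['"`]\s*\)/ },
  { id: "sandbox-allow-same-origin", re: /sandbox\s*=\s*["'][^"']*\ballow-same-origin\b/ },
];
const MESSAGE_LISTENER = /addEventListener\(\s*['"`]message['"`]/;

function auditSource(source) {
  const findings = [];
  const lines = source.split(/\r?\n/);
  lines.forEach((text, i) => {
    for (const rule of LINE_RULES) {
      if (rule.re.test(text)) findings.push({ rule: rule.id, line: i + 1 });
    }
    if (MESSAGE_LISTENER.test(text)) {
      // Heuristic: a handler that never reads `.origin` in its first
      // 15 lines is reported as lacking origin validation.
      const body = lines.slice(i, i + 15).join("\n");
      if (!/\.origin\b/.test(body)) {
        findings.push({ rule: "message-listener-no-origin-check", line: i + 1 });
      }
    }
  });
  return findings;
}

// Constructed sample showing the patterns the description lists.
const SAMPLE = [
  '<iframe sandbox="allow-scripts allow-same-origin"></iframe>',
  "<script>",
  'window.addEventListener("message", (event) => {',
  "  wrapper.innerHTML = event.data.html;",
  '  const s = document.createElement("script");',
  "  s.textContent = event.data.js;",
  "  document.body.appendChild(s);",
  "});",
  "</script>",
].join("\n");
```

Findings are leads for manual review, not proof: a sanitized value assigned to innerHTML is still reported, and an origin check placed in a helper function is not seen.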

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include preventing unsanitized HTML and script injection into the annotator iframe and restricting message event origins.

  • Implement strict origin validation in the message event listener to accept messages only from trusted origins.
  • Sanitize all HTML content before injecting it into the DOM, for example by using libraries like DOMPurify or applying allowlist filtering.
  • Avoid dynamically creating and appending script elements from untrusted sources.
  • Reconfigure the iframe sandbox attributes to remove 'allow-same-origin' if possible, to limit script access to the parent frame.
  • If feasible, update or patch the OpenUI component to a version that addresses this vulnerability once available.

Until a patch is available, consider disabling or restricting usage of the vulnerable annotator iframe functionality to reduce risk.
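The first three mitigation steps combined in one handler, as an added example that is not code from the original page or from OpenUI. The message shape `{ type: "render", html }`, the origin `https://openui.example` and every function name are assumptions; `escapeHtml` is an offline stand-in for a real sanitizer such as DOMPurify.

```javascript
// Added example: hardened "message" handler for a rendering iframe.
// The message shape { type: "render", html } and all names are assumptions.
function createMessageHandler({ trustedOrigins, expectedSource, sanitize, render }) {
  const allowed = new Set(trustedOrigins);
  return function onMessage(event) {
    // 1. Exact-match origin allowlist (no "*", no substring or prefix tests).
    if (!allowed.has(event.origin)) return { ok: false, reason: "untrusted-origin" };
    // 2. Only the expected window (e.g. window.parent) may drive the renderer.
    if (event.source !== expectedSource) return { ok: false, reason: "unexpected-source" };
    // 3. Reject anything that is not the one message shape we render.
    const data = event.data;
    if (!data || data.type !== "render" || typeof data.html !== "string")
      return { ok: false, reason: "bad-shape" };
    // 4. Sanitize before the markup reaches the DOM sink; never build
    //    <script> elements from message data.
    const clean = sanitize(data.html);
    render(clean);
    return { ok: true, html: clean };
  };
}

// Offline stand-in sanitizer: escapes everything, so markup renders as text.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESCAPES[c]);

// Browser wiring (assumed origin; `wrapper` is the element the page mentions):
//   window.addEventListener("message", createMessageHandler({
//     trustedOrigins: ["https://openui.example"],
//     expectedSource: window.parent,
//     sanitize: (html) => DOMPurify.sanitize(html),
//     render: (html) => { wrapper.innerHTML = html; },
//   }));

// Constructed events exercising each branch.
function demo() {
  const parent = {};            // stands in for window.parent
  const rendered = [];
  const handler = createMessageHandler({
    trustedOrigins: ["https://openui.example"], expectedSource: parent,
    sanitize: escapeHtml, render: (html) => rendered.push(html),
  });
  const msg = { type: "render", html: "<b onclick=x>hi</b>" };
  return {
    foreign: handler({ origin: "https://openui.example.evil.test", source: parent, data: msg }),
    wrongSource: handler({ origin: "https://openui.example", source: {}, data: msg }),
    accepted: handler({ origin: "https://openui.example", source: parent, data: msg }),
    rendered,
  };
}
```

If 'allow-same-origin' is removed from the sandbox as the fourth step suggests, the frame gets an opaque origin, and any messages it sends to the parent arrive with `event.origin` equal to the string "null"; the parent-side listener then has to rely on the `event.source` comparison.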


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability enables attackers to execute arbitrary JavaScript in the victim's browser, leading to session hijacking, data exfiltration including access to localStorage and sessionStorage, and potential credential theft through phishing. Such unauthorized access and data compromise can result in violations of data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information.

Specifically, the exposure of sensitive user data and session information due to cross-site scripting can lead to non-compliance with requirements for data confidentiality, integrity, and user consent under these standards.

