CVE-2026-4995

LOW

wandb OpenUI Window Message Event index.html cross site scripting

Title source: cna

Description

A vulnerability was determined in wandb OpenUI up to 1.0. Affected by this vulnerability is an unknown functionality of the file frontend/public/annotator/index.html of the component Window Message Event Handler. This manipulation causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Vdb Entry vdb-entry

VDB-353882 | wandb OpenUI Window Message Event index.html cross site scripting

https://vuldb.com/?id.353882

Signature, Permissions Required signature permissions-required

VDB-353882 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.353882

Third Party Advisory third-party-advisory

Submit #778267 | Weights and Biases OpenUI <= 1.0 (commit f9d8f0e) Cross-Site Scripting (CWE-79)

https://vuldb.com/?submit.778267

Exploit exploit

https://gist.github.com/YLChen-007/899f210b2d78e163d13561bb7f49b4da

Scores

CVSS v3 3.5

EPSS 0.0019

EPSS Percentile 8.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79 CWE-94

Status published

Products (1)

wandb/OpenUI 1.0

Published Mar 28, 2026

Tracked Since Mar 29, 2026