1.0.1
CVE-2026-4995 is a cross-site scripting (XSS) vulnerability in wandb OpenUI, affecting version 1.0. It resides in the file frontend/public/annotator/index.html and allows remote attackers to inject malicious scripts. The vulnerability has been publicly disclosed, raising concerns about exploitation and data compromise. A fix is expected from the vendor.
Successful exploitation of CVE-2026-4995 lets an attacker inject arbitrary JavaScript into the wandb OpenUI interface. Possible outcomes include session hijacking, credential theft, and defacement of the user interface. Attackers could steal sensitive data displayed in wandb OpenUI or redirect users to phishing sites. The impact is amplified where wandb OpenUI is integrated with other critical systems, since the attacker could use the vulnerability to reach them.
The vulnerability has been publicly disclosed, which increases the likelihood of exploitation, and the lack of a vendor response raises concerns about how soon a patch will arrive. No active exploitation campaigns have been publicly reported, but the availability of the details makes it a potential target for opportunistic attackers. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the potential impact warrants attention.
Exploit Status
- EPSS: 0.03% (8th percentile)
- CISA SSVC: not listed
- CVSS Vector: not listed
The primary mitigation for CVE-2026-4995 is to upgrade to a patched version of wandb OpenUI as soon as one is available. Until a patch is released, apply input validation and output encoding in frontend/public/annotator/index.html so that user-supplied data is sanitized before it is rendered. A web application firewall (WAF) configured to detect and block XSS payloads adds a further layer of defense. Regularly review and update security policies and procedures to address XSS vulnerabilities.
Update the wandb library to a version later than 1.0. This resolves the cross-site scripting (XSS) vulnerability in the Window Message Event Handler component.
CVE-2026-4995 is a cross-site scripting (XSS) vulnerability affecting wandb OpenUI version 1.0 that allows attackers to inject malicious scripts into the interface.
If you are running wandb OpenUI version 1.0, you are potentially affected. Upgrade to a patched version as soon as one is available.
The recommended fix is to upgrade to a patched version of wandb OpenUI. Until a patch is released, implement input validation and output encoding.
No active exploitation campaigns have been publicly reported, but the vulnerability has been disclosed, which increases the risk of exploitation.
Refer to the wandb security advisories page for updates and official announcements regarding CVE-2026-4995.