CVE-2026-24399

9.3 CRITICAL

📋 TL;DR

This vulnerability allows attackers to inject malicious HTML/JavaScript payloads into ChatterMate chatbot inputs, which are then executed in users' browsers. This enables theft of sensitive client-side data like localStorage tokens and cookies. Users of ChatterMate versions 1.0.8 and below are affected.

💻 Affected Systems

Products:
  • ChatterMate
Versions: 1.0.8 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using vulnerable versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of user sessions, theft of authentication tokens and sensitive data stored in browser storage, potential account takeover, and lateral movement within the application.

🟠 Likely Case

Session hijacking, theft of user-specific data from localStorage and cookies, potential credential theft if sensitive information is stored client-side.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, though some client-side data exposure may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The advisory includes specific payload examples (<iframe> with javascript: URI), making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.9

Vendor Advisory: https://github.com/chattermate/chattermate.chat/security/advisories/GHSA-72p3-w95w-q3j4

Restart Required: Yes

Instructions:

1. Download version 1.0.9 from the official repository.
2. Replace the existing ChatterMate installation with the patched version.
3. Restart the ChatterMate service.
4. Verify the fix by testing with known malicious payloads.

🔧 Temporary Workarounds

Input Sanitization (all)

Implement server-side input validation to strip or escape HTML/JavaScript content from chat inputs.

Content Security Policy (all)

Implement strict CSP headers to prevent execution of inline scripts and restrict iframe sources.
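The two workarounds above in working form, as an added example that is not ChatterMate's code and not from the advisory. It assumes chat messages are rendered into an HTML string by the application (the `renderMessage` helper, the `isSafeUrl` allow-list and the CSP directive set are assumptions chosen for illustration); the payload used to check the escaping is the `<iframe>` / `javascript:` shape the advisory describes.

```javascript
// Added example (not ChatterMate code): output encoding for chat text plus a
// strict Content-Security-Policy that blocks inline script and frames.

// Escape the five characters that let text break out of an HTML text node or
// attribute value. A chat message passed through this function is displayed
// literally, so an <iframe> or <script> typed by a user is never parsed as HTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// If the chat UI deliberately renders links, accept only an allow-list of
// schemes. Control characters (tab, newline, ...) are stripped before the
// check, because browsers ignore them inside a scheme and "java\tscript:"
// would otherwise pass a naive prefix test. (Assumed helper, not project code.)
function isSafeUrl(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  return /^(https?:|mailto:)/.test(cleaned);
}

// Assumed rendering helper: the message body is always escaped before it is
// placed in markup, regardless of what validation happened earlier.
function renderMessage(message) {
  return `<div class="chat-msg">${escapeHtml(message)}</div>`;
}

// A CSP for the chat front end. Without 'unsafe-inline' in script-src the
// browser refuses inline <script> blocks and javascript: URIs, and
// frame-src 'none' rejects any injected <iframe>. Directive choices are
// illustrative; tighten or loosen them to match what the real UI needs.
function buildCsp() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "frame-src 'none'",
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Stand-alone demonstration with a constructed payload of the shape the
// advisory describes.
const samplePayload = '<iframe src="javascript:alert(1)"></iframe>';
console.log(renderMessage(samplePayload));
console.log('Content-Security-Policy: ' + buildCsp());
```

Send the header from whatever serves the chat widget (for Express, `res.setHeader('Content-Security-Policy', buildCsp())`), and keep the escaping in the rendering path rather than only at input time so that messages already stored before the patch are also neutralised on display.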

🧯 If You Can't Patch

  • Implement WAF rules to block requests containing malicious HTML/JavaScript patterns in chat inputs.
  • Disable or restrict chatbot functionality until patching is possible.

🔍 How to Verify

Check if Vulnerable:

Test by submitting an <iframe> payload with a javascript: URI as chat input and checking whether it executes in the browser.

Check Version:

Check package.json or the application metadata for the version number, or run: npm list chattermate (if installed via npm)

Verify Fix Applied:

After patching, test with the same malicious payload to confirm it's properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual chat input patterns containing HTML tags, iframe elements, or javascript: URIs
  • Increased error logs from input validation failures

Network Indicators:

  • HTTP requests with chat payloads containing suspicious HTML/JavaScript content

SIEM Query:

source="chat_logs" AND (message="*<iframe*" OR message="*javascript:*")
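The log indicators and the SIEM query above, applied to chat log lines in code. This is an added example, not part of the advisory or of ChatterMate; the JSON-lines log format and the sample records are constructed. Unlike the plain wildcard query it decodes URL-encoding and HTML entities and strips control characters first, so encoded or tab-split variants of `<iframe` and `javascript:` are still matched.

```javascript
// Added example (not ChatterMate code): scan chat log lines for the
// indicators listed in the advisory. Log format below is constructed.

const INDICATORS = [
  ['iframe tag', /<iframe/],
  ['javascript: URI', /javascript:/],
  ['script tag', /<script/],
  ['event handler attribute', /\bon[a-z]+\s*=/],
];

// Bring a message into a canonical form before matching: undo %XX encoding,
// decode numeric and the common named HTML entities, remove control
// characters (which browsers ignore inside a URI scheme) and lowercase.
function normalize(text) {
  let t = String(text);
  try { t = decodeURIComponent(t); } catch (_) { /* malformed %-sequence: keep raw */ }
  t = t
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/&lt;/gi, '<')
    .replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"');
  return t.replace(/[\u0000-\u001f\u007f]/g, '').toLowerCase();
}

// Each line is one JSON record {ts, user, message}; unparsable lines are
// skipped. Returns one hit per record that matches at least one indicator.
function scanChatLog(lines) {
  const hits = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch (_) { continue; }
    const norm = normalize(rec.message || '');
    const reasons = INDICATORS.filter(([, re]) => re.test(norm)).map(([name]) => name);
    if (reasons.length) hits.push({ ts: rec.ts, user: rec.user, reasons });
  }
  return hits;
}

// Constructed sample log: one benign message, a plain payload, a
// URL-encoded payload with a tab inside the scheme, and an event-handler
// variant that the SIEM query above would not catch.
const SAMPLE_LOG = [
  '{"ts":"2026-01-10T10:00:01Z","user":"u1","message":"How do I reset my password?"}',
  '{"ts":"2026-01-10T10:00:05Z","user":"u2","message":"<iframe src=\\"javascript:alert(1)\\"></iframe>"}',
  '{"ts":"2026-01-10T10:00:09Z","user":"u3","message":"%3Ciframe%20src%3D%22java%09script:alert(1)%22%3E"}',
  '{"ts":"2026-01-10T10:00:12Z","user":"u4","message":"<img src=x onerror=alert(1)>"}',
  'not json at all',
];

for (const hit of scanChatLog(SAMPLE_LOG)) {
  console.log(`${hit.ts} user=${hit.user} indicators=${hit.reasons.join(', ')}`);
}
```

Treat a hit as a triage signal rather than proof of an attack: a user asking the bot about "javascript:" will also match. The useful follow-up is to correlate the flagged user and timestamp with the application's own input-validation error logs, which the advisory lists as a second indicator.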
