Platform
javascript
Component
chattermate.chat
Fixed in
1.0.10
CVE-2026-24399 describes a critical Cross-Site Scripting (XSS) vulnerability affecting ChatterMate, a no-code AI chatbot agent framework. This vulnerability allows attackers to inject and execute malicious HTML/JavaScript payloads within the chatbot's interface, potentially leading to client-side data theft. Versions 1.0.8 and earlier are affected, and a fix is available in version 1.0.9.
The primary impact of this XSS vulnerability lies in the potential for client-side data theft. An attacker can craft a malicious <iframe> payload containing a javascript: URI and inject it into the chatbot's input field. When processed, this payload executes within the user's browser context, granting the attacker access to sensitive information stored in the browser's local storage, including authentication tokens and cookies. This could allow an attacker to impersonate the user, access their data, or perform actions on their behalf. The ease of injection, combined with the potential for significant data compromise, makes this a high-impact vulnerability.
This vulnerability was publicly disclosed on 2026-01-24. No public proof-of-concept (PoC) code has been released at the time of writing, but the simplicity of the attack vector suggests that a PoC is likely to emerge. The vulnerability's CRITICAL CVSS score indicates a high probability of exploitation if left unpatched. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.01% (2% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-24399 is to immediately upgrade ChatterMate to version 1.0.9 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the chatbot's input fields to prevent the injection of malicious HTML/JavaScript. While not a complete solution, a Web Application Firewall (WAF) configured to block suspicious javascript: URIs can provide an additional layer of defense. Regularly review chatbot input logs for unusual patterns or attempts at code injection.
Update ChatterMate to version 1.0.9 or higher. This version fixes the stored XSS vulnerability that allows malicious code execution in the user's browser context. The update will prevent unauthorized access to sensitive data such as tokens and cookies.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-24399 is a critical Cross-Site Scripting (XSS) vulnerability in ChatterMate versions 1.0.8 and below, allowing attackers to inject malicious code via chat input.
Yes, if you are using ChatterMate version 1.0.8 or earlier, you are affected by this vulnerability.
Upgrade ChatterMate to version 1.0.9 or later to resolve this vulnerability. Consider input validation as a temporary workaround.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of future attacks.
Refer to the ChatterMate official website or security advisory channels for the latest information and updates regarding CVE-2026-24399.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.