Vulnerability Description
Cross-site Scripting (XSS) stored vulnerability in Tawk Live Chat. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by uploading a malicious PDF with JavaScript payload through the chatbot. The PDF is stored by the application and subsequently displayed without proper sanitisation when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2025-8349?
CVE-2025-8349 is a documented vulnerability. Cross-site Scripting (XSS) stored vulnerability in Tawk Live Chat. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by uploading a malicious PDF with JavaScript...
How severe is CVE-2025-8349?
CVSS scoring is not yet available for CVE-2025-8349. Check NVD for updates.
Is there a patch for CVE-2025-8349?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.