Vulnerability Description
ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an <iframe> payload containing a javascript: URI can be processed and executed in the browser context. This allows access to sensitive client-side data such as localStorage tokens and cookies, resulting in client-side injection. This issue has been fixed in version 1.0.9.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Chattermate | Chattermate | < 1.0.9 |
Related Weaknesses (CWE)
References
- https://github.com/chattermate/chattermate.chat/commit/ff3398031abb97ae28546eaf9Patch
- https://github.com/chattermate/chattermate.chat/releases/tag/v1.0.9ProductRelease Notes
- https://github.com/chattermate/chattermate.chat/security/advisories/GHSA-72p3-w9ExploitVendor Advisory
FAQ
What is CVE-2026-24399?
CVE-2026-24399 is a vulnerability with a CVSS score of 9.3 (CRITICAL). ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an <ifr...
How severe is CVE-2026-24399?
CVE-2026-24399 has been rated CRITICAL with a CVSS base score of 9.3/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-24399?
Check the references section above for vendor advisories and patch information. Affected products include: Chattermate Chattermate.