CVE-2025-58115
Description
ChatLuck contains a cross-site scripting vulnerability in Guest User Sign-up. If exploited, an arbitrary script may be executed on the web browser of the user who is accessing the product.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site scripting vulnerability in ChatLuck's Guest User Sign-up allows arbitrary script execution in the browser of an accessing user.
Vulnerability
CVE-2025-58115 is a cross-site scripting (XSS) vulnerability present in the Guest User Sign-up functionality of ChatLuck. The issue stems from insufficient sanitization of user input during the guest registration process, allowing an attacker to inject arbitrary scripts.
Exploitation
An unauthenticated attacker can exploit this flaw by crafting a malicious script and submitting it through the guest sign-up form. When a user (such as an administrator) views the list of registered guest users, the injected script executes in their browser. No prior authentication is required for the attacker, but the victim must be logged into ChatLuck and access the affected page.
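As an added illustration (not ChatLuck's own code, whose implementation is not on this page), the class of output-handling defect the paragraph describes and its fix, in a small JavaScript guest-list renderer; the field names and the sample guest records are constructed for this example.

```javascript
// Added example (not ChatLuck code): a minimal guest-list renderer showing the
// kind of defect described for CVE-2025-58115 and its fix. Field names and the
// guest records below are constructed for illustration.

// Escape the five characters that let text break out of an HTML text node or a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the display name submitted at sign-up is concatenated
// into markup unchanged, so whatever the guest typed is parsed as HTML when an
// administrator opens the guest list.
function renderGuestRowVulnerable(guest) {
  return `<tr><td>${guest.displayName}</td><td>${guest.email}</td></tr>`;
}

// Hardened pattern: every untrusted field is escaped at the point of output,
// regardless of whatever validation happened when the record was stored.
function renderGuestRowSafe(guest) {
  return `<tr><td>${escapeHtml(guest.displayName)}</td><td>${escapeHtml(guest.email)}</td></tr>`;
}

// Defensive check usable on stored records or at sign-up: does a field contain
// characters that need escaping? Good for logging and alerting on suspicious
// registrations, but never a substitute for escaping on output.
function containsMarkupCharacters(value) {
  return /[<>"'&]/.test(String(value));
}

// Renders a whole list with the supplied row renderer.
function renderGuestList(guests, renderRow) {
  return `<table>${guests.map(renderRow).join("")}</table>`;
}

// Constructed sample records: a benign guest and one whose name carries markup.
const sampleGuests = [
  { displayName: "Taro Yamada", email: "taro@example.com" },
  { displayName: "<script>alert(1)</script>", email: "guest@example.com" },
];

console.log(renderGuestList(sampleGuests, renderGuestRowVulnerable));
console.log(renderGuestList(sampleGuests, renderGuestRowSafe));
```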
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session, potentially leading to session hijacking, defacement, or theft of sensitive information. The CVSS v3 base score is 6.1 (Medium) due to the need for user interaction and the limited scope of impact.
Mitigation
The vulnerability affects ChatLuck versions V3.6 R1.0 through V6.6 R1.0. The vendor has released ChatLuck V6.6 R2.0 which addresses this issue. Users are strongly advised to upgrade to the latest version [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.