CVE-2025-59902
Description
HTML injection vulnerability in NICE Chat. This vulnerability allows an attacker to inject and render arbitrary HTML content in email transcripts by modifying the 'firstName' and 'lastName' parameters during a chat session. The injected HTML is included in the body of the email sent by the system, which could enable phishing attacks, impersonation, or credential theft.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An HTML injection vulnerability in NICE Chat allows attackers to inject arbitrary HTML into email transcripts via the firstName and lastName parameters, enabling phishing or impersonation.
The NICE Chat system is vulnerable to HTML injection through the 'firstName' and 'lastName' parameters during a chat session. An attacker can modify these parameters to inject arbitrary HTML content, which is then included in the body of email transcripts sent by the system [1].
To exploit this vulnerability, an attacker needs only to craft malicious input for the name fields during a chat interaction. No authentication is required, and the attack can be launched remotely. The injected HTML renders in the email, allowing the attacker to embed phishing links or impersonation content [1].
Successful exploitation enables an attacker to conduct phishing attacks, impersonate legitimate entities, or steal credentials. The CVSS v4.0 base score is 7.1 (High), reflecting the potential for significant impact on confidentiality and integrity [1].
As of the publication date, no solution or patch is available. Users are advised to monitor updates from NICE and apply mitigations as soon as they are released [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
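The flaw described above is an output-encoding failure at the point where the name fields are placed into the HTML email body. The following is an added example, not NICE's code and not part of the CVE record: it shows that pattern beside an escaped version, plus a check that flags markup in the name fields. The transcript layout, function names and sample session are constructed assumptions.

```python
import html
import re

# Constructed sample session: name fields as a chat visitor could submit them.
SAMPLE_SESSION = {
    "firstName": 'Support <a href="https://example.invalid/login">Verify account</a>',
    "lastName": "<b>Team</b>",
    "messages": [("visitor", "Hello"), ("agent", "Hi, how can I help?")],
}

# Angle brackets or HTML entities have no place in a personal name.
MARKUP = re.compile(r"[<>]|&#?\w+;")


def render_transcript_unsafe(session):
    """Vulnerable pattern: user-supplied names are concatenated into HTML as-is."""
    name = f"{session['firstName']} {session['lastName']}"
    rows = "".join(f"<p><b>{who}:</b> {text}</p>" for who, text in session["messages"])
    return f"<html><body><h3>Chat transcript for {name}</h3>{rows}</body></html>"


def render_transcript_safe(session):
    """Hardened pattern: every user-controlled value is HTML-escaped on output."""
    def esc(value):
        return html.escape(str(value), quote=True)

    name = f"{esc(session['firstName'])} {esc(session['lastName'])}"
    rows = "".join(
        f"<p><b>{esc(who)}:</b> {esc(text)}</p>" for who, text in session["messages"]
    )
    return f"<html><body><h3>Chat transcript for {name}</h3>{rows}</body></html>"


def suspicious_name_fields(session):
    """Detection: list the name fields that carry markup characters or entities."""
    return [
        key for key in ("firstName", "lastName")
        if MARKUP.search(str(session.get(key, "")))
    ]


if __name__ == "__main__":
    print(render_transcript_unsafe(SAMPLE_SESSION))
    print(render_transcript_safe(SAMPLE_SESSION))
    print(suspicious_name_fields(SAMPLE_SESSION))
```

The same check can be run over stored chat session records to find transcripts that were already sent with markup in the name fields.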
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)