VYPR
Unrated severityOSV Advisory· Published Jan 24, 2026· Updated Jan 26, 2026

ChatterMate has Stored Cross-Site Scripting (XSS) via Chatbot Input Execution

CVE-2026-24399

Description

ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an payload containing a javascript: URI can be processed and executed in the browser context. This allows access to sensitive client-side data such as localStorage tokens and cookies, resulting in client-side injection. This issue has been fixed in version 1.0.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • v1.0.0, v1.0.1, v1.0.2, …+ 1 more
    • (no CPE)range: v1.0.0, v1.0.1, v1.0.2, …
    • (no CPE)range: <=1.0.8

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.