VYPR

Chatwoot

by Chatwoot

CVEs (19)

  • CVE-2026-44706 · High · May 26, 2026
    risk 0.48 · CVSS 8.5 · EPSS 0.00

    Chatwoot is a customer engagement suite. From 2.2.0 to before 4.11.2, a SQL injection vulnerability exists in the conversation and contact filter APIs. When filtering by a custom attribute of type date or number using the is_greater_than or is_less_than operators, user-supplied…

  • CVE-2026-44707 · Medium · May 26, 2026
    risk 0.37 · CVSS 6.8 · EPSS 0.00

    Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover (Pre-ATO) vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email…

  • CVE-2025-12246 · Medium · Oct 27, 2025
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A security flaw has been discovered in chatwoot up to 4.7.0. This issue affects some unknown processing of the file app/javascript/shared/components/IframeLoader.vue of the component Admin Interface. The manipulation of the argument Link results in cross site scripting. The…

  • CVE-2025-12245 · Oct 27, 2025
    risk 0.00 · CVSS · EPSS 0.00

    A vulnerability was identified in chatwoot up to 4.7.0. This vulnerability affects the function initPostMessageCommunication of the file app/javascript/sdk/IFrameHelper.js of the component Widget. The manipulation of the argument baseUrl leads to origin validation error. Remote…

  • CVE-2024-0640 · Medium · Mar 20, 2025
    risk 0.00 · CVSS 4.8 · EPSS 0.00

    A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. This vulnerability allows an admin user to inject malicious JavaScript code via the dashboard app settings, which can then be executed by another admin user when they access…

  • CVE-2025-21628 · Critical · Jan 9, 2025
    risk 0.00 · CVSS 9.1 · EPSS 0.01

    Chatwoot is a customer engagement suite. Prior to 3.16.0, conversation and contact filters endpoints did not sanitize the input of query_operator passed from the frontend or the API. This provided any actor who is authenticated, an attack vector to run arbitrary SQL within the…

  • CVE-2021-3742 · High · Nov 15, 2024
    risk 0.00 · CVSS 8.8 · EPSS 0.00

    A Server-Side Request Forgery (SSRF) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.5.0. The vulnerability allows an attacker to upload an SVG file containing a malicious SSRF payload. When the SVG file is used as an avatar and opened in a…

  • CVE-2021-3741 · Medium · Nov 15, 2024
    risk 0.00 · CVSS 5.4 · EPSS 0.00

    A stored cross-site scripting (XSS) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. The vulnerability occurs when a user uploads an SVG file containing a malicious XSS payload in the profile settings. When the avatar is opened in a new…

  • CVE-2021-3740 · Medium · Nov 15, 2024
    risk 0.00 · CVSS 6.8 · EPSS 0.00

    A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker…

  • CVE-2023-2109 · Medium · Apr 17, 2023
    risk 0.00 · CVSS 6.1 · EPSS 0.00

    Cross-site Scripting (XSS) - DOM in GitHub repository chatwoot/chatwoot prior to 2.14.0.

  • CVE-2022-3741 · Critical · Oct 28, 2022
    risk 0.00 · CVSS 9.8 · EPSS 0.01

    Impact varies for each individual vulnerability in the application. For generation of accounts, it may be possible, depending on the amount of system resources available, to create a DoS event in the server. These accounts still need to be activated; however, it is possible to…

  • CVE-2022-2901 · High · Sep 6, 2022
    risk 0.00 · CVSS 7.1 · EPSS 0.00

    Improper Authorization in GitHub repository chatwoot/chatwoot prior to 2.8.

  • CVE-2022-0542 · Medium · Aug 19, 2022
    risk 0.00 · CVSS 6.1 · EPSS 0.01

    Cross-site Scripting (XSS) - DOM in GitHub repository chatwoot/chatwoot prior to 2.7.0.

  • CVE-2022-1021 · Medium · Aug 19, 2022
    risk 0.00 · CVSS 5.4 · EPSS 0.01

    Insecure Storage of Sensitive Information in GitHub repository chatwoot/chatwoot prior to 2.6.0.

  • CVE-2022-1022 · Medium · Apr 21, 2022
    risk 0.00 · CVSS 5.4 · EPSS 0.05

    Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.5.0.

  • CVE-2021-3813 · Medium · Feb 9, 2022
    risk 0.00 · CVSS 6.5 · EPSS 0.01

    Improper Privilege Management in GitHub repository chatwoot/chatwoot prior to v2.2.

  • CVE-2022-0527 · Medium · Feb 9, 2022
    risk 0.00 · CVSS 6.1 · EPSS 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.2.0.

  • CVE-2022-0526 · Medium · Feb 9, 2022
    risk 0.00 · CVSS 6.1 · EPSS 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.2.0.

  • CVE-2021-3649 · High · Jul 16, 2021
    risk 0.00 · CVSS 7.5 · EPSS 0.01

    chatwoot is vulnerable to Inefficient Regular Expression Complexity.