VYPR
Vendor · Open source

Chatwoot

Products: 1
CVEs: 19 (across products: 19)
Status: Open source


Recent CVEs (19)
  • CVE-2026-44706 · High · May 26, 2026
    risk 0.48 · cvss 8.5 · epss 0.00

    Chatwoot is a customer engagement suite. From 2.2.0 to before 4.11.2, a SQL injection vulnerability exists in the conversation and contact filter APIs. When filtering by a custom attribute of type date or number using the is_greater_than or is_less_than operators, user-supplied…

  • CVE-2026-44707 · Medium · May 26, 2026
    risk 0.37 · cvss 6.8 · epss 0.00

    Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover (Pre-ATO) vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email…

  • CVE-2025-12246 · Medium · Oct 27, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    A security flaw has been discovered in chatwoot up to 4.7.0. This issue affects some unknown processing of the file app/javascript/shared/components/IframeLoader.vue of the component Admin Interface. The manipulation of the argument Link results in cross-site scripting. The…

  • CVE-2025-12245 · Oct 27, 2025
    risk 0.00 · epss 0.00

    A vulnerability was identified in chatwoot up to 4.7.0. This vulnerability affects the function initPostMessageCommunication of the file app/javascript/sdk/IFrameHelper.js of the component Widget. The manipulation of the argument baseUrl leads to origin validation error. Remote…

  • CVE-2024-0640 · Mar 20, 2025
    risk 0.00 · epss 0.00

    A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. This vulnerability allows an admin user to inject malicious JavaScript code via the dashboard app settings, which can then be executed by another admin user when they access…

  • CVE-2025-21628 · Jan 9, 2025
    risk 0.00 · epss 0.01

    Chatwoot is a customer engagement suite. Prior to 3.16.0, the conversation and contact filter endpoints did not sanitize the query_operator input passed from the frontend or the API. This gave any authenticated actor an attack vector to run arbitrary SQL within the…

  • CVE-2021-3740 · Nov 15, 2024
    risk 0.00 · epss 0.00

    A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker…

  • CVE-2021-3742 · Nov 15, 2024
    risk 0.00 · epss 0.00

    A Server-Side Request Forgery (SSRF) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.5.0. The vulnerability allows an attacker to upload an SVG file containing a malicious SSRF payload. When the SVG file is used as an avatar and opened in a…

  • CVE-2021-3741 · Nov 15, 2024
    risk 0.00 · epss 0.00

    A stored cross-site scripting (XSS) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. The vulnerability occurs when a user uploads an SVG file containing a malicious XSS payload in the profile settings. When the avatar is opened in a new…

  • CVE-2023-2109 · Apr 17, 2023
    risk 0.00 · epss 0.00

    Cross-site Scripting (XSS) - DOM in GitHub repository chatwoot/chatwoot prior to 2.14.0.

  • CVE-2022-3741 · Oct 28, 2022
    risk 0.00 · epss 0.01

    Impact varies for each individual vulnerability in the application. For generation of accounts, it may be possible, depending on the amount of system resources available, to create a DoS event in the server. These accounts still need to be activated; however, it is possible to…

  • CVE-2022-2901 · Sep 6, 2022
    risk 0.00 · epss 0.00

    Improper Authorization in GitHub repository chatwoot/chatwoot prior to 2.8.

  • CVE-2022-0542 · Aug 19, 2022
    risk 0.00 · epss 0.01

    Cross-site Scripting (XSS) - DOM in GitHub repository chatwoot/chatwoot prior to 2.7.0.

  • CVE-2022-1021 · Aug 19, 2022
    risk 0.00 · epss 0.01

    Insecure Storage of Sensitive Information in GitHub repository chatwoot/chatwoot prior to 2.6.0.

  • CVE-2022-1022 · Apr 21, 2022
    risk 0.00 · epss 0.05

    Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.5.0.

  • CVE-2021-3813 · Feb 9, 2022
    risk 0.00 · epss 0.01

    Improper Privilege Management in GitHub repository chatwoot/chatwoot prior to v2.2.

  • CVE-2022-0527 · Feb 9, 2022
    risk 0.00 · epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.2.0.

  • CVE-2022-0526 · Feb 9, 2022
    risk 0.00 · epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.2.0.

  • CVE-2021-3649 · Jul 16, 2021
    risk 0.00 · epss 0.01

    chatwoot is vulnerable to Inefficient Regular Expression Complexity.