Chatwoot
Recent CVEs (19)

| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44706 | High | 0.48 | 8.5 | 0.00 | — | May 26, 2026 | Chatwoot is a customer engagement suite. From 2.2.0 to before 4.11.2, a SQL injection vulnerability exists in the conversation and contact filter APIs. When filtering by a custom attribute of type date or number using the is_greater_than or is_less_than operators, user-supplied… |
| CVE-2026-44707 | Med | 0.37 | 6.8 | 0.00 | — | May 26, 2026 | Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover (Pre-ATO) vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email… |
| CVE-2025-12246 | Med | 0.28 | 4.3 | 0.00 | — | Oct 27, 2025 | A security flaw has been discovered in chatwoot up to 4.7.0. This issue affects some unknown processing of the file app/javascript/shared/components/IframeLoader.vue of the component Admin Interface. The manipulation of the argument Link results in cross site scripting. The… |
| CVE-2025-12245 | — | 0.00 | — | 0.00 | — | Oct 27, 2025 | A vulnerability was identified in chatwoot up to 4.7.0. This vulnerability affects the function initPostMessageCommunication of the file app/javascript/sdk/IFrameHelper.js of the component Widget. The manipulation of the argument baseUrl leads to origin validation error. Remote… |
| CVE-2024-0640 | — | 0.00 | — | 0.00 | — | Mar 20, 2025 | A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. This vulnerability allows an admin user to inject malicious JavaScript code via the dashboard app settings, which can then be executed by another admin user when they access… |
| CVE-2025-21628 | — | 0.00 | — | 0.01 | — | Jan 9, 2025 | Chatwoot is a customer engagement suite. Prior to 3.16.0, conversation and contact filters endpoints did not sanitize the input of query_operator passed from the frontend or the API. This provided any actor who is authenticated, an attack vector to run arbitrary SQL within the… |
| CVE-2021-3740 | — | 0.00 | — | 0.00 | — | Nov 15, 2024 | A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker… |
| CVE-2021-3742 | — | 0.00 | — | 0.00 | — | Nov 15, 2024 | A Server-Side Request Forgery (SSRF) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.5.0. The vulnerability allows an attacker to upload an SVG file containing a malicious SSRF payload. When the SVG file is used as an avatar and opened in a… |
| CVE-2021-3741 | — | 0.00 | — | 0.00 | — | Nov 15, 2024 | A stored cross-site scripting (XSS) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. The vulnerability occurs when a user uploads an SVG file containing a malicious XSS payload in the profile settings. When the avatar is opened in a new… |
| CVE-2023-2109 | — | 0.00 | — | 0.00 | — | Apr 17, 2023 | Cross-site Scripting (XSS) - DOM in GitHub repository chatwoot/chatwoot prior to 2.14.0. |
| CVE-2022-3741 | — | 0.00 | — | 0.01 | — | Oct 28, 2022 | Impact varies for each individual vulnerability in the application. For generation of accounts, it may be possible, depending on the amount of system resources available, to create a DoS event in the server. These accounts still need to be activated; however, it is possible to… |
| CVE-2022-2901 | — | 0.00 | — | 0.00 | — | Sep 6, 2022 | Improper Authorization in GitHub repository chatwoot/chatwoot prior to 2.8. |
| CVE-2022-0542 | — | 0.00 | — | 0.01 | — | Aug 19, 2022 | Cross-site Scripting (XSS) - DOM in GitHub repository chatwoot/chatwoot prior to 2.7.0. |
| CVE-2022-1021 | — | 0.00 | — | 0.01 | — | Aug 19, 2022 | Insecure Storage of Sensitive Information in GitHub repository chatwoot/chatwoot prior to 2.6.0. |
| CVE-2022-1022 | — | 0.00 | — | 0.05 | — | Apr 21, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.5.0. |
| CVE-2021-3813 | — | 0.00 | — | 0.01 | — | Feb 9, 2022 | Improper Privilege Management in GitHub repository chatwoot/chatwoot prior to v2.2. |
| CVE-2022-0527 | — | 0.00 | — | 0.01 | — | Feb 9, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.2.0. |
| CVE-2022-0526 | — | 0.00 | — | 0.01 | — | Feb 9, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.2.0. |
| CVE-2021-3649 | — | 0.00 | — | 0.01 | — | Jul 16, 2021 | chatwoot is vulnerable to Inefficient Regular Expression Complexity |
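As an added triage aid (not part of the original listing, and not a Chatwoot or NVD tool): a Python helper that transcribes the affected ranges stated in the table above and reports which entries cover a given Chatwoot version. The range semantics are an assumption borrowed from OSV (`introduced` inclusive, `fixed` exclusive, `last_affected` inclusive); the two entries that state no version range on this page are listed separately for manual review.

```python
"""Triage helper: which CVEs in the table above cover a given Chatwoot version?

Added example, not part of the original listing. AFFECTED_RANGES is transcribed
by hand from the descriptions in the table; range semantics are an assumption
borrowed from OSV: `introduced` inclusive, `fixed` exclusive, `last_affected`
inclusive, None meaning unbounded on that side.
"""
import re

# (cve, introduced, fixed, last_affected), in table order.
#   "prior to X"          -> fixed = X
#   "from A to before B"  -> introduced = A, fixed = B
#   "up to X" / "A to B"  -> last_affected = X / introduced = A, last_affected = B
#   (those entries name no fixed version, so versions above the bound are assumed clean)
AFFECTED_RANGES = [
    ("CVE-2026-44706", "2.2.0", "4.11.2", None),
    ("CVE-2026-44707", "2.14.0", "4.13.0", None),
    ("CVE-2025-12246", None, None, "4.7.0"),
    ("CVE-2025-12245", None, None, "4.7.0"),
    ("CVE-2024-0640", "3.0.0", None, "3.5.1"),
    ("CVE-2025-21628", None, "3.16.0", None),
    ("CVE-2021-3740", None, "2.4.0", None),
    ("CVE-2021-3742", None, "2.5.0", None),
    ("CVE-2021-3741", None, "2.6", None),
    ("CVE-2023-2109", None, "2.14.0", None),
    ("CVE-2022-2901", None, "2.8", None),
    ("CVE-2022-0542", None, "2.7.0", None),
    ("CVE-2022-1021", None, "2.6.0", None),
    ("CVE-2022-1022", None, "2.5.0", None),
    ("CVE-2021-3813", None, "v2.2", None),
    ("CVE-2022-0527", None, "2.2.0", None),
    ("CVE-2022-0526", None, "2.2.0", None),
]
# Not modelled: these two state no version range in the table.
UNRANGED = ["CVE-2022-3741", "CVE-2021-3649"]


def parse_version(text):
    """'v4.7.0', '4.7', '4.7.0-rc1' -> (4, 7, 0); missing components are zero."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(nums + [0] * (3 - len(nums)))


def in_range(version, introduced, fixed, last_affected):
    """True if `version` falls inside the (introduced, fixed, last_affected) bounds."""
    v = parse_version(version)
    if introduced is not None and v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    if last_affected is not None and v > parse_version(last_affected):
        return False
    return True


def affecting(version):
    """CVE IDs from the table whose stated range covers `version`, in table order."""
    return [cve for cve, intro, fixed, last in AFFECTED_RANGES
            if in_range(version, intro, fixed, last)]


if __name__ == "__main__":
    for v in ("2.1.0", "3.2.0", "4.7.0", "4.13.0"):
        hits = affecting(v)
        print(f"{v}: {len(hits)} listed CVE(s)", ", ".join(hits))
    print("no range stated, check manually:", ", ".join(UNRANGED))
```

A version at or above 4.13.0 clears every ranged entry in the table, but the two unranged entries and any CVE not on this page still need a manual look before calling an instance clean.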
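Two of the entries above describe the same failure pattern in the conversation and contact filter APIs: CVE-2025-21628 (an unsanitised `query_operator` joining filter conditions) and CVE-2026-44706 (`is_greater_than` / `is_less_than` on date and number custom attributes). The following Python model is an added example, not Chatwoot's code: the contacts table, the attribute schema, and the `attribute_key` / `values` payload fields are constructed for illustration (only `query_operator`, `is_greater_than` and `is_less_than` come from the advisories). It puts a deliberately vulnerable query builder, which splices user input into SQL text, next to a hardened one that allow-lists operators and attribute names, coerces each value to the attribute's declared type, and binds it as a parameter.

```python
"""Model of the filter-API injection class behind CVE-2025-21628 (query_operator)
and CVE-2026-44706 (is_greater_than / is_less_than on number and date attributes).

Added example, not Chatwoot code. The contacts table, attribute schema and filter
payload shape are constructed for illustration; only the failure pattern (user
input spliced into SQL) and the fix (allow-lists, type checks, bound parameters)
are meant to carry over.
"""
import math
import sqlite3
from datetime import date

OPERATORS = {"equal_to": "=", "not_equal_to": "!=",
             "is_greater_than": ">", "is_less_than": "<"}
QUERY_OPERATORS = {"AND", "OR"}
# Constructed custom-attribute schema: key -> declared type.
ATTRIBUTES = {"signup_count": "number", "last_seen": "date"}


def _db():
    """In-memory sample table (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE contacts(id INTEGER, name TEXT, signup_count INTEGER, last_seen TEXT)")
    con.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", [
        (1, "alice", 2, "2025-01-10"),
        (2, "bob", 7, "2025-03-01"),
        (3, "carol", 12, "2025-06-15"),
    ])
    return con


def vulnerable_sql(filters):
    """Operator, value and the joining query_operator all land in the SQL text."""
    parts = []
    for i, f in enumerate(filters):
        op = OPERATORS.get(f["filter_operator"], f["filter_operator"])  # unknown ops pass through
        parts.append(f"{f['attribute_key']} {op} {f['values'][0]}")
        if i < len(filters) - 1:
            parts.append(f.get("query_operator", "AND"))
    return "SELECT id FROM contacts WHERE " + " ".join(parts) + " ORDER BY id", ()


def _coerce(attr_type, raw):
    """Reject anything that is not a value of the attribute's declared type."""
    if attr_type == "number":
        value = float(raw)                      # raises ValueError on '0 OR 1=1'
        if not math.isfinite(value):
            raise ValueError(f"non-finite number: {raw!r}")
        return value
    if attr_type == "date":
        return date.fromisoformat(raw).isoformat()   # normalised ISO text, comparable as stored
    raise ValueError(f"unsupported attribute type: {attr_type}")


def hardened_sql(filters):
    """Every identifier comes from an allow-list; every value is a bound parameter."""
    parts, params = [], []
    for i, f in enumerate(filters):
        key, op_name = f["attribute_key"], f["filter_operator"]
        if key not in ATTRIBUTES:
            raise ValueError(f"unknown attribute: {key!r}")
        if op_name not in OPERATORS:
            raise ValueError(f"unknown operator: {op_name!r}")
        parts.append(f"{key} {OPERATORS[op_name]} ?")
        params.append(_coerce(ATTRIBUTES[key], f["values"][0]))
        if i < len(filters) - 1:
            qop = str(f.get("query_operator", "AND")).upper()
            if qop not in QUERY_OPERATORS:
                raise ValueError(f"unknown query_operator: {qop!r}")
            parts.append(qop)
    return "SELECT id FROM contacts WHERE " + " ".join(parts) + " ORDER BY id", tuple(params)


def run(builder, filters):
    """Build the query with `builder` and return the matching contact ids."""
    sql, params = builder(filters)
    with _db() as con:
        return [row[0] for row in con.execute(sql, params)]


def rejects(builder, filters):
    """True if the builder refuses the payload before any SQL is run."""
    try:
        builder(filters)
    except ValueError:
        return True
    return False


BENIGN = [{"attribute_key": "signup_count", "filter_operator": "is_greater_than", "values": ["5"]}]
DATE_FILTER = [{"attribute_key": "last_seen", "filter_operator": "is_greater_than", "values": ["2025-02-01"]}]
# Injection through the comparison value (CVE-2026-44706 class).
VALUE_INJECTION = [{"attribute_key": "signup_count", "filter_operator": "is_greater_than", "values": ["0 OR 1=1"]}]
# Injection through the joining operator (CVE-2025-21628 class).
OPERATOR_INJECTION = [
    {"attribute_key": "signup_count", "filter_operator": "is_greater_than", "values": ["5"], "query_operator": "OR 1=1 OR"},
    {"attribute_key": "signup_count", "filter_operator": "is_less_than", "values": ["3"]},
]

if __name__ == "__main__":
    for name, payload in [("benign", BENIGN), ("value injection", VALUE_INJECTION),
                          ("operator injection", OPERATOR_INJECTION)]:
        verdict = "rejected" if rejects(hardened_sql, payload) else run(hardened_sql, payload)
        print(f"{name:>19}: vulnerable -> {run(vulnerable_sql, payload)}, hardened -> {verdict}")
```

The point of the type coercion step is that the advisories' affected operators are comparisons on date and number attributes: a value that cannot be parsed as a date or a finite number has no business reaching the query at all, so the hardened builder fails closed before the database is involved, and the allow-list on `query_operator` closes the other entry point.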