{"data":{"id":"a865a925-f122-4fd8-830e-63a525a5b16d","title":"CVE-2026-24399: ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript from user chat input","summary":"ChatterMate, a no-code AI chatbot framework (software that lets people build chatbots without writing code), has a cross-site scripting flaw (CWE-79) in versions 1.0.8 and earlier: it accepts and runs malicious HTML/JavaScript code supplied as user chat input. An attacker could send specially crafted markup (such as an iframe with a javascript: URI) that executes in the user's browser and steals sensitive data such as localStorage tokens and cookies, which are used to keep users logged in.","solution":"Update to version 1.0.9, where this issue has been fixed. The patch is available at https://github.com/chattermate/chattermate.chat/releases/tag/v1.0.9.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-24399","publishedAt":"2026-01-24T01:15:50.393Z","cveId":"CVE-2026-24399","cweIds":["CWE-79"],"cvssScore":"9.3","cvssSeverity":"critical","severity":"critical","attackType":["prompt_injection"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["ChatterMate"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00012,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-198","CAPEC-86"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}