CVE-2026-24399: ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malic
Summary
ChatterMate, a no-code AI chatbot framework (software that lets people build chatbots without writing code), has a security flaw in versions 1.0.8 and earlier where it accepts and runs malicious HTML/JavaScript code from user chat input. An attacker could send specially crafted code (like an iframe with a javascript: link) that executes in the user's browser and steals sensitive data such as localStorage tokens and cookies, which are used to keep users logged in.
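The flaw described above is a rendering problem: chat text is inserted into the page as markup instead of as text. The following is an added example (not ChatterMate's own code) showing the vulnerable pattern beside a hardened one, with a check a test suite could use to catch regressions; the sample message and the `msg` wrapper are constructed for illustration.

```javascript
// Added illustration, not code from the ChatterMate project.
// Assumes chat messages arrive as plain strings and are turned into HTML
// before being placed in the chat widget.

// Escape the five characters that let user text break out of a text node
// or an attribute value when it is inserted as HTML.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (the class of bug in the advisory): user text is
// concatenated straight into markup, so any tag in the message becomes
// live DOM when the string is assigned to innerHTML.
function renderMessageUnsafe(text) {
  return `<div class="msg">${text}</div>`;
}

// Hardened pattern: escape first, so the message is displayed literally
// and an embedded <iframe> or <script> is just visible text.
function renderMessageSafe(text) {
  return `<div class="msg">${escapeHtml(text)}</div>`;
}

// Regression check: after stripping the wrapper the renderer adds, does
// the user-controlled part of the output still contain a raw tag?
function messageHasRawTags(rendered) {
  const inner = rendered.slice('<div class="msg">'.length, -"</div>".length);
  return /<[a-z!\/]/i.test(inner);
}

// Constructed sample message containing markup of the kind a chat user
// should never be able to get executed.
const SAMPLE_MESSAGE = '<iframe src="x"></iframe> hello';
```

In real DOM code the equivalent fix is to assign user text with `element.textContent` rather than `innerHTML`, which makes the escaping step unnecessary.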
Solution / Mitigation
Update to version 1.0.9, where this issue has been fixed. The patch is available at https://github.com/chattermate/chattermate.chat/releases/tag/v1.0.9.
Vulnerability Details
9.3 (critical)
EPSS: 0.0%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-24399
First tracked: February 15, 2026 at 08:53 PM
Classified by LLM (prompt v3) · confidence: 92%