CVE-2024-43396: Khoj is an application that creates personal AI agents. The Automation feature allows a user to insert arbitrary HTML in
Summary
Khoj, an application that creates personal AI agents, has a stored cross-site scripting (XSS) vulnerability in its Automation feature: the q parameter of the /api/automation endpoint is not properly sanitized, so a user can insert arbitrary HTML and JavaScript that is saved and then executes when the page loads. An attacker can use this to inject code that runs in the browsers of other users viewing the page.
Solution / Mitigation
This vulnerability is fixed in version 1.15.0.
Vulnerability Details
CVSS base score: 5.4 (medium)
EPSS: 0.9%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-43396
First tracked: February 15, 2026 at 08:53 PM
Classified by LLM (prompt v3) · confidence: 85%