Cyber Resilience

CVE-2026-24399

CriticalPublic PoC

Published: 24 January 2026

Published
24 January 2026
Modified
12 February 2026
KEV Added
Patch
CVSS Score v3.1 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS Score 0.0030 21.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-24399 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Chattermate Chattermate. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 21.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-24399 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting ChatterMate, a no-code AI chatbot agent framework in versions 1.0.8 and below. The flaw occurs when the chatbot processes chat input containing malicious HTML/JavaScript payloads, such as an <iframe> element with a javascript: URI, which is then executed directly in the victim's browser context. This client-side injection enables unauthorized access to sensitive data stored client-side, including localStorage tokens and cookies. The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating critical severity due to its network accessibility, low complexity, and high impact on confidentiality and integrity with changed scope.

Attackers can exploit this vulnerability remotely without privileges by tricking users into submitting crafted chat inputs to a ChatterMate instance, requiring only user interaction such as pasting or entering the payload. No authentication is needed, making it accessible to any adversary. Successful exploitation grants the attacker the ability to steal sensitive client-side data like authentication tokens and cookies in the browser's context, potentially leading to session hijacking, account takeover, or further phishing attacks leveraging the stolen credentials.

Mitigation is available through upgrading to ChatterMate version 1.0.9, where the issue has been addressed. Official advisories and patches are detailed in the GitHub security advisory (GHSA-72p3-w95w-q3j4), the release notes for v1.0.9, and the fixing commit (ff3398031abb97ae28546eaf993fed3619eaffdd), recommending immediate updates for all affected deployments.

As a framework for no-code AI chatbot agents, this vulnerability highlights risks in client-side processing of user inputs in AI-driven web applications, though no public evidence of real-world exploitation has been reported as of the CVE publication on 2026-01-24.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an <iframe> payload containing a javascript: URI can be processed and executed in…

more

the browser context. This allows access to sensitive client-side data such as localStorage tokens and cookies, resulting in client-side injection. This issue has been fixed in version 1.0.9.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1528 Steal Application Access Token Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

XSS directly enables browser session hijacking and theft of web session cookies/application access tokens via client-side JS execution on chat input.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26193Shared CWE-79
CVE-2026-45303Shared CWE-79
CVE-2026-26192Shared CWE-79
CVE-2025-5352Shared CWE-79
CVE-2026-45665Shared CWE-79
CVE-2026-44721Shared CWE-79
CVE-2025-15266Shared CWE-79
CVE-2025-50538Shared CWE-79
CVE-2025-23668Shared CWE-79
CVE-2026-34561Shared CWE-79

Affected Assets

chattermate
chattermate
≤ 1.0.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces validation of untrusted chat inputs to reject or sanitize malicious HTML/JavaScript payloads such as <iframe> with javascript: URIs before browser processing.

prevent

Filters chatbot outputs or reflected inputs to prevent execution of injected scripts in the victim browser context, blocking client-side data theft.

preventrecover

Identifies and remediates the specific XSS flaw by applying patches like ChatterMate v1.0.9, restoring secure input handling.

References