Cyber Posture

CVE-2026-24399

Critical · Public PoC

Published: 24 January 2026
Modified: 12 February 2026
KEV Added: not listed
Patch: available (fixed in ChatterMate 1.0.9)
CVSS Score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0001 (2.8th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24399 is a critical-severity cross-site scripting (CWE-79) vulnerability in ChatterMate (vendor chattermate, product chattermate). Its CVSS v3.1 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). EPSS ranks it at the 2.8th percentile by exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is tagged as AI-related (category: Machine Learning Libraries). The tag comes from keyword matching on "ai"; ChatterMate is a chatbot agent framework rather than an ML library, so treat the category as approximate.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Session Hijacking (T1185) and two other techniques (T1539, T1528). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SI-10 Information Input Validation · prevent
Enforces validation of untrusted chat inputs to reject or sanitize malicious HTML/JavaScript payloads, such as an <iframe> with a javascript: URI, before the browser processes them.

SI-15 Information Output Filtering · prevent
Filters chatbot outputs and reflected inputs so injected scripts cannot execute in the victim's browser context, blocking client-side data theft.

Vendor patch · prevent, recover
Identifies and remediates the specific XSS flaw by applying the vendor fix (ChatterMate v1.0.9), restoring secure input handling.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

T1528 Steal Application Access Token (Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Why these techniques?

XSS directly enables browser session hijacking and theft of web session cookies/application access tokens via client-side JS execution on chat input.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an <iframe> payload containing a javascript: URI can be processed and executed in the browser context. This allows access to sensitive client-side data such as localStorage tokens and cookies, resulting in client-side injection. This issue has been fixed in version 1.0.9.

Deeper analysis (AI-generated)

CVE-2026-24399 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting ChatterMate, a no-code AI chatbot agent framework in versions 1.0.8 and below. The flaw occurs when the chatbot processes chat input containing malicious HTML/JavaScript payloads, such as an <iframe> element with a javascript: URI, which is then executed directly in the victim's browser context. This client-side injection enables unauthorized access to sensitive data stored client-side, including localStorage tokens and cookies. The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating critical severity due to its network accessibility, low complexity, and high impact on confidentiality and integrity with changed scope.

Attackers can exploit this vulnerability remotely and without privileges: the payload is supplied as ordinary chat input, and the vector's UI:R component means a user must interact, for example by entering or pasting the payload into a ChatterMate chat. No authentication is needed. Successful exploitation runs attacker-controlled script in the victim's browser context, exposing authentication tokens held in localStorage and cookies, which can lead to session hijacking, account takeover, or follow-on phishing that uses the stolen credentials.

Mitigation is to upgrade to ChatterMate version 1.0.9, where the issue is fixed. The GitHub security advisory (GHSA-72p3-w95w-q3j4), the v1.0.9 release notes and the fixing commit (ff3398031abb97ae28546eaf993fed3619eaffdd) document the change; all affected deployments should update immediately.
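As an added example, and not ChatterMate's own code or the change shipped in v1.0.9, the block below shows in JavaScript the vulnerable render pattern the advisory describes next to the two controls recommended above: SI-10 style validation of chat input, and SI-15 style output encoding before a message reaches the DOM. The function names, the sample payload, the deny-list regular expressions, the message length limit and the widget origin are all assumptions made for this illustration.

```javascript
// Added example (not ChatterMate code): what SI-10 input validation and SI-15
// output filtering look like for a chat widget that renders user messages.
// All names, limits and sample messages below are constructed for illustration.

// Constructed sample payload of the kind the advisory describes: an <iframe>
// whose src is a javascript: URI, which runs in the page origin if rendered as HTML.
const SAMPLE_PAYLOAD =
  '<iframe src="javascript:alert(document.cookie + localStorage.getItem(\'token\'))"></iframe>';

// Vulnerable pattern (CWE-79): the message string is spliced straight into markup.
// If this fragment reaches innerHTML, the iframe is created and its URI executes.
function renderChatMessageUnsafe(message) {
  return `<div class="msg">${message}</div>`;
}

// SI-15 Information Output Filtering: encode for the HTML text context so every
// message is displayed as text and never parsed as markup. This is the primary
// control; it neutralises payloads the validator below does not recognise.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// SI-10 Information Input Validation: reject messages carrying active content
// before they are stored or forwarded. A deny-list like this is defence in depth
// only (encodings it does not understand will get past it), so it sits in front
// of output encoding, never instead of it. Patterns are constructed for the example.
const ACTIVE_ELEMENT = /<\s*\/?\s*(script|iframe|object|embed|svg|math|link|meta|base|form)\b/i;
const INLINE_HANDLER = /<[^>]*\son[a-z]+\s*=/i; // on...= attribute inside a tag
const SCRIPT_SCHEME_ATTR = /(?:href|src|action|formaction|xlink:href)\s*=\s*["']?\s*(?:javascript|vbscript|data)\s*:/i;
const MAX_MESSAGE_LENGTH = 4000; // assumed limit for this example

function validateChatInput(message) {
  if (typeof message !== 'string') return { ok: false, reason: 'not a string' };
  if (message.length > MAX_MESSAGE_LENGTH) return { ok: false, reason: 'too long' };
  if (ACTIVE_ELEMENT.test(message)) return { ok: false, reason: 'active HTML element' };
  if (INLINE_HANDLER.test(message)) return { ok: false, reason: 'inline event handler' };
  if (SCRIPT_SCHEME_ATTR.test(message)) return { ok: false, reason: 'script-scheme URI' };
  return { ok: true };
}

// If the widget chooses to render links at all, allow only http(s) after full URL
// parsing, so scheme tricks (mixed case, embedded tabs or newlines, leading
// whitespace) are resolved by the WHATWG parser rather than by another regex.
function isSafeLinkUrl(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate, 'https://chat.example.invalid/'); // assumed widget origin
  } catch {
    return false;
  }
  return parsed.protocol === 'https:' || parsed.protocol === 'http:';
}

// Hardened pipeline: validate, then encode. Returns the fragment the client may
// insert; if the client uses textContent instead of innerHTML, the encoding
// step becomes a harmless backstop rather than the only line of defence.
function renderChatMessage(message) {
  const verdict = validateChatInput(message);
  if (!verdict.ok) {
    return {
      accepted: false,
      reason: verdict.reason,
      html: '<div class="msg msg-rejected">[message rejected]</div>',
    };
  }
  return { accepted: true, html: `<div class="msg">${escapeHtml(message)}</div>` };
}
```

The order matters: the validator runs first so that a rejected message is never stored or echoed to other participants, and the encoder runs last so that anything the validator misses is still rendered as inert text. Rejecting rather than silently stripping also gives defenders a log line to alert on.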

Because ChatterMate is a framework for no-code AI chatbot agents, this vulnerability highlights the risk of rendering user-supplied or model-generated content as HTML in AI-driven web applications. No public evidence of real-world exploitation had been reported as of the CVE publication on 2026-01-24.

Details

CWE(s)
CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)

Affected Products
chattermate / chattermate ≤ 1.0.8 (fixed in 1.0.9)

AI Security Analysis (AI-generated)

AI Category: Machine Learning Libraries
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

CVEs Like This One (shared CWE-79)

CVE-2026-26192
CVE-2025-67849
CVE-2026-27070
CVE-2026-4108
CVE-2025-23429
CVE-2025-26585
CVE-2026-32277
CVE-2026-34560
CVE-2026-30919
CVE-2025-0475
