Is there a public PoC exploit available for CVE-2025-12246?

Yes, a public proof-of-concept exploit is available for CVE-2025-12246. Prioritise patching immediately. EPSS: 0.0%.

Chatwoot CVE-2025-12246

Q: What is the CVSS score of CVE-2025-12246?

CVE-2025-12246 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

LOW

Cross-site Scripting (XSS) (CWE-79)

2025-10-27 cna@vuldb.com

XSS Chatwoot

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Apr 29, 2026 - 02:30 vuln.today

DescriptionCVE.org

A security flaw has been discovered in chatwoot up to 4.7.0. This issue affects some unknown processing of the file app/javascript/shared/components/IframeLoader.vue of the component Admin Interface. The manipulation of the argument Link results in cross site scripting. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-site scripting (XSS) in Chatwoot up to version 4.7.0 allows remote attackers to inject malicious scripts via the Link argument in the IframeLoader.vue Admin Interface component, requiring user interaction to trigger. The vulnerability has a low CVSS score (2.1) and EPSS percentile (10%) but publicly available exploit code exists, indicating the attack is straightforward to execute once a victim clicks a crafted link.

Technical ContextAI

The vulnerability resides in the IframeLoader.vue component within Chatwoot's Admin Interface, a Vue.js-based web application frontend. The flaw is a reflected or stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where user-supplied input in the Link parameter is not properly sanitized before being rendered in the DOM. This allows an attacker to inject arbitrary JavaScript code that executes in the context of an authenticated admin's browser session. The affected product is Chatwoot, a customer engagement and support platform, identified via CPE:2.3:a:chatwoot:chatwoot:*.*.*.*.*.*.*

RemediationAI

Upgrade Chatwoot to a version newer than 4.7.0 immediately. Verify the patched version on the official Chatwoot GitHub repository or release notes. If immediate upgrade is not feasible, implement network-level mitigations: restrict admin interface access to trusted IP ranges or use a Web Application Firewall (WAF) rule to block requests with encoded or suspicious characters in the Link parameter. Additionally, educate administrators to avoid clicking links from untrusted sources in Chatwoot contexts, and consider disabling or sandboxing the IframeLoader component if it is not essential for operations. Patch effectiveness and post-upgrade version confirmation should be validated against the official Chatwoot security advisory once the vendor responds.

CVE-2025-12246 vulnerability details – vuln.today

Back