Skip to main content

EUVDEUVD-2026-12866

| CVE-2026-30048 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-18 mitre GHSA-w3vx-52j6-9fjp
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
CVSS changed
Apr 27, 2026 - 19:22 NVD
5.4 (MEDIUM)
EUVD ID Assigned
Mar 18, 2026 - 17:30 euvd
EUVD-2026-12866
Analysis Generated
Mar 18, 2026 - 17:30 vuln.today
CVE Published
Mar 18, 2026 - 00:00 nvd
N/A

DescriptionCVE.org

A stored cross-site scripting (XSS) vulnerability exists in the NotChatbot WebChat widget thru 1.4.4. User-supplied input is not properly sanitized before being stored and rendered in the chat conversation history. This allows an attacker to inject arbitrary JavaScript code which is executed when the chat history is reloaded. The issue is reproducible across multiple independent implementations of the widget, indicating that the vulnerability resides in the product itself rather than in a specific website configuration.

AnalysisAI

A stored cross-site scripting (XSS) vulnerability exists in NotChatbot WebChat widget versions through 1.4.4, where user-supplied input in chat messages is not properly sanitized before being stored and rendered in the chat history. This allows attackers to inject arbitrary JavaScript code that executes whenever the chat history is reloaded, affecting all independent implementations of the widget. A proof-of-concept has been publicly disclosed on GitHub (https://github.com/0xN4no/CVE-2026-30048) and a detailed technical writeup is available via Gist (https://gist.github.com/0xN4no/0601f398942a29259d217ea650f694fe), indicating active demonstration of exploitability.

Technical ContextAI

The NotChatbot WebChat widget is a JavaScript-based chat interface distributed via npm (@developer.notchatbot/webchat) and CDN (unpkg.com). The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting). The root cause is insufficient input validation and output encoding when processing user messages in the chat conversation history. Since the widget is embedded across multiple independent websites, the vulnerability affects not just the library itself but any application consuming the affected versions (up to 1.4.4) from npm or unpkg CDN. The stored nature of this XSS means malicious payloads persist in chat history data structures and execute client-side during page reloads, making it particularly dangerous for multi-user chat scenarios where one user's malicious input compromises all subsequent viewers of that conversation.

RemediationAI

Immediately upgrade NotChatbot WebChat to a patched version beyond 1.4.4 if available from the vendor. Check https://www.npmjs.com/package/@developer.notchatbot/webchat for the latest stable release and deploy via npm or CDN. If a patched version is not yet released, implement immediate mitigation by enforcing Content Security Policy (CSP) headers with script-src 'self' to restrict arbitrary JavaScript execution, implementing HTML entity encoding on all chat message display, and validating input on the client-side to reject common XSS payloads (script tags, event handlers, javascript: URIs). Audit all chat history stored server-side to identify and sanitize any existing malicious payloads. Monitor the GitHub repository (https://github.com/0xN4no/CVE-2026-30048) and npm advisories for patch release announcements. For critical deployments, consider temporarily disabling the chat widget until patches are available and tested.

Share

EUVD-2026-12866 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy