Severity by source
AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Network delivery with authenticated sender (PR:L), legacy-browser precondition raises complexity (AC:H), victim click mandatory (UI:R), cross-user session impact drives S:C with limited C/I.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, the ImageElement component in packages/gazzodown renders user-controlled src values directly into <a href> and <img src> attributes without protocol sanitization. Unlike the analogous LinkSpan component - which uses sanitizeUrl to block javascript:, data:, and vbscript: protocols - ImageElement passes the raw URL through unchanged. An authenticated user can post a markdown image with a javascript: URL that, if clicked on an older browser, would execute arbitrary JavaScript in the viewer's session. This vulnerability is fixed in 8.5.0.
AnalysisAI
Stored XSS in Rocket.Chat's Gazzodown Markdown renderer allows authenticated users to inject javascript: protocol URIs into image elements that execute arbitrary JavaScript in a victim's browser session upon click. The ImageElement component in versions prior to 8.5.0 omits the sanitizeUrl() guard applied by the analogous LinkSpan component, creating an inconsistency that bypasses javascript:, data:, and vbscript: protocol blocking. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three simultaneous conditions: (1) The attacker must hold a valid authenticated Rocket.Chat account (PR:L) with permission to post messages containing Markdown image syntax in at least one shared channel or direct message thread. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 4.4 Medium score is consistent with the actual threat model. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Rocket.Chat user posts a message containing a Markdown image with a javascript: URL as the src attribute, such as ). A second user viewing the channel on a legacy browser clicks the rendered image, triggering JavaScript execution in their session and exfiltrating their session token to an attacker-controlled server. … |
| Remediation | Vendor-released patch: Rocket.Chat 8.5.0, which applies equivalent protocol sanitization (sanitizeUrl) to the ImageElement component, closing the inconsistency with LinkSpan. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39089