Skip to main content

Hijiffy Chatbot

2 CVEs product

Monthly

CVE-2026-4263 MEDIUM This Month

HiJiffy Chatbot contains an authorization bypass vulnerability in the /api/v1/webchat/message endpoint that allows unauthenticated attackers to download private messages from arbitrary users by manipulating the 'visitor' parameter. The vulnerability affects all versions of HiJiffy Chatbot (as indicated by the wildcard CPE) and has been reported by INCIBE. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass Hijiffy Chatbot
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-4262 MEDIUM This Month

An incorrect authorization vulnerability in HiJiffy Chatbot allows unauthenticated attackers to download private messages from arbitrary users by manipulating the 'ID' parameter in the '/api/v1/download/<ID>/' endpoint. This is a classic authorization bypass enabling unauthorized access to sensitive conversation data. No public exploit code or active exploitation has been identified at the time of analysis, though the vulnerability was reported by INCIBE and affects all versions of HiJiffy Chatbot. The exposure is direct and requires only network access to the affected API endpoint.

Authentication Bypass Hijiffy Chatbot
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
EPSS 0% CVSS 6.9
MEDIUM This Month

HiJiffy Chatbot contains an authorization bypass vulnerability in the /api/v1/webchat/message endpoint that allows unauthenticated attackers to download private messages from arbitrary users by manipulating the 'visitor' parameter. The vulnerability affects all versions of HiJiffy Chatbot (as indicated by the wildcard CPE) and has been reported by INCIBE. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass Hijiffy Chatbot
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

An incorrect authorization vulnerability in HiJiffy Chatbot allows unauthenticated attackers to download private messages from arbitrary users by manipulating the 'ID' parameter in the '/api/v1/download/<ID>/' endpoint. This is a classic authorization bypass enabling unauthorized access to sensitive conversation data. No public exploit code or active exploitation has been identified at the time of analysis, though the vulnerability was reported by INCIBE and affects all versions of HiJiffy Chatbot. The exposure is direct and requires only network access to the affected API endpoint.

Authentication Bypass Hijiffy Chatbot
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy