216.73.217.64

CVE-2025-51859

· Published 22/07/2025 15:15 · Modified 22/07/2025 16:15

Labels: CVE-2025-51859 2025-07-22CVE-2025-51859CWE-79[email protected]

Essential information

Published
22/07/2025 15:15
Modified
22/07/2025 16:15
Author
Creator
CVSS
6.5 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS metrics

Description

Stored Cross-Site Scripting (XSS) vulnerability in Chaindesk thru 2025-05-26 in its agent chat component. An attacker can achieve arbitrary client-side script execution by crafting an AI agent whose system prompt instructs the underlying Large Language Model (LLM) to embed malicious script payloads (e.g., SVG-based XSS) into its chat responses. When a user interacts with such a malicious agent or accesses a direct link to a conversation containing an XSS payload, the script executes in the user's browser. Successful exploitation can lead to the theft of sensitive information, such as JWT session tokens, potentially resulting in account hijacking.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
chaindesk / chaindesk cpe:2.3:a:chaindesk:chaindesk:*:*:*:*:*:*:*:*

References